The EU is harmonising its law on security. Alan Horgan, VP of sales at Veritas, discusses what organisations need to do to change.
Q: Do you think many businesses are aware of the implications of the new law?
Yes, many businesses are aware of the new GDPR legislation, but the question I believe many are asking is where to start and what exactly they should do to ensure compliance. Any company that sells goods or services to any of the EU member states, or indeed handles any of the data of its half a billion residents, has twenty months to develop a strategy and processes to abide by the new law.
Q: In your opinion, what is the most critical part of EU GDPR – the fact that businesses could be fined a significant amount of turnover for non-compliance, or that they will be forced to report a data breach when it happens?
Both factors are equally important.
The new Regulation has been developed to harmonise the approach to data privacy in the modern era of digital transformation. It replaces outdated laws from a time when we did not have a widely used internet, cloud computing or mobile devices that contain huge amounts of personal information and tracking data.
The fines have been increased, so it is no longer an option to weigh up the costs of compliance against the risks of prosecution: breaking the principles could result in huge penalties of up to 4% of global turnover or €20 million, whichever is greater.
The new obligations on breach notification will drive better transparency and accountability of those that collect and process personal data. Clearly reporting a breach as the law requires could have an effect on brand image and reputation, and so there is an extra impetus to ensure that breaches do not occur in the first place.
Q: What steps should businesses take to plan for the arrival of the new law? Please outline them in detail.
- Get to grips with your Databerg
To process personal data in a GDPR-compliant way, an organisation needs to know precisely where this data is stored and what it is. Unfortunately, most organisations have on average 52% dark data, according to a Veritas study. If you don’t know what data you hold and where it is, you simply can’t comply.
Businesses with 250 employees or more must keep auditable records of the processing of personal data, but without a reliable record of processing activities it’s hard for any organisation to prove compliance, which is a key requirement of the GDPR under the new principle of Accountability. Compliance teams also need to know if the personal data goes outside the European Economic Area so they can put the right data transfer agreements in place to ensure that the transfers are lawful. And they need to be able to assess whether it’s still needed, and delete it if it’s not, to comply with the principle of Storage Limitation. To achieve this:
– Interview employees to understand how they obtain, use and disclose personal data. Do this in combination with a review of the way your systems process personal data, and reconcile the two. This is the basis of your auditable processing record, and a map that will guide you when you review your data management policies and processes to bring them into line with the GDPR
– Use technical tools to gain insight into the dark data that you already hold, both content and location; Veritas has a suite of tools that will help you do this, and re-connect the data that’s stored with the business that owns it. Most businesses have a blind spot when it comes to dark data, but it’s costly to store and after 2018 failure to manage it could attract a fine
– Delete what you don’t need, and formulate policies and procedures that will prevent the Databerg re-accumulating
- Establish processes to find data quickly
Each individual within the European Union will get new and improved rights under GDPR. For example, each individual has the right to a copy of all the personal data that is held on them, the right to demand erasure or correction of the data, to have its processing restricted, or to have their personal data ported to another organisation. These requests must be fulfilled without undue delay, and within one month of the request. It is possible to obtain an extension of up to two further months at most in the case of complex or numerous requests. These timelines may look generous, but the volume of personal data that many organisations may hold on individuals, and the time it takes to consider the legitimacy of the request, retrieve the personal data, read it, consider what redactions need to be made and gain any compliance approvals, means that the timeline can be challenging to meet. Failure to meet the timeline attracts the “major breach” fine.
If your business gets a request from a data subject, can you find their data to action it? Can you do it quickly?
To be able to be a fast responder:
– Make sure that you do not hold personal data for longer than is necessary and have the tools and processes to locate it quickly in both your structured and unstructured electronic systems
– Establish an easy way to pass the personal data you retrieve to the compliance team for review
– Create procedures to ensure the right personal data is disclosed/deleted/corrected/ported/restricted
– Create auditable logs so that you can prove that you did what you said you did
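An added example, not from the interview or from Veritas, of what the four steps above look like when they are automated for a data subject access request: locate the subject's data across a structured and an unstructured store, hand the package to compliance, act on it, and keep an auditable log, with the one-month deadline and the two-month extension computed up front. The stores, email addresses, file paths, actor names and the `DSAR-0001` request id are all constructed for the example.

```python
"""Added example (not from the interview or Veritas): a minimal data subject
access request (DSAR) handler. Every store, record and name below is constructed."""
import calendar
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Dict, List

# Constructed sample stores. In a real estate these would be a CRM database
# and a file share rather than in-memory Python objects.
STRUCTURED_STORE = [
    {"table": "crm.customers", "email": "jane.doe@example.com", "phone": "+44 20 0000 0000"},
    {"table": "crm.customers", "email": "pat.smith@example.com", "phone": "+44 20 1111 1111"},
    {"table": "billing.invoices", "email": "jane.doe@example.com", "amount": "120.00"},
]
UNSTRUCTURED_STORE = {
    "share/support/ticket-0421.txt": "Customer jane.doe@example.com reported a login issue.",
    "share/hr/onboarding-notes.txt": "No customer data in this file.",
    "share/sales/call-log.txt": "Follow up with Jane.Doe@example.com about renewal.",
}


def parse_day(iso_day: str) -> date:
    """Helper so callers can pass '2018-05-25' style strings."""
    return date.fromisoformat(iso_day)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of a short month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def compute_deadline(received: date, extension_months: int = 0) -> date:
    """One month from receipt, extendable by at most two further months."""
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may be at most two further months")
    return add_months(received, 1 + extension_months)


def locate_personal_data(subject_email: str) -> Dict[str, List[str]]:
    """Find every structured row and unstructured file mentioning the subject.
    Matching is case-insensitive because identifiers are rarely normalised."""
    needle = subject_email.lower()
    hits: Dict[str, List[str]] = {"structured": [], "unstructured": []}
    for row in STRUCTURED_STORE:
        if row.get("email", "").lower() == needle:
            hits["structured"].append(row["table"])
    for path, text in UNSTRUCTURED_STORE.items():
        if needle in text.lower():
            hits["unstructured"].append(path)
    return hits


@dataclass
class AuditLog:
    """Append-only record of who did what to which request, so the organisation
    can later prove it did what it said it did."""
    entries: List[dict] = field(default_factory=list)

    def record(self, request_id: str, actor: str, action: str, detail: str) -> None:
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "request": request_id, "actor": actor,
            "action": action, "detail": detail,
        })


def handle_access_request(request_id: str, subject_email: str, received: date,
                          log: AuditLog, extension_months: int = 0) -> dict:
    """Run the four steps for one request and return a summary; each step is logged."""
    deadline = compute_deadline(received, extension_months)
    log.record(request_id, "privacy-desk", "received", f"deadline {deadline}")
    hits = locate_personal_data(subject_email)
    log.record(request_id, "dsar-tool", "located",
               f"{len(hits['structured'])} rows, {len(hits['unstructured'])} files")
    # Hand-off to compliance: the reviewer decides on redactions before disclosure.
    log.record(request_id, "privacy-desk", "sent-for-review", "package handed to compliance")
    log.record(request_id, "compliance", "approved", "reviewed; no third-party data to redact")
    log.record(request_id, "privacy-desk", "disclosed", "copy sent to data subject")
    return {"request": request_id, "deadline": deadline, "hits": hits,
            "log_entries": len(log.entries)}


if __name__ == "__main__":
    audit = AuditLog()
    print(handle_access_request("DSAR-0001", "jane.doe@example.com", parse_day("2018-05-25"), audit))
    for entry in audit.entries:
        print(entry)
```

The deadline helper clamps to the end of a short month (a request received on 31 January is due on 28 February), which is the kind of edge that a spreadsheet-based tracker tends to get wrong; the case-insensitive match in `locate_personal_data` is there because the same person routinely appears under differently capitalised identifiers in unstructured files.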
- Don’t forget the basics, and do an analysis of your data security
The “Integrity and Confidentiality” principle in the GDPR requires that personal data be protected from loss, damage and destruction. It is therefore essential to make sure that the data is backed up, so you can recover it. This may seem to be the easiest part of the overall GDPR conversation, but this task should not be underestimated. If companies do their Databerg analysis right, they are likely to find that their data is fragmented across different storage areas. They will find personal data stored on virtualised systems, cloud infrastructure and other systems and locations, from mobile devices to shared cloud storage services. The following best practices will help to get a backup and resilience strategy in place that covers these fragmented infrastructures:
– Establish a backup and recovery strategy that integrates physical, virtual and hybrid cloud scenarios under one umbrella to make it easy to manage
– Get insights into all existing cloud services and the data stored there and make sure you educate your employees about the right usage
– Establish a failover concept that will keep not only the access to the cloud services highly available, but also guarantee the resilience of the services themselves.
Q: What effect will EU GDPR have on an organisation’s IT storage strategy?
Information governance is a fast-growing priority for most organisations around the globe. As the countdown to GDPR compliance continues, organisations need a robust information management system in place to help ensure that business leaders know what information they have, where it is, how it can be accessed and who is responsible for it. By being prepared for GDPR, benefits could be seen in agility and innovation of IT storage systems.