One of the key criteria of the new General Data Protection Regulation legislation coming in May 2018 is the need to keep data secure (the clue is in the name). While organisations will need to put in place a robust data breach response plan in the eventuality that data is lost, it is also worth keeping in mind that prevention is always better than the cure.
Ensuring your IT infrastructure is capable of protecting all the data it holds and processes across all devices, departments and software with a Data Loss Prevention (DLP) system, and being able to prove it, is essential to compliance. While this may be easier said than done, there are practical steps you can take to ensure your organisation is protected from all types of data loss.
What constitutes data loss?
Data loss can happen in two ways. One is the loss of data due to physical actions (unintentional or otherwise) such as:
- Sharing sensitive files or personal data across unprotected email services, via memory sticks, etc.
- Malware or ransomware attacks
- Insecure practices of business partners
- Holding sensitive data on remote devices
- Processing sensitive data on an unsecured network
Your organisation may have a great IT security set-up in place in the office, but if a staff member opens a suspicious email, or decides to log on to their laptop while using the WiFi in their local McDonald’s, for example, or just happens to leave that laptop behind, you could be facing down the barrel of a data breach.
We are all human, and humans make mistakes, which is why you need to put security measures in place across your entire IT system and devices in order to ensure it is not possible for those mistakes to lead to a data breach.
Some of the ways you can implement the level of data protection you need include:
- Encryption – this means all devices and hardware, not just files
- Pseudonymisation or tokenisation – replacing the values that directly identify a person with pseudonyms or tokens, and storing the key or mapping needed to re-link them securely elsewhere
- Access controls – ensuring only those authorised have access to data
- Alerts – notifying the Data Controller and other relevant stakeholders that sensitive data has been accessed and shared
- Firewalls – controlling the flow of data between the organisation and the internet
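The pseudonymisation and tokenisation measure in the list above is easiest to see in code. The example below is added here and is not pebble.it's code; it assumes a constructed customer record, a keyed-hash scheme for pseudonyms (the key is assumed to live in a separate key store) and an in-memory token vault standing in for a separately secured mapping store.

```python
import hashlib
import hmac
import secrets

# Constructed sample record, not real personal data
RECORD = {
    "customer_id": "C-1001",
    "email": "alice@example.com",
    "postcode": "SW1A 1AA",
    "order_total": 42.50,
}
# Fields that on their own identify a person
DIRECT_IDENTIFIERS = ("email", "postcode")

# Assumed: in production this key is held in a KMS/HSM, never beside the data
KEY = b"constructed-demo-key-keep-in-kms"


def pseudonymise(record, key):
    """Replace direct identifiers with keyed-hash pseudonyms.

    The same input and key always give the same pseudonym, so records can
    still be joined or counted per person; without the key the pseudonym
    cannot be linked back to the original value.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            mac = hmac.new(key, f"{field}:{out[field]}".encode(), hashlib.sha256).hexdigest()
            out[field] = f"pseud_{mac[:16]}"
    return out


class TokenVault:
    """Tokenisation: random tokens whose mapping lives only in this vault.

    The vault is the 'stored securely elsewhere' part; the data set that
    carries the tokens contains nothing that can be reversed on its own.
    """

    def __init__(self):
        self._forward = {}  # value -> token
        self._reverse = {}  # token -> value

    def tokenise(self, value):
        if value in self._forward:
            return self._forward[value]
        token = "tok_" + secrets.token_hex(8)
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenise(self, token):
        """Only a caller with access to the vault can recover the value."""
        return self._reverse[token]


def tokenise_record(record, vault):
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.tokenise(out[field])
    return out


if __name__ == "__main__":
    print(pseudonymise(RECORD, KEY))
    vault = TokenVault()
    tokenised = tokenise_record(RECORD, vault)
    print(tokenised, "->", vault.detokenise(tokenised["email"]))
```

The choice between the two is about where the re-linking secret lives: a pseudonym scheme needs only the key to be protected, while a token vault must protect a growing mapping table but gives you tokens that reveal nothing even if the key-derivation details leak.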
Plugging the Leaks
The second, and more complex, type of data loss is data leakage. This does not mean the inadvertent or intentional sharing of sensitive data with a third party, but the process whereby data falls through the cracks as it flows through the organisation’s critical systems, and often, on to less secure systems or devices.
In order to understand what data you have and how it flows through the organisation, you first need to undertake a data mapping process, and then assess how you can protect it as it moves from system to system, device to device.
You then need to categorise and label that sensitive data with the level of security and confidentiality required, and perform a security audit to identify the functions that enable data to flow out of your systems. Then, you need to use business and regulatory rules to enable your Data Controller to control what data users can access, how they can access it, with whom they can share it, and on what devices this can be done.
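The labelling and rule-setting step above can be expressed as a small policy engine: each record carries a sensitivity label, and business rules say which roles may perform which actions on it from which devices, with the Data Controller notified when sensitive data is touched or an attempt is refused. The example below is added here and is not pebble.it's code; the label scheme, roles, actions, device classes and policy are all constructed for illustration.

```python
from dataclasses import dataclass

# Assumed sensitivity labels in increasing order
LABELS = ("public", "internal", "confidential", "restricted")
# Accesses at or above this label notify the Data Controller
ALERT_FROM = "confidential"


@dataclass(frozen=True)
class Rule:
    roles: frozenset    # roles allowed ("*" means anyone)
    actions: frozenset  # e.g. "read", "share_external"
    devices: frozenset  # e.g. "managed", "byod"


# Constructed policy, keyed by data label; not a real organisation's rules
POLICY = {
    "public": Rule(frozenset({"*"}), frozenset({"read", "share_external"}),
                   frozenset({"managed", "byod"})),
    "internal": Rule(frozenset({"staff", "hr", "finance"}), frozenset({"read"}),
                     frozenset({"managed", "byod"})),
    "confidential": Rule(frozenset({"hr", "finance"}), frozenset({"read"}),
                         frozenset({"managed"})),
    "restricted": Rule(frozenset({"hr"}), frozenset({"read"}),
                       frozenset({"managed"})),
}


def decide(label, role, action, device):
    """Evaluate one access request against the policy.

    Returns {"allow": bool, "alert": str | None}. Unlabelled or unknown
    labels fail closed and are treated as "restricted".
    """
    if label not in POLICY:
        label = "restricted"
    rule = POLICY[label]
    allowed = (
        ("*" in rule.roles or role in rule.roles)
        and action in rule.actions
        and device in rule.devices
    )
    sensitive = LABELS.index(label) >= LABELS.index(ALERT_FROM)
    alert = None
    if not allowed:
        alert = f"DENIED: {role} attempted {action} on {label} data from {device} device"
    elif sensitive:
        alert = f"NOTICE: {role} performed {action} on {label} data from {device} device"
    return {"allow": allowed, "alert": alert}


if __name__ == "__main__":
    # Constructed requests exercising the policy
    for req in [("restricted", "hr", "read", "managed"),
                ("restricted", "finance", "read", "managed"),
                ("internal", "staff", "share_external", "byod"),
                ("public", "contractor", "read", "byod")]:
        print(req, "->", decide(*req))
```

Keeping the policy as data rather than scattered `if` statements is what lets the Data Controller review and change it without a code release, and the fail-closed default for unlabelled data is what stops leakage through records the mapping exercise missed.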
The DLP and GDPR Conundrum
In the interests of ‘better safe than sorry’, you may be tempted to rule with an iron fist when it comes to data protection by implementing a series of preventative measures across your IT system that track user access and activity.
Internal threats from disgruntled users, careless third-party contractors and partners, or stolen credentials are obvious ways in which data loss can occur. These should of course be detected as quickly as possible, and one way in which this can be done is through the implementation of behavioural analytics, which combines rules-based and machine learning-based analysis.
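As an illustration of the rules-based and baseline-driven detection just described, the example below is added here and is not pebble.it's code. It assumes a constructed access-log format (timestamp, user, action, data set, record count), constructed per-user daily baselines, and a simple statistical deviation check standing in for a full machine-learning model.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines for one day: timestamp user action dataset records
LOG = """
2018-03-05T09:12:00 alice read customer_db 110
2018-03-05T14:30:00 alice read customer_db 95
2018-03-05T23:40:00 bob export customer_db 5000
2018-03-05T10:05:00 carol read hr_records 40
""".strip().splitlines()

# Constructed baseline: records touched per day by each user over prior days
BASELINE = {
    "alice": [180, 210, 195, 205, 190, 200, 215, 185],
    "bob": [50, 60, 45, 55, 65, 50, 58, 52],
    "carol": [35, 40, 42, 38, 45, 41, 39, 44],
}

# Assumed rule thresholds
BULK_EXPORT_RECORDS = 1000
WORK_HOURS = range(7, 20)  # 07:00 to 19:59 counts as normal working time


def parse(line):
    ts, user, action, dataset, count = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "dataset": dataset, "count": int(count)}


def rule_alerts(events):
    """Fixed business rules: bulk exports and activity outside working hours."""
    alerts = []
    for e in events:
        if e["action"] == "export" and e["count"] >= BULK_EXPORT_RECORDS:
            alerts.append((e["user"], f"bulk_export:{e['count']} records from {e['dataset']}"))
        if e["ts"].hour not in WORK_HOURS:
            alerts.append((e["user"], f"off_hours:{e['action']} at {e['ts'].time()}"))
    return alerts


def baseline_alerts(events, baseline, z_threshold=3.0):
    """Statistical deviation: flag users whose daily total is far above their own history."""
    totals = defaultdict(int)
    for e in events:
        totals[e["user"]] += e["count"]
    alerts = []
    for user, total in totals.items():
        history = baseline.get(user, [])
        if len(history) < 2:
            # Not enough history to model this user; rules still apply
            continue
        mean = statistics.mean(history)
        stdev = statistics.stdev(history)
        if stdev == 0:
            stdev = 1.0  # avoid division by zero for perfectly regular users
        z = (total - mean) / stdev
        if z > z_threshold:
            alerts.append((user, f"baseline_deviation:z={z:.1f} ({total} vs mean {mean:.0f})"))
    return alerts


def analyse(lines, baseline):
    """Combine both detectors and return (user, reason) pairs sorted for review."""
    events = [parse(line) for line in lines]
    return sorted(rule_alerts(events) + baseline_alerts(events, baseline))


if __name__ == "__main__":
    for user, reason in analyse(LOG, BASELINE):
        print(user, reason)
```

Note that the baseline check needs a per-user history, which is exactly the kind of monitoring of staff activity the next paragraph discusses; the detector only needs aggregate counts per user per day, so that is all it should retain.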
However, this can present a bit of a conundrum, as the regulations you are trying to uphold here may be in danger of being breached by your very activity. Remember, under GDPR, your staff also have their own personal data protection rights, so you need to carefully consider just what you monitor, and how you legitimise your actions, particularly if you allow employees to use their own device for work purposes, or allow them to use their work device for personal activities.
Using your company privacy policy to inform staff that they should have no expectation of privacy in this regard will not wash with GDPR, and you will need to provide transparency as regards the purpose and extent of monitoring.
When this is taken into consideration, it’s pretty clear that while a DLP system should, to a point, be implemented, it is probably a safer tactic to start on the path towards compliance by educating your staff regarding GDPR requirements and the role they will play in keeping your organisation’s data secure.
Help Is at Hand
This is where a certified GDPR expert with the IT support you need can step in and help.
It’s true that there is a lot to take in when it comes to this new legislation, but the right GDPR consultant can assess what your entire business needs to do to be compliant, and how best to do it, with practical, easy to understand steps.
They can provide the training and education your staff need regarding the security chain and policies, best practices, GDPR awareness and accountability, while also performing gap analysis and data protection impact assessments, providing audit advice, and advising on the following:
- Back-up and restoring of data
- Separation and compartmentalisation of data
- Internal/external firewalls
- Correct use of ACLs
- Deployment of IDS or IPS
As certified GDPR consultants, pebble.it can help your entire organisation understand what you need to do to be compliant, and advise on the processes you need to put in place to implement a robust DLP system.
Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist: