Under the GDPR, organizations are required to institute measures that enable them to closely monitor the movement of personal data throughout its life-cycle. They must establish a profound understanding about how and why sensitive data is being processed and stored. It would be inadmissible for companies to not know where their valuable physical assets are located. Yet, despite being referred to as the new oil, data is not treated with the same respect.
Organizations are now required to track the flow of data between departments, subsidiaries, contractors and users. As more companies embrace the Bring Your Own Device (BYOD) trend, their visibility – with regards to the flow of data – is impaired. Below are some practical guidelines which can assist companies in ensuring that they can identify the location of their data both at rest and in transit.
Know What Data You Have and What People Are Doing with It
Make a comprehensive index of the data you hold. For every piece of personal data you store, you will need to explicitly state the nature of the data, who has access to it, where it is located, when and why it was accumulated. You may find it helpful to take advantage of an automated data discovery tool which can locate, classify and report on a wide range of data types.
In order to be able to accurately monitor the flow of your critical assets once they have been inventoried, you will need to take advantage of the latest real-time File Server auditing tools such as LepideAuditor which can detect, alert and respond to suspicious file and folder activity. LepideAuditor also provides an intuitive console which presents an overview of your data, including any important information about who, what, where and when important changes are made to this data.
Discover and Classify Sensitive Data
Article 30 of the GDPR requires that organisations keep a “description of the categories of data subjects and of the categories of personal data”. Data classification makes it easier for organisations to assess the risk and impact of a certain types of processing, and facilitates more efficient business operations, thus reducing the resources required to secure the data. A typical classification scheme would include public, internal and restricted categories. As mentioned above, data discovery and classification tools can be used to automate the classification process.
Conduct a Data Protection Impact Assessment (DPIA) and Take Action
A DPIA is required to assess the privacy risks associated with a particular type of data processing and can be useful when new technologies are introduced. Under the GDPR, a failure to carry out a DPIAs could result in fines of up to 2% of annual turnover or €10 million – whichever is greater.
If your DPIA identifies large amounts of data collected over long periods of time (as is the case in many organizations), sift through the data to assess whether is it still required for business operations. Deleting unnecessary data makes it a lot easier to allocate resources more effectively and enforce least privilege access.
Bring Your Own Device (BYOD)
Companies will need to change their habits in order to accommodate the growing BYOD trend. Employees who download unapproved files or third-party applications could be putting the company’s data at risk. Companies will need to enforce policies for devices connecting to their network, use whitelisting/blacklisting, data encryption, remote wiping software, and so on.
Establish a Sustainable Practice
Inventories, data classification, DPIAs and the adoption of a sophisticated change auditing solution will put you in a good position to secure your critical assets. However, data security is an ongoing process. Your security policy must be updated at least once a year to reflect any changes made to your organisation’s infrastructure.