The new General Data Protection Regulation (GDPR) is going to be a focus for many organisations this year as they work out how to identify and protect the Personally Identifiable Information (PII) that they hold. One of the more difficult challenges will be securing information held on laptops and other mobile devices, where it is harder to track and is at a greater risk of being compromised because it is not behind the company firewall.
However, I believe that there is no need to panic. Those who take a strategic approach to data protection and adhere to good overall cyber security practices are well on the way to achieving compliance with the new regulations. This can then be supplemented by the use of specific tools to ensure that PII on mobile devices is protected.
Organisations first need to understand what type of data they have and where it is stored. There are two broad approaches – ‘big bucket’ or fine grain – and the former will be sufficient for most organisations. The GDPR applies to PII, i.e. any data that could potentially identify a specific individual, so before undertaking any work first consider whether your organisation actually holds this type of information. For many organisations, the answer may be no apart from payroll and HR records, which should already be held securely.
If you do hold PII, you need to audit where that data is located and how it is stored. Our analyses across a wide range of organisations in multiple sectors suggest that 18 – 20 per cent of data is typically held in specific applications such as databases, CRM systems and internally developed applications. The Pareto principle applies again! It is relatively straightforward to identify these applications and take appropriate steps to protect the data. This means identifying how many times a database, for example, has been copied and where those copies exist. Commonly used internal search tools can help identify these. Any copies residing on mobile devices should be easy to identify, and if they do not specifically need to be on that device they can be moved to secure internal storage or deleted.
Managing unstructured and semi-structured data
The harder work begins with the remaining 80 per cent of your data. Some of this will be what we call semi-structured data, held in applications such as email, or organised using SharePoint or similar file and content management applications. The rest will be unstructured data, normally held in file systems. This is where the most attention needs to be paid.
At this point, step back and ask whether you actually need to protect this information. At Fordway, for example, a large part of this information comprises proposals, reports and technical documentation sent to customers, and internal quality, process and administration documentation, where the most applicable PII included will be the name and job title of the recipient. Whilst these documents are commercially sensitive, our advice is that as there is minimal PII, and the information contained is publicly available through the likes of LinkedIn, these are not a significant GDPR risk and normal good security practice will be suitable. Emails sent to customers also contain only these items of PII, and with a reasonably sophisticated email application such as Exchange, searches can be run to identify anything that needs protection.
Once you have identified where your GDPR risks are, the next step is to segment the data and store it according to business value and sensitivity, using GDPR compliance as one of the factors for the segmentation. We recommend implementing active data management using, for example, Data Loss Prevention or digital rights management with active search and e-discovery in order to index stored data and identify where PII may reside. If data is currently distributed across multiple servers and locations, ideally you need to consolidate it so that it can easily be indexed. Druva, for example, estimates that around 40 per cent of company data never reaches the central IT platforms. There are a number of tools such as Commvault Data Platform Simpana and Druva inSync which enable indexing for all backed up data.
Active data management
Once you know the location of your PII, you can put the appropriate policies and protections in place. Working towards recognised standards such as certification from the government-backed Cyber Essentials scheme can help organisations demonstrate that they have implemented proper controls on their data.
Most importantly, active data management needs to be accompanied by a data protection policy that sets out clearly who can open, read and download specific types of information, and everyone in the organisation needs to be trained to follow this policy. Once all users have been informed, the policy should be rigorously enforced. It is worth remembering that the value of data may not be in the individual items of data themselves but in making the links between them in order to gain insights, so the data protection policy should also address how to manage and secure these links.
Organisations then need to consider how to handle data held on mobile devices, from laptops to smartphones. This requires a security policy which is enforceable, realistic, unambiguous, acceptable to users and avoids violating personal privacy laws. There are tools which can assist with data identification and protection, but the key is to minimise the amount of data transferred to or held on the device. This can be done in several ways: virtualising applications and streaming them to the device; allowing access but implementing a policy to prevent users downloading sensitive organisational data; or mandating Mobile Device Management (MDM) on all mobile devices so that corporate data can be removed if the device is lost or stolen, with encryption used to secure any sensitive data that must remain on it.
If an organisation believes that PII already exists on corporate mobile devices, software tools such as Druva inSync can scan files and data as part of the device’s backup and recovery process to identify potential PII and other sensitive data. Once located, the data can then be protected or deleted in line with company policy. This capability is available as a service from organisations such as Fordway, and in addition to backup and restoration offers compliance and legal hold with scalable, encrypted backup storage.
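The scanning and ‘big bucket’ segmentation described above, as an added illustration that is not Fordway's or Druva's code: it runs a few constructed PII indicator patterns (email, UK phone, National Insurance number, ISO date as a date-of-birth proxy) over constructed sample documents and sorts each into a high, low or none bucket, treating contact details alone as low risk and HR/payroll-style identifiers as high risk, in line with the article's reasoning. The patterns and sample files are assumptions for the example, not a production-grade classifier.

```python
import re

# Constructed regexes for a few common UK PII indicators. A real deployment
# would use a maintained detection library and tune these for false positives.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b(?:\+44\s?|0)(?:\d\s?){9,10}\b"),
    # UK National Insurance number, e.g. AB123456C (format check only)
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    # ISO dates, used here as a date-of-birth proxy in HR/payroll records
    "iso_date": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}

# Indicators that move a file into the high-risk bucket on their own.
HIGH_RISK = {"ni_number", "iso_date"}

def scan_text(text):
    """Return {indicator: count} for every indicator found in a document body."""
    counts = {}
    for name, pattern in PII_PATTERNS.items():
        hits = len(pattern.findall(text))
        if hits:
            counts[name] = hits
    return counts

def classify(counts):
    """'Big bucket' classification: high if HR/payroll-style identifiers appear,
    low if only contact details (name/email/phone), none otherwise."""
    if any(name in HIGH_RISK for name in counts):
        return "high"
    return "low" if counts else "none"

# Constructed sample documents standing in for files found in a laptop backup.
SAMPLE_FILES = {
    "proposal_acme.txt": "Dear Jane Smith, Head of IT (jane.smith@example.com), "
                         "please find our proposal attached.",
    "payroll_export.csv": "name,ni,dob,phone\nJohn Doe,AB123456C,1980-04-12,07700 900123\n",
    "release_notes.md": "Version 2.1 fixes the login timeout and adds audit logging.",
}

def scan_files(files):
    """Return {filename: (bucket, indicator counts)} for each document."""
    return {name: (classify(scan_text(body)), scan_text(body))
            for name, body in files.items()}

if __name__ == "__main__":
    for name, (bucket, counts) in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {bucket} {counts}")
```

The "low" bucket here matches the article's view that a name and contact details alone warrant normal good security practice, while the payroll export is the kind of file that should be moved off the device or protected.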
Overall I believe that GDPR is a business issue, not a technology problem. Technology can help by providing useful search and archive tools but the key to the problem is a clearly defined and well understood GDPR adherence policy, with appropriate business processes to ensure compliance and continual good cyber security discipline.
Richard Blanford, Founder, Fordway