In the digital age, data privacy has become a basic human right. With the clock counting down to the deadline for compliance with the EU’s General Data Protection Regulation (GDPR), businesses should be putting the final processes in place to ensure they can provide the best, most efficient protection of customers’ most valuable assets – their data and privacy.
Regulators have given businesses enough time to get their house in order. They will now be itching to make an example of companies that have failed to show due diligence. And the regulator now has teeth. Following the CEX data breach, where the details of two million customers were compromised, the company could have faced fines in excess of more than £5.5 million under the GDPR regime.
What do businesses need to know?
There is a lot of fear, uncertainty and doubt around GDPR. For example, knowing where to start and who is responsible is difficult as there are so many parties involved - from IT and legal to compliance and risk. However, it’s important to remember that data protection is everyone's responsibility, right down to the office floor.
The challenge with GDPR is knowing where to start. At a recent industry event, chief data officers, heads of general counsel, heads of risk, CIOs and compliance officers were asked what their main hurdles were to achieving compliance with GDPR. The most common answer was the volume of work required in order to be compliant. This was followed up by a lack of awareness and understanding of the legislation itself. Other problems listed included lack of resources, overall complexity, and the need for true collaboration.
While there is a mountain of best practice and advice available, the key thing to remember is that GDPR requires companies to demonstrate the steps they have taken to protect personal information. This is in itself is a daunting task for many.
Run faster, safely
In order to move fast and survive, global businesses need rapid and secure access to data throughout their organisation. Typically, when we think of data protection we associate it with a company’s critical systems and the live data that sits within them. Yet the reality now is that 90% of an organisation’s data sits in non-production systems like development and test environments, compliance and financial reporting systems, analytics and big data tools and archive/backup tools that are at the heart of day-to-day operations. That makes the task bigger and more complicated than just limiting access to live data.
What’s needed is a new approach that brings together the data operators responsible for managing, securing and distributing the data with the data consumers that are using it to run the business. One option is to adopt a ‘DataOps’ programme. Put simply, DataOps represents a desire to bring together those that operate data and those who consume data, in order to make business run faster and more securely and comply with regulations. It focuses on aligning people, processes, and technology to enable the rapid, automated, and secure management of data. Its goal is to eliminate ‘data friction’ – the functional gap between the huge volume of information that we generate and our ability to use it securely and effectively.
What DataOps tools can ensure your business is ready in time?
Part of the wider DataOps picture is the use of encryption for security purposes. It’s important to note that encryption alone does not satisfy GDPR requirements. Encryption is certainly valuable for data that is in transit, but in order to make encrypted data useful, it must be decrypted. This exposes the sensitive data once again so that anyone can access it.
Dynamic data platforms compliment encryption by securing data whist still making it useable. They begin by creating a comprehensive library of data sources that enables users to pinpoint the exact location of sensitive data across an organisation’s entire IT estate, whether on-premise or in the cloud. What’s more, they can identify which data values are subject to GDPR, and adapt these to the business’ unique definitions of what is considered personal, confidential information to meet the security requirements that businesses are expected to satisfy.
For example, Article 30 of the GDPR sets out that businesses must implement “appropriate” technical and organisational measures to secure personal data, taking account of the risk presented to individuals if the security of that data were to be breached. In this regard, the GDPR expressly says that businesses should consider implementing “as appropriate … the pseudonymisation and encryption of personal data.” While the law stops short of telling businesses they must implement pseudonymisation, the express reference to it in the security provisions of the GDPR is highly significant, as regulators will take its implementation into consideration when considering compliance.
Ahead of the game with pseudonymisation
Identifying personal data is only half the challenge. Protecting it comes next and a big task for companies is masking data for all live and non-production systems. The GDPR itself contains an express legal definition of this process, called ‘pseudonymisation’, describing it as: “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, if such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.”
‘Pseudonymisation’ is the use of code names in place of sensitive data. Internal systems know that Person X is represented by a code name, but external actors would be unable to trace the data to its owner. It is achieved through the use of data masking tools. Most importantly, pseudonymised data is useful for testing software, reporting or analytics, as the data itself is not changed. Its pseudonymised format ensures that if information should be lost or stolen, it won’t leave a business exposed to GDPR sanctions as masked data contains no identifiable personal information.
Even with this in place, organisations still need to deliver copies of protected data to different business functions, as well as update them as production data changes. In fact, as much as 90% of an organisation’s total data is made up of copies of copies of copies. If you can successfully mask all your secondary data, then that in essence removes it from GDPR compliance. Modern dynamic data platforms virtualise data once masked, and then deliver multiple copies with no cost of storage or time. This means you can be GDPR compliant without inhibiting speed or agility, providing an opportunity for the business to go faster and reduce costs. All at the same time as complying with GDPR.
Coming out on top
At the end of the day, the major push for understanding these requirements comes down to the potential penalties. The impact of a breach is extreme. Most companies are very aware of the threat of fines of that could hit a 4% ceiling of worldwide income (measured by the prior year) or €20m. The implications also go further. Not only must organisations ensure they protect individuals’ data, but they must institute organisational change across employees to truly understand what is covered and how the employees in their day-to-day operations can act in data subjects’ best interests.
Yes, GDPR may mean new levels of compliance. But at the same time, it also provides the opportunity to drive innovation and excellence in an increasingly data-led world. DataOps means that not only will enterprises be able to make more sense of their data, but it will deliver more value. However, it simply can’t be at the expense of consumer privacy. Businesses must embrace DataOps and act fast to ensure these processes are in place. In a closely regulated, data driven world, how companies handle security and privacy issues will define the winners and losers.
Jes Breslaw, Director of Strategy for EMEA at Delphix
Image Credit: Wright Studio / Shutterstock