While many companies are still working hard towards the impending GDPR deadline - trying to grasp how to achieve compliance for their business - they could be forgetting one vital component that could unravel their efforts: their existing technology for data leak prevention (DLP). We examine how these disparate entities are actually joined at the hip. They are both essential, need a full view of your organisation and can potentially be overwhelming. Most importantly, the one glaring difference between these two titans is that while GDPR is designed to protect privacy, DLP is, by its very nature, designed to evade it.
Comparisons, complexity & consistency
You may think it’s strange to draw a comparison between these two disparate entities - but there’s a lot to learn by doing so. DLP has become an essential tool to detect and manage information leakage. Implementing DLP to gain visibility against the loss of intellectual property (IP) bears many similarities to GDPR compliance management. Let’s examine both.
GDPR controls cannot be implemented without understanding what personal data exists, and where it is in the organisation – and GDPR programmes usually include data discovery processes in order to get this clarity. DLP technologies provide a technical aide to do this, assisting the organisation to prioritise activities. It’s simply too large an effort to address in one piece and technology is needed to more accurately and quickly respond in the event of a breach.
Equally, DLP initiatives can be overwhelming. Organisations seldom expect the volume of breaches that are identified by the technology and can grapple to respond. A first step is to prioritise activities and, similar to GDPR, these can be based upon a clear understanding of the confidentiality and location of information, as well as the use of the information.
Both initiatives benefit from an understanding of the information location and sensitivity; both initiatives use this information to both prioritise and determine how best to react to a breach; and DLP itself is a tool that assists to acquire this detail.
Organisational integration & the DIY trap
As data and new IP is constantly being created, it is essential to ensure it is protected from internal, external, accidental and malicious threats. These risks traverse the entire organisation and, more importantly, require the efforts of all stakeholders to remediate. This is true for both GDPR and DLP management and this is generally underestimated by those implementing the technology.
Getting DLP right needs specific skills and expertise – similar to GDPR. This complexity, explored in our previous blog, the 11 most common GDPR mistakes, is seldom fully understood by organisations when implementing solutions for the first time. While these lessons can be taken into account with many other information security/privacy projects, there is seldom sufficient in-house experience in these specific cases for a comprehensive solution to be designed.
They both require layers of cross-functional understanding, to not only approach them correctly, but to implement them both legally and efficiently. If allocated to just the IT department, or just the legal team, both GDPR and DLP will simply fail to meet the brief. In both cases, the organisation will benefit through access to specialised skills and should utilise external expertise when planning the implementation.
Another major similarity is that both are always on-going - there is no ‘end destination’ -with constantly moving targets as data is endlessly being created and shared. Furthermore, GDPR compliance is only assured at any given moment in time. If you declare compliance on May 25, 2018, it unfortunately does not mean you can breathe a sigh of relief and move your focus onto another pressing project. If you do, do this at your peril, as it could result in a data breach, a legal breach, a resulting fine, losing valuable IP, reputational damage - the list goes on. We’re not here to scaremonger, these are simply the cold, hard, facts.
The letter and spirit of the law
Now let’s re-focus and look at the glaring difference between the two. This is the classic juxtaposition of the letter and the spirit of the law. While being GDPR-compliant protects privacy, by its very nature you need visibility for DLP, effectively designed to detect privacy breaches, but – if implemented without consideration for privacy regulations – this implicitly erodes this right to privacy.
DLP enables organisations to detect data leakages, and thereby enhance confidentiality management. But in so doing, it enables organisations to monitor communications, potentially violating individual right to privacy. The tension is resolved by ensuring that DLP implementations consider regulations (including GDPR) pertaining to privacy, monitoring of communications and the utilisation of technologies which allow for the monitoring of communications.
Organisations clamouring to get ready for GDPR, while not understanding the potential clash of these two titans, could see these two worlds collide to cause the perfect storm. The long and short of it is, without putting in place the pre-determined processes, you could effectively be breaking the law.
If you do not already have a plan to be able to demonstrate that formal procedures are in place to ensure access is only granted to those who truly require it - start now! But don’t fall into the ‘set and forget’ trap. As people come, go and change roles, their permissions need to change with them.
The balance between visibility, detection, protection and compliance is a fine one. Without the right measures, the tipping point could be stacked against you.
- DLP is a valuable aide to identify the location of personal data, and to detect breaches. Accordingly, it should be considered as a valuable tool during GDPR implementations.
- Recognise that DLP must be implemented within the Regulatory context. It is not a ‘plug-and-play’ technology that can be used without considering its relationship to privacy management.
- Similar to GDPR, DLP has implications for business operations across the organisation. It should not be under-resourced, or isolated within IT.
- This is a journey that benefits through insight from specialists; consider consulting with those that have travelled the journey already.
Anthony Olivier, Head of Consulting, Performanta
Image Credit: Docstockmedia / Shutterstock