Finding Data So You Can Comply with GDPR
GDPR, or General Data Protection Regulation, is the acronym on everybody’s lips these days. The legislation is complex, and it can be difficult to unpack just exactly what it means for your organization.
With GDPR-style privacy laws spreading around the world, organizations are now expected to locate the personal information they possess and manage it in ways that simply weren’t anticipated at the time the information was collected. Long story short: organizations need new tools to find this scattered information so they can comply with GDPR.
Expectations for Privacy Compliance Are Rising
At the forefront of these laws is the European Union’s new GDPR, which went into effect May 25, 2018. Although many of the basic principles of GDPR are not new in EU privacy law, GDPR reflects a major elevation in expectations for privacy compliance. It also puts in play the possibility of massive fines for non-compliance: up to 4 percent of worldwide annual turnover, or EUR 20 million, whichever is higher.
What’s more, GDPR imposes an important new trigger for investigations. It requires organizations that suffer a personal data breach to notify the supervisory authority (within 72 hours of becoming aware of it, where feasible) and, where the breach is likely to result in a high risk to them, the affected individuals. This is largely new within the EU.
That may not sound like a major issue. But recent experiences in the US suggest that the delivery of notice in the EU will cause a chain reaction of investigations. When an organization announces it has experienced a breach, numerous authorities across the EU will focus their regulatory attention on that organization. Further, collective actions in court (like class action lawsuits in the US) will likely arise against the organization. These diverse investigations may also expand in scope to cover more than just the failure of security that caused the breach. They could probe invasively into all aspects of the organization’s compliance with GDPR. And that is a big deal!
GDPR requires an organization to document the personal data it possesses and what it is doing with that data (the records of processing in Article 30). It also requires the organization to explain to an individual data subject what data it holds about that individual (the right of access, Article 15). And it requires the organization to comply with requests by the individual to erase the data or restrict its use (Articles 17 and 18).
These requirements pose real challenges for most organizations’ data infrastructure. Many organizations have collected data for many different purposes over the years. The data is scattered across different silos and platforms. And often, the data is completely undocumented. (Looking to streamline your data? Maybe it's time to perform a data audit. Download our Data Audit Worksheet today.)
Find that data
It’s clear under GDPR: you have to be able to find personal data. But without advanced tools, the search for personal data can be very labor intensive and costly. A powerful search tool can speed things up by using pre-configured data sets, such as a data set for passport numbers or insurance account numbers. Because such data sets are pattern based, they will produce false positives; a good tool pairs each pattern with a validator (a checksum or format rule) so that reviewers are not buried in matches that are not personal data at all.
Audit Trails: Persuasive Evidence of Compliance
After you’ve located your data, you can undertake the process of creating new policies and documentation about the data. Modern tools can be used to automatically apply those policies and documentation to particular units of data. One possible approach is to use a data tagging function to make that data discoverable and manageable.
Audit trails show what searches were executed, when they were executed, and which data repositories were searched. These trails are persuasive evidence to a court or regulatory authority that you are applying the required effort to find data. The audit trails allow supervisors to review search efforts and identify deficiencies so they can be addressed. One caveat: the audit trail should record where personal data was found, not the personal data itself, or the trail becomes yet another copy of the data that you must protect, disclose and erase on request.
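The following Python example, added here and not part of the original article or of any NetGovern product, shows the mechanics described in the two sections above: scanning a repository with pre-configured data sets (a regex plus, where one exists, a validator), tagging each document with what was found, and writing an audit record of the search that stores only a keyed fingerprint of each match rather than the match itself. The email and IBAN patterns are real formats (the IBAN check is the standard mod-97 validation); the "insurance account" format, the audit key and the sample documents are constructed for illustration.

```python
import hmac
import re
from datetime import datetime, timezone

# Constructed secret for fingerprinting matches in the audit trail. In
# production this comes from a key store; it lets you correlate findings
# without writing the personal data itself into the log.
AUDIT_KEY = b"constructed-audit-key-do-not-use"


def iban_check(iban: str) -> bool:
    """Standard IBAN mod-97 validation: move the first four characters to the
    end, replace letters with 10..35, and the whole number mod 97 must be 1."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


# Pre-configured data sets: a regex and a validator that rejects pattern hits
# which fail a format or checksum rule. Real passport formats vary by country,
# so the hypothetical "INS-" insurance account format stands in for them here.
DATA_SETS = {
    "email": {
        "pattern": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
        "validate": lambda s: True,
    },
    "iban": {
        "pattern": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
        "validate": iban_check,
    },
    "insurance_account": {  # hypothetical format: INS- followed by 8 digits
        "pattern": re.compile(r"\bINS-\d{8}\b"),
        "validate": lambda s: True,
    },
}

# Constructed sample repository: path -> document text.
SAMPLE_DOCS = {
    "hr/onboarding-2017.txt": "Contact: anna.example@example.org, salary paid to GB82WEST12345698765432",
    "claims/ticket-4411.txt": "Policy INS-00417722 renewed; old IBAN GB82WEST12345698765433 is invalid",
    "eng/README.md": "Nothing personal here, just build notes.",
}


def fingerprint(value: str) -> str:
    """Keyed hash of a match so the audit trail never contains the raw value."""
    return hmac.new(AUDIT_KEY, value.encode(), "sha256").hexdigest()[:16]


def scan_repository(repo_name: str, documents: dict) -> dict:
    """Run every data set over every document.

    Returns the findings (where each validated match sits), the per-document
    tags that make the data discoverable later, and an audit record of what
    was searched, when, and with which data sets.
    """
    started = datetime.now(timezone.utc)
    findings = []
    for doc_id, text in documents.items():
        for name, spec in DATA_SETS.items():
            for m in spec["pattern"].finditer(text):
                value = m.group(0)
                if not spec["validate"](value):
                    continue  # pattern hit but checksum failed: a false positive
                findings.append({
                    "repository": repo_name,
                    "document": doc_id,
                    "data_set": name,
                    "offset": m.start(),
                    "fingerprint": fingerprint(value),
                    "tag": f"pii:{name}",
                })
    tags = {}
    for f in findings:
        tags.setdefault(f["document"], set()).add(f["tag"])
    audit = {
        "repository": repo_name,
        "documents_searched": sorted(documents),
        "data_sets": sorted(DATA_SETS),
        "started_at": started.isoformat(),
        "finished_at": datetime.now(timezone.utc).isoformat(),
        "findings": len(findings),
    }
    return {
        "findings": findings,
        "tags": {d: sorted(t) for d, t in tags.items()},
        "audit": audit,
    }


if __name__ == "__main__":
    result = scan_repository("fileshare-eu", SAMPLE_DOCS)
    for f in result["findings"]:
        print(f["document"], f["tag"], f["fingerprint"])
    print(result["audit"])
```

On the sample repository the scan reports three findings: the email address and the valid IBAN in the HR file, and the insurance account number in the claims ticket. The second IBAN matches the regex but fails the mod-97 check and is dropped, which is the false-positive filtering a validator buys you. The audit record lists every document searched, including the README where nothing was found, because proving that a repository was covered matters as much as listing what turned up in it.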
GDPR Spearheads Tightening of Privacy Laws Around the Globe
GDPR broadly applies to any company anywhere that offers products or services to people in the EU, or monitors their behaviour, even if the company has no physical presence in the EU. GDPR’s breadth of scope has surprised organizations around the world that never gave a second thought to complying with privacy law in Europe.
GDPR is already having an influence beyond the EU. The EU has long been recognized as a leader in privacy law, and countries outside the EU, notably in Asia-Pacific and Latin America, have adopted laws inspired by EU privacy law. It’s reasonable to anticipate that GDPR will inspire laws and regulatory expectations around the globe.
Perfect compliance with privacy laws like GDPR may be close to impossible. But authorities will be more tolerant of organizations that are making efforts to achieve and maintain compliance. Evidence of that diligent effort can be demonstrated through responsible use of modern search tools like those offered by NetGovern.
Benjamin Wright is a practicing attorney based in Dallas, Texas, and an instructor at the SANS Institute teaching a 5-day course titled “Law of Data Security and Investigations.” http://benjaminwright.us