The GDPR was the first comprehensive privacy compliance law to be introduced. The need to comply with GDPR, among other regulations like the CCPA and PDPA, is now essential to organizations worldwide. Data protection has become an increasingly important business issue and affects organizations of all sizes, cutting across all industries. Knowing where sensitive data is and protecting it is now imperative to preserve individual privacy rights.
However, there is a significant gap in the degree of automation and infrastructure required to be compliant with regulations. This gap is the reason why several companies failed to meet the GDPR compliance standards in time. For example, large organizations such as British Airways were slammed with fines as high as $230 million owing to non-compliance.
On the other hand, companies that did meet the guidelines in time still face issues - according to Tanium, 67% of organizations fear they won't be able to sustain compliance. That is the crux of the problem with compliance - data is rarely stationary. Without a reliable sense of where, what and how much data is traveling, companies are susceptible to privacy infringements or, at worst, a data breach. Protecting your data - keeping track of it, where it resides, and where it migrates to - is what will keep companies compliant.
To protect your data, though, people and processes alone will not suffice. Data protection is a problem that was primarily caused by technology (since it is technology that has made information so freely available and so easy to communicate at will), and technology is required to solve it.
Yet, there is still a lack of understanding of how technology can help in the fight to protect sensitive data and how significant a role it must play. For example, tech giants, including Google, Amazon, and Apple, have been publicly accused of breaching GDPR after failing to respond to 10 private citizens' requests on their basic information.
Companies must invest in technology that can keep up with the basic guidelines of different data protection regulations, such as the Right to Access (as in the example above) or the Right to be Forgotten.
But most importantly, these solutions should also be capable of keeping sensitive data secure, no matter where it is. That means keeping track of where your data is traveling and being mindful of the information your company aggregates over time.
So, technology is needed to fulfill the two aspects covered by privacy compliance laws – the capability to respond to Data Subject Access Rights (DSARs) and building/maintaining a stable Data Security posture.
Hence, apart from adhering to the fundamental rights as required by regulations, you also need to tackle issues related to data security in general. Unfortunately, most organizations tend to miss out on the data security aspect of compliance.
We have already discussed some of the common data security issues - data is rarely stationary. It travels, and it accumulates. Let's take this one by one.
- Data transfer
Data is the lifeblood of businesses in today's global economy. It is a part of a business strategy to ensure that information is shared freely to offshore locations.
Cross-border data security involves the safe movement of electronic and personal data around the world. This movement of data often proves to be a challenge for enterprises due to regulations, data residency requirements, and enterprise-specific practices that restrict the transfer of data across borders. You can read more about these challenges in our blog on cross border data security.
To ensure an effective cross-border data security solution, you need to cover these key points:
- Define and find where and who has access to sensitive data across the enterprise, with ease and efficiency
- Maintain referential integrity of realistic yet masked data for cross-border application development and testing
- Deploy a flexible, scalable and robust solution that provides location-based masking in production support and operations
The response to the points mentioned above lies in the implementation of a data security technology platform that enables:
- Discovery of personal data based on classification and who (user and program) has access to it
- Elimination of personal data exposure in the non-production environment through Static Data Masking
- Minimization of data exposure in production through Dynamic Data Masking
The MENTIS modules for Sensitive Data Discovery, Static Data Masking, and Dynamic Data Masking are robust and ensure pin-pointed discovery with minimum false positives, include flexible masking approaches, and maintain referential integrity across applications and databases. Read more about these solutions in our blog on cross border data security.
- Data accumulation
Apart from keeping track of your data, there is also the problem of data accumulation. A regular day in an organization includes countless emails, instant messages, and documents that may have been saved long after their useful lifespan. It just doesn't stop at that; there are thousands of ZIP files, log files, archived web content, partially developed and then abandoned applications, code snippets… Organizations often hoard unmeasured and unknown amounts of data long after their business benefit.
Gartner defines this as Dark Data - the information assets that organizations collect, process, and store during regular business activities, but generally fail to use for other purposes.
The worrying fact about dark data is that it contains vast amounts of sensitive information, and most organizations fail to account for this in their security strategy. Hence, the risk of exposure increases as the volume of dark data grows. According to studies conducted by the International Data Group, dark data is growing at a rate of 62% per year. By 2022, they say, 93% of all data will be dark data.
(For more information on dark data and the technology needed to combat it, read our blog Security Perils of Dark Data.)
The popular approach used by companies is archival or deletion. However, it is now being understood that archival is not an ideal solution because it is a "risk-transfer" rather than a "risk-mitigation" solution.
As a result, many organizations are resorting to deletion of data. However, it should be noted that dark data has a lot of analytical value and can often be used to generate actionable insights.
MENTIS approaches the problem of inactive sensitive data and/or dark data through its industry-first solution called sensitive data retirement. MENTIS' solution tokenizes the sensitive information while retaining the transactional part of it. This results in the dataset being securely de-identified, while also retaining the usefulness of the data within.
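To make the two ideas above concrete (masked data that keeps referential integrity, and tokenizing sensitive fields while keeping the transactional part), here is an added example; it is not MENTIS product code and does not describe how MENTIS implements either feature. It assumes a keyed HMAC-SHA256 token, a demo key, and constructed `CUSTOMERS`/`ORDERS` tables, all of which are hypothetical.

```python
import hashlib
import hmac

# Assumption: a real key would live in a KMS/HSM; this is a constructed demo value.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def tokenize(value: str, field: str, key: bytes = DEMO_KEY) -> str:
    """Deterministic keyed token: the same (field, value) always maps to the same token."""
    msg = field.encode() + b"\x00" + value.encode()  # field name separates token domains
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"tok_{digest[:16]}"

def retire(rows, sensitive_fields, key=DEMO_KEY):
    """Return copies of rows with sensitive fields tokenized and all other fields untouched."""
    out = []
    for row in rows:
        masked = dict(row)  # never mutate the source rows
        for field in sensitive_fields:
            if masked.get(field) is not None:  # NULLs stay NULL
                masked[field] = tokenize(str(masked[field]), field, key)
        out.append(masked)
    return out

# Constructed sample data: one identity table, one transactional table.
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com"},
    {"customer_id": "C-1002", "name": "Bob Example", "email": None},
]
ORDERS = [
    {"order_id": 1, "customer_id": "C-1001", "amount": 120.50, "date": "2019-03-01"},
    {"order_id": 2, "customer_id": "C-1001", "amount": 15.00, "date": "2019-04-12"},
    {"order_id": 3, "customer_id": "C-1002", "amount": 80.00, "date": "2019-04-13"},
]

def spend_per_customer(customers, orders):
    """Join orders to customers on customer_id and total the amounts."""
    known = {c["customer_id"] for c in customers}
    totals = {}
    for o in orders:
        if o["customer_id"] in known:
            totals[o["customer_id"]] = totals.get(o["customer_id"], 0) + o["amount"]
    return totals

MASKED_CUSTOMERS = retire(CUSTOMERS, ["customer_id", "name", "email"])
MASKED_ORDERS = retire(ORDERS, ["customer_id"])  # amounts and dates are retained

if __name__ == "__main__":
    print(spend_per_customer(MASKED_CUSTOMERS, MASKED_ORDERS))
```

Because the tokens are deterministic, anyone holding the key can recompute them for a guessed value, so the key needs the same protection as the original data.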
As we've seen, a crucial goal for any organization is to be compliant with the respective data security regulation to which it is pertinent. Of course, as challenging as this is, a greater challenge is to sustain it.
Data is the lifeblood of businesses, and for a company to achieve its objectives, data cannot be stationary.
Thus, companies must understand that privacy compliance is not a one-time goal - it requires continuous business commitment as data travels and accumulates.