The need for information governance and data classification to comply with the GDPR

With the new General Data Protection Regulation (GDPR) taking effect in May 2018, companies based in Europe, or holding personal data of people residing in Europe, are struggling to locate their most valuable asset in the organization: their confidential data.

The new regulation requires organizations to prevent any breach of personally identifiable information (PII) and to delete personal data on request. After deleting a person's PII, companies will need to prove to that person and to the authorities that the data has been completely removed.

Most companies today understand their obligation to demonstrate accountability and compliance and have therefore begun preparing for the new regulation.

There is so much information about ways to protect confidential data that one can easily become overwhelmed and start pointing in different directions, hoping to hit the mark. If you plan your data governance ahead, you can still meet the deadline and avoid penalties.

Some organizations, primarily banks, insurance companies, and manufacturers, own an enormous amount of data: they produce data at an accelerated rate, changing, storing, and sharing files, and thus accumulate terabytes and even petabytes. The difficulty for these companies is finding their sensitive data among millions of files, in structured and unstructured data, which unfortunately is in most cases an impossible mission to carry out.

The following data items are classified as PII according to the definition used by the National Institute of Standards and Technology (NIST):

o Full name
o Home address
o Email address
o National identification number
o Passport number
o IP address (when linked to a person; not PII by itself in the US)
o Vehicle registration plate number
o Driver’s license number
o Face, fingerprints or handwriting
o Credit card numbers
o Digital identity
o Date of birth
o Place of birth
o Genetic information
o Telephone number
o Login name, screen name, nickname or identifier

Most organizations that hold PII from European citizens are required to detect and protect against any PII data breach and remove PII (often referred to as the right to be forgotten) from company data. The Official Journal of the European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 has declared:

“Supervisory authorities should monitor the application of the provisions in accordance with this Regulation and contribute to their consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and facilitate the free circulation of personal data in the internal market.”

For companies that hold PII from European citizens to take part in the free flow of personal data within the European market, they need to be able to identify their data and categorize it according to the sensitivity levels defined in their organizational policy.

The regulation describes the data flow and the challenges of the market as follows:

“Rapid technological advances and globalization have posed new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology enables both private companies and public authorities to make use of personal data on an unprecedented scale in conducting business. Individuals are increasingly making personal information available to the public and to everyone. Technology has transformed both the economy and social life, and it should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organizations, while ensuring a high level of protection of personal data.”

Phase 1: data discovery

Therefore, the first step is to build a data lineage that shows where PII resides in the organization and helps decision makers spot specific types of data. The EU recommends adopting an automated technology that can scan large amounts of data without human intervention. No matter how big your team is, this is not a project that can be handled manually: it means going through millions of hidden files of different types in various locations, namely cloud, local storage and desktops.

The main concern for these types of organizations is that if they cannot prevent data breaches, they will not comply with the new EU GDPR regulation and may face heavy penalties.

They need to name specific employees who will be responsible for the whole process, such as a Data Protection Officer (DPO), who primarily handles technology solutions, a Chief Information Governance Officer (CIGO), usually an attorney responsible for compliance, and/or a Compliance Risk Officer (CRO). This person needs to be able to control the entire process end to end and to provide management and authorities with full transparency.

“The controller should pay special attention to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide adequate safeguards to protect the fundamental rights and freedoms of natural persons with respect to the processing of their personal data.”

PII can be found in all types of files, not only PDF and text documents but also image files, for example a scanned check, a CAD/CAM file that may contain the intellectual property (IP) of a product, a sketch, source code or a confidential binary file. Common technologies today can extract text from files, making PII hidden in text easy to find, but in some organizations, such as manufacturing, most of the sensitive data may sit in the remaining files, for example image files. PII in these file types cannot be detected accurately, and without technology capable of detecting PII in formats other than text, this important information can easily be missed and cause substantial damage to your organization.

Phase 2: data categorization

This stage consists of behind-the-scenes data mining actions, created by an automated system. The DPO / controller or information security decision maker must decide whether to track certain data, block it, or send alerts of a data breach. To perform these actions, you need to view your data in separate categories.

Structured and unstructured data categorization requires complete data identification while maintaining scalability – effectively scanning the entire database without “boiling the ocean.”

The DPO must also maintain the visibility of the data in multiple sources and quickly present all the files related to a certain person according to specific entities such as: name, date of birth, credit card number, social security number, telephone, email address, etc.

In the event of a data breach, the DPO will report directly to the highest level of management of the controller or processor, or to the person responsible for information security, who will be responsible for reporting the breach to the relevant authorities.

Article 33 of the EU GDPR requires that this violation be reported to the authorities within 72 hours.

Once the DPO identifies the data, the next step should be to tag or label the files according to the sensitivity levels defined by the organization.

As part of regulatory compliance, the organization’s files must be accurately labeled so that they can be traced on premises and even when shared outside the organization.
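A small discovery-and-categorization pass over extracted file text, as an added example that is not part of the original article: detectors for four of the PII entities listed above (with a Luhn check so that arbitrary digit runs are not labelled as card numbers), a constructed sensitivity policy that assigns each file its label, and an index from every entity value to the files containing it, which is what a DPO needs in order to list every file related to one person. The file paths, sample contents, policy levels and the choice of the US SSN format for the national identifier are all assumptions made for this example.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps random 13-19 digit runs from being tagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

DETECTORS = [  # (entity type, pattern, optional validator) for some entities in the NIST list
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
    ("national_id", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),  # US SSN format, an assumption
    ("date_of_birth", re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"), None),
    ("credit_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
]

def find_pii(text: str) -> dict:
    """Return {entity_type: set of normalised values} found in one document's extracted text."""
    found = {}
    for kind, pattern, valid in DETECTORS:
        for m in pattern.findall(text):
            if valid is None or valid(m):
                value = re.sub(r"[ -]", "", m) if kind == "credit_card" else m.lower()
                found.setdefault(kind, set()).add(value)
    return found

# Constructed sensitivity policy: the highest level among the entities found labels the file.
LEVEL = {"credit_card": 3, "national_id": 3, "date_of_birth": 2, "email": 1}
LABEL = {0: "public", 1: "internal", 2: "confidential", 3: "restricted"}

def classify(entities: dict) -> str:
    return LABEL[max((LEVEL[t] for t in entities), default=0)]

def scan(files: dict) -> tuple:
    """files: path -> extracted text. Returns ({path: label}, {entity value: set of paths})."""
    labels, index = {}, {}
    for path, text in files.items():
        ents = find_pii(text)
        labels[path] = classify(ents)
        for value in set().union(*ents.values()):
            index.setdefault(value, set()).add(path)
    return labels, index

SAMPLE_FILES = {  # constructed sample documents, not real data
    "hr/employee_42.txt": "Name: Jane Roe\nDOB: 1984-07-19\nEmail: Jane.Roe@example.com\nSSN: 123-45-6789",
    "sales/order_9001.txt": "Card 4111 1111 1111 1111 billed to jane.roe@example.com",
    "it/ticket_77.txt": "Reference 4111 1111 1111 1112 is a ticket number; contact ops@example.com",
    "docs/brochure.txt": "Public product brochure, no personal data.",
}
```

Calling scan(SAMPLE_FILES) labels the HR record and the order as restricted, the ticket (whose number fails the Luhn check) as internal and the brochure as public, and the index lists both files that mention jane.roe@example.com.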

Phase 3: knowledge

Once the data is tagged, personal information can be mapped across networks and systems, both structured and unstructured, and easily traced, allowing organizations to protect their confidential data and let end users use and share files securely, thus improving data loss prevention.

Another aspect that must be taken into account is the protection of confidential information from insider threats: employees trying to steal confidential data such as credit cards, contact lists, etc. or manipulate the data to obtain some benefit. These types of actions are difficult to detect in time without automatic monitoring.

These time-consuming tasks apply to most organizations, prompting them to seek efficient ways to gain insights from their business data so that they can inform their decisions.

The ability to analyze intrinsic data patterns helps the organization gain a better view of its business data and pinpoint specific threats.

Integrating an encryption technology allows the controller to track and monitor data effectively, and by implementing an internal system of physical segregation it can create a geographic data fence: definitions of how personal data is segregated, which geographic boundaries or domains it may cross, and reports on sharing violations once a rule is broken. With this combination of technologies, the controller can enable employees to send messages securely across the organization, between the right departments, and outside the organization without being overly restricted.

Phase 4: artificial intelligence (AI)

After data is scanned, tagged, and tracked, a higher value for the organization is the ability to automatically detect atypical behavior around sensitive data and activate protective measures before these events become a data breach incident. This advanced technology is known as “Artificial Intelligence” (AI). Here, the AI function generally consists of a strong pattern recognition component and a learning mechanism that allows the machine to make these decisions, or at least to recommend the preferred course of action to the data protection officer. This intelligence is measured by its ability to become wiser with each scan, user input or change in the data map. Eventually, the AI function builds the organization’s digital footprint, which becomes the essential layer between raw data and the business flows around data protection, compliance, and data management.
