The Necessity of Information Governance and Data Classification for Complying With the GDPR
Approaching the new General Data Protection Regulation (GDPR), effective from May 2018, companies based in Europe or holding personal data of people residing in Europe are struggling to find their most valuable assets in the organization – their sensitive data.
The new regulation requires organizations to prevent any data breach of personally identifiable information (PII) and to delete any such data if an individual requests it. After removing all PII data, the companies will need to prove to that person and to the authorities that it has been entirely removed.
Most companies today understand their obligation to demonstrate accountability and compliance, and therefore started preparing for the new regulation.
There is so much information out there about ways to protect your sensitive data that one can easily be overwhelmed and start pointing in different directions, hoping to hit the target. If you plan your data governance ahead, you can still meet the deadline and avoid penalties.
Some organizations, mostly banks, insurance companies and manufacturers, possess an enormous amount of data, as they produce data at an accelerated pace by changing, saving and sharing files, thus creating terabytes and even petabytes of data. The difficulty for these types of firms is finding their sensitive data among millions of files, in structured and unstructured data, which in most cases is, unfortunately, an impossible mission.
The following personal identification data is classified as PII under the definition used by the National Institute of Standards and Technology (NIST):
o Full name
o Home address
o Email address
o National identification number
o Passport number
o IP address (when linked, but not PII by itself in US)
o Vehicle registration plate number
o Driver’s license number
o Face, fingerprints, or handwriting
o Credit card numbers
o Digital identity
o Date of birth
o Genetic information
o Telephone number
o Login name, screen name, nickname, or handle
Most organizations that possess PII of European citizens need to detect and protect against any PII data breaches, and to delete PII (often referred to as the right to be forgotten) from the company’s data. The Official Journal of the European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, states:
“The supervisory authorities should monitor the application of the provisions pursuant to this regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market.”
In order to enable the companies that possess PII of European citizens to facilitate a free flow of PII within the European market, they need to be able to identify their data and categorize it according to the sensitivity levels of their organizational policy.
The regulation defines the flow of data and the market’s challenges as follows:
“Rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organizations, while ensuring a high level of the protection of personal data.”
Phase 1 – Data Detection
So, the first step that needs to be taken is creating a data lineage, which will enable organizations to understand where their PII data is spread across the organization and will help decision makers detect specific types of data. The EU recommends obtaining automated technology that can handle large amounts of data by scanning it automatically. No matter how large your team is, this is not a project that can be handled manually when facing millions of different types of files hidden in various areas: in the cloud, in storage systems and on on-premises desktops.
The main concern for these types of organizations is that if they are not able to prevent data breaches, they will not be compliant with the new EU GDPR and may face heavy penalties.
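As an added illustration of the automated scan described above (example code written for this page, not from the original article or any product), the following Python sketch scans constructed sample file contents for a few of the NIST PII categories listed earlier (email address, IP address, date of birth, and card numbers validated with the Luhn checksum to cut false positives) and tags each file with a sensitivity tier. The file names, contents, regular expressions and the three-tier policy are all assumptions.

```python
import re

# Constructed sample file contents standing in for an unstructured file share (no real data).
SAMPLE_FILES = {
    "hr/onboarding.txt": "Contact: jane.doe@example.com, phone +44 20 7946 0000, DOB 1985-04-12",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111 1111 1111 1112",
    "ops/access.log": "10.0.0.7 - - GET /login user=jdoe",
    "marketing/brochure.txt": "Our 2018 catalogue is now available.",
}

# Illustrative detectors for a few of the NIST PII categories; production scanners add
# locale-specific patterns (national ID, passport, phone formats) and context rules.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "date_of_birth": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count PII hits per category in one file's contents."""
    found = {}
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            tag = label
            if label == "card_candidate":
                if not luhn_ok(re.sub(r"[ -]", "", m.group())):
                    continue  # fails the checksum, so it is not reported as a card number
                tag = "credit_card"
            found[tag] = found.get(tag, 0) + 1
    return found

def classify(found: dict) -> str:
    """Assumed organizational policy: card data is restricted, any other PII is confidential."""
    if "credit_card" in found:
        return "restricted"
    return "confidential" if found else "public"

def scan_files(files: dict) -> dict:
    """Phase 1 inventory: which files hold which PII, and at what sensitivity tier."""
    hits = {path: scan_text(text) for path, text in files.items()}
    return {path: (h, classify(h)) for path, h in hits.items()}
```

Running `scan_files(SAMPLE_FILES)` flags the refunds file as restricted (one Luhn-valid card number, the second candidate rejected), the onboarding note and access log as confidential, and the brochure as public.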