Companies are in danger of being caught out by GDPR data requests, writes Matt Lock, Director of Sales Engineers (UK) at cyber and data security product company Varonis.
With its sweeping new data control rights and strict fines for poor security, the EU GDPR (general data protection regulation) is easily one of the most significant pieces of regulation to hit the business world in years. New requirements around securing data and handling breaches have meant that organisations have finally had to put cyber security at the forefront of their operations rather than simply paying lip service.
While most companies have undertaken the initial stages, such as reviewing and changing policies and appointing a Data Protection Officer where needed, it is very common to find that businesses have failed to tackle the more complex issues. One of these is accommodating the new rights of citizens to discover how their data is being used, or to have it deleted.
The right to know
Under the GDPR, all EU citizens now have the right to submit a Data Subject Access Request (DSAR), enabling them to request information on what data is being held, how it was collected, and how it is being managed and used. Citizens can also ask that some or all of their information be permanently deleted by the company. The challenge is this: eighty percent of all of a company’s data lies within unstructured files such as emails, spreadsheets and text documents on the file system. With so much data constantly being created, edited and copied, even the most meticulously organised companies will eventually begin to lose track of the data they hold. Our own research found that 71 percent of folders contained stale data that was no longer actively being used. As such, DSARs present a major challenge for many companies because they lack the technology necessary to search through the vast amounts of data in their systems and find the requested information, particularly within the initial 30-day time limit.
Normal system search functions are rarely designed to locate multiple specific files with any kind of efficiency, and the challenge is complicated further by the fact that data has often been duplicated many times over. As an example, take a standard customer spreadsheet including names, addresses and contact details, saved as an Excel document. The file is attached to an email and shared with multiple colleagues, ten of whom save it to their own systems. The following month, part of the database is used in a report that is uploaded to a SharePoint site accessible by 20 people. Suddenly, one piece of data exists in dozens of locations, including different file systems, shared networks and email servers. A further complication is that a company cannot always fulfil an erasure request simply by deleting a file: it would be unworkable to delete a database of 20,000 people to satisfy 20 deletion requests. This means most requests will need to be carefully assessed and dealt with on a case-by-case basis.
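As an added illustration, not taken from the article or from any Varonis product, the following Python script performs the kind of discovery scan the spreadsheet scenario calls for: it walks a directory tree standing in for file shares, mailbox attachments and a SharePoint export, finds every file that mentions one data subject, and groups byte-identical copies by content hash so an erasure request can see all duplicates rather than just the first hit. The directory layout, file contents and email address are constructed for the demo.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def scan_for_subject(root, subject_email):
    """Walk `root` and return (hits, duplicates).

    hits: sorted paths whose content mentions subject_email (case-insensitive).
    duplicates: content SHA-256 -> sorted paths, only for content seen in
    more than one location, i.e. the copies an erasure request must also reach.
    """
    hits = []
    by_hash = defaultdict(list)
    needle = subject_email.lower().encode()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if needle in data.lower():
                hits.append(path)
                by_hash[hashlib.sha256(data).hexdigest()].append(path)
    duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return sorted(hits), duplicates


def build_sample_tree():
    """Constructed sample: a customer list saved on a file share and again as a
    mailbox attachment, a report derived from it on SharePoint, and one unrelated file."""
    root = tempfile.mkdtemp(prefix="dsar_demo_")
    customers = b"name,email\nAlice Example,alice@example.com\nBob Example,bob@example.com\n"
    report = b"Q3 report: contact alice@example.com for details\n"
    layout = {
        "fileshare/customers.csv": customers,
        "mailbox/user1/attachments/customers.csv": customers,
        "sharepoint/q3/report.txt": report,
        "fileshare/unrelated.txt": b"nothing here\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def demo(subject_email="alice@example.com"):
    """Return (number of files mentioning the subject, number of paths that are duplicate copies)."""
    hits, dups = scan_for_subject(build_sample_tree(), subject_email)
    return len(hits), sum(len(p) for p in dups.values())
```

Running `demo()` on the constructed tree reports three locations for Alice, two of which are identical copies of the same customer list.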
Managing the DSAR challenge
Many organisations also face the prospect of dealing with requests in very large numbers, particularly public-facing companies such as retailers, which have routinely collected the details of tens of thousands of customers. While there is likely to be a significant drop-off in the number of requests after the first few months of the GDPR, in most cases there is no way of telling what a normal level will be. Dealing with a backlog of thousands of cases within the strict time limit is an extremely daunting task without the right tools. Companies ill-equipped to handle DSARs will also find other areas of their operations suffering as IT resources are diverted to clear the requests. Although the sheer volume and complexity of DSARs will still present a challenge, companies can avoid being overwhelmed by ensuring they have visibility across all potential locations for data, including file systems, email servers and cloud-based solutions.
Automation is also an important capability here, as the process not only needs to be completed quickly, but also with a high degree of accuracy. If a company receives a request to delete data and accidentally leaves some instances of the information, it could face disaster if it is involved in a breach. In the event of a serious data breach, organisations could face the penalties of up to 20 million euros or 4 per cent of global turnover.
I believe we’ll have a precedent for this kind of breach within the year, and organisations that don’t want to be called into the Information Commissioner’s Office should ensure they have the capabilities to deal with DSARs.