For any company that does business in Europe, GDPR has been front of mind for quite some time, as they update their privacy policies to comply with the new, compulsory legislation. The objectives of GDPR align with most business agendas; for example, implementing privacy controls for customers, and having a single clear set of government policies for sharing data across European countries. For this reason, many companies are supportive of the legislation and its purposes despite the seismic shift it is causing in how organisations manage their data. Like it or not, GDPR is critical for most companies and cannot be sidestepped. For those who don’t comply, the consequences can be severe.
Now that the date for policy announcements has passed, the ongoing work begins: companies must make sure they do business with respect to data privacy. As any company with a significant customer base knows, this is a complex and expensive undertaking. The responsibility to manage personal data in a compliant manner spans numerous tasks, including discovering where Personally Identifiable Information (PII) actually exists in your data, transforming data for GDPR compliance (e.g. via masking, pseudonymisation or encryption), identifying all “flows” of the raw PII data into processes, and assessing whether those processes violate the principles of the agreement.
Achieving and maintaining the goals of GDPR requires more than changes to software; it also requires appropriate alignment with people and processes. In our experience, compliance is best achieved organisationally via a balanced collaboration between your domain experts (who understand your customer data) and the maintainers of your central data governance function (who understand your data stores and data pipelines). To that end we recommend two important best practices to help your organisation get on the road to maintaining GDPR compliance.
1. Recruit domain experts to ensure your data is in the right hands: PII can vary widely in its representation across use cases: e.g. customer IDs, web cookies, avatars, etc. Software can help surface certain PII automatically, but in many cases only a human who understands how the data is used in your organisation can say whether a particular string of digits or letters is a personal identifier. The key here is to empower the people who know the data best to assess it and transform it as needed for compliance. This is a task that may be best handled outside of your core IT organisation.
2. Streamline your data workflows: Most sizable organisations have IT staff who oversee the governance of data across many users. These people need to be empowered to see what data is being accessed, how it is being used and prepared for GDPR compliance, and where it is flowing. To make this possible, it is important to identify and remove isolated desktop data tools and the dangerous practice of potentially sensitive data “replicating like bunnies” into laptops and private servers. Legacy spreadsheet software is often the most common example of this phenomenon, but standalone tools for data preparation and analytics can also cause trouble. The activities traditionally done on these tools should be shifted to newer solutions that work on centralised, managed data stores, respect centralised access control, and provide centrally visible monitoring and auditing.
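The discovery and transformation tasks described above (surfacing likely PII automatically, then masking or pseudonymising it before it flows into downstream processes) can be sketched in code. The following Python is an added illustration written for this article, not code from the article's author or from any data preparation vendor; the key, the field names, the detection thresholds and the sample records are constructed assumptions. It also shows the limit noted in best practice 1: an opaque customer reference passes straight through the automated check and still needs a domain expert to classify it.

```python
import hashlib
import hmac
import re

# Constructed key for the example only. A real deployment keeps it in a
# secrets manager, separate from the data, so pseudonyms can be linked
# back to a person only by the controller that holds the key.
PSEUDONYMISATION_KEY = b"example-key-not-for-production"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")


def detect_pii_type(value):
    """Best-effort classification of one value; None when unrecognised."""
    if not isinstance(value, str):
        return None
    candidate = value.strip()
    if EMAIL_RE.match(candidate):
        return "email"
    if PHONE_RE.match(candidate):
        return "phone"
    return None


def find_pii_columns(rows, threshold=0.5):
    """Flag a column when more than `threshold` of its non-empty values
    look like one PII type. Opaque identifiers such as a customer
    reference are never flagged; that gap is what domain experts close."""
    found = {}
    columns = set().union(*(r.keys() for r in rows))
    for col in columns:
        values = [r.get(col) for r in rows if r.get(col) not in (None, "")]
        if not values:
            continue
        counts = {}
        for v in values:
            kind = detect_pii_type(v)
            if kind:
                counts[kind] = counts.get(kind, 0) + 1
        for kind, n in counts.items():
            if n / len(values) > threshold:
                found[col] = kind
    return found


def pseudonymise(value, key=PSEUDONYMISATION_KEY):
    """Keyed, deterministic pseudonym. An HMAC rather than a bare hash:
    a low-entropy field such as an email cannot be recovered by hashing
    guesses without the key. Normalising first keeps joins stable."""
    normalised = value.strip().lower()
    digest = hmac.new(key, normalised.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def mask_phone(phone):
    """Irreversible masking that keeps the last four digits for support use."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


TRANSFORMS = {"email": pseudonymise, "phone": mask_phone}


def prepare_records(rows, pii_columns):
    """Apply the per-type transform to each flagged column and leave the
    rest untouched; returns new dicts instead of mutating the source."""
    prepared = []
    for r in rows:
        new = dict(r)
        for col, kind in pii_columns.items():
            if new.get(col):
                new[col] = TRANSFORMS[kind](new[col])
        prepared.append(new)
    return prepared


# Constructed sample records; none of these refer to real people.
SAMPLE_ROWS = [
    {"customer_ref": "C-1042", "email": "Alice@Example.com",
     "phone": "+44 20 7946 0958", "notes": "asked about invoice"},
    {"customer_ref": "C-1043", "email": "bob@example.org",
     "phone": "020 7946 0001", "notes": ""},
    {"customer_ref": "C-1044", "email": "",
     "phone": "(555) 010-2222", "notes": "callback requested"},
]

if __name__ == "__main__":
    flagged = find_pii_columns(SAMPLE_ROWS)
    print("flagged columns:", flagged)
    for row in prepare_records(SAMPLE_ROWS, flagged):
        print(row)
```

The pseudonym is deterministic so that analysts can still join records on it, which is why the secret key, not the hashing step, is what carries the protection; the masked phone number is not reversible at all, which is the right choice where nobody downstream needs the original.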
Why data preparation is fundamental for GDPR compliance
Robust data preparation solutions should balance the needs of self-service and governance. They should make data preparation simple and intuitive for domain experts, while enabling robust administrative oversight of data content and usage by IT staff. They should avoid data replication in storage: data needs to remain in its “native habitat” in file storage systems or databases, governed by the established access control policies enforced on those systems. This combination of considerations — end-user self-service and centralised governance — makes data preparation platforms a natural fit for companies that want to make sure they go beyond public privacy announcements and get their business on track with the ongoing requirements of GDPR.