Dispitus.com


With the new General Data Protection Regulation (GDPR) approaching, effective 25 May 2018, companies based in Europe or holding personal data of people residing in Europe are struggling to locate their most valuable asset in the organization: their confidential data.

The new regulation requires organizations to protect personally identifiable information (PII) against breaches and to erase a person's data when that person requests it (the right to erasure, Article 17, which applies subject to the conditions listed there). After erasing the data, the company must be able to demonstrate to the person and to the authorities that it has been completely deleted.

Most companies today understand their obligation to demonstrate accountability and compliance and have therefore begun preparing for the new regulation.

There is so much information available about ways to protect sensitive data that one can easily get overwhelmed and start aiming in every direction, hoping to hit the target by chance. By planning your data governance ahead of time, you can still meet the deadline and avoid penalties.

Some organizations, mostly banks, insurance companies and manufacturers, hold enormous amounts of data: they produce it at a rapid rate, changing, saving and sharing files, and so accumulate terabytes and even petabytes. The difficulty for these companies is finding their sensitive data among millions of files, in structured and unstructured data alike, which in most cases cannot be done by hand.

The following data elements are classified as PII according to the definition used by the National Institute of Standards and Technology (NIST) in SP 800-122:

o Full name
o Address
o Email address
o National identification number
o Passport number
o IP address (when linkable to a person; not PII by itself in the US)
o Vehicle registration number
o Driver's license number
o Face, fingerprints or handwriting
o Credit card numbers
o Digital identity
o Date of birth
o Place of birth
o Genetic information
o Phone number
o Login name, screen name, nickname or handle

Note that the GDPR's definition of personal data (Article 4(1)) is broader than this list: Recital 30 explicitly names online identifiers such as IP addresses and cookie identifiers as data that can be used to identify a person, so in a GDPR scope an IP address combined with other information should be treated as personal data.

Organizations that hold PII of people in the EU must be able to detect and prevent PII breaches and to delete PII from company data on request (often referred to as the right to be forgotten). The Official Journal of the European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 states (Recital 123):

“Supervisory authorities should monitor the application of the provisions of this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market”.

For this free flow of PII within the European market to work, the companies that hold it must be able to identify their data and categorize it according to the sensitivity levels defined in their organizational policy.

The regulation's recitals describe the flow of data and the challenges it brings as follows (Recital 6):

“Rapid technological advances and globalization have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to carry out their activities. Individuals are increasingly making personal information available to the public and around the world. Technology has transformed both the economy and social life, and should further facilitate the free movement of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of protection of personal data.”

Phase 1 – Data discovery

The first step, therefore, is to build a data inventory (data lineage) that shows where PII is stored across the organization and lets decision makers locate specific types of data. This calls for automated technology that can scan large volumes of data; no matter how big your team is, it is not a project that can be handled manually when faced with millions of files of different types spread across cloud services, storage systems and local desktops.

The main concern for these organizations is that if they cannot prevent data breaches they will not comply with the GDPR and may face heavy penalties: Article 83 allows administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.

They must designate specific people who own the entire process, such as a Data Protection Officer (DPO), who monitors compliance and advises the organization (Articles 37 to 39 set out when a DPO is mandatory and what the role involves), a Chief Information Governance Officer (CIGO), usually a lawyer responsible for compliance, and/or a Compliance Risk Officer (CRO). Whoever owns the process must be able to control it from end to end and give management and the authorities full transparency.

“The controller must pay particular attention to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and must provide adequate guarantees to protect the fundamental rights and freedoms of natural persons with respect to the processing of their personal data”.

PII can be found in all kinds of files: not just PDFs and text documents, but also images (for example a scanned check), CAD/CAM files that may contain a product's intellectual property, confidential sketches, source code or binary files. Common technologies today extract text from files, which makes data embedded in text easy to find. The rest of the files are the problem: in some organizations, such as manufacturing, the most sensitive data sits in image and binary files that plain text extraction cannot search, and without technology capable of detecting PII in non-text formats (OCR for scanned images, format-specific parsers for the rest) this important information is easily overlooked and can cause substantial harm to the organization.

Phase 2 – Data categorization

This stage consists of behind-the-scenes data mining run by an automated system. The DPO, controller or information security decision maker must decide whether to track certain data, block it, or raise an alert on a suspected breach. To make those decisions, you need to see your data in separate categories.

Categorizing structured and unstructured data requires complete data identification while maintaining scalability, effectively scanning the entire database without “boiling the ocean.”

The DPO must also maintain data visibility across multiple sources and be able to quickly present all files relating to a given person, keyed by specific entities such as name, date of birth, credit card number, social security or national identification number, phone number and email address.

In the event of a data breach, the DPO reports directly to the highest management level of the controller or processor (Article 38(3)), or to the Information Security Officer, who is responsible for reporting the breach to the relevant authority.

Article 33 of the GDPR requires the controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; Article 34 additionally requires notifying the affected individuals when the breach is likely to result in a high risk to them.

Once the DPO identifies the data, the next step should be to tag/label the files according to the sensitivity level defined by the organization.

As part of regulatory compliance, the organization’s files must be accurately labeled so that these files can be traced across the premises and even when shared outside the organization.
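As an added example (not code from the article or from any product it describes), the following Python script performs a minimal version of the Phase 1 discovery and Phase 2 categorization described above: it walks a directory, extracts PII entities from text files, validates card numbers and IBANs with their checksums so that random digit strings do not become false positives, labels each file with the highest sensitivity level found, and reports files it cannot read as text so that images and binaries are flagged for OCR or format-aware tooling rather than silently skipped. The entity patterns, the sensitivity levels and the sample files are all constructed assumptions for illustration; the card and IBAN values are well-known test values, not real accounts.

```python
"""Minimal PII discovery (walk + extract) and categorization (label) pass.

Added example, not the article's or any vendor's code. The detector
patterns, sensitivity levels and sample files are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Entity detectors. Real deployments need many more (names, national IDs,
# dates of birth, ...) and locale-specific patterns; these are illustrative.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7} ?[A-Z0-9]{1,4}\b"),
    "phone": re.compile(r"\+\d{1,3}[ -]?\d{2,4}(?:[ -]?\d{2,4}){2,3}\b"),
}
# Sensitivity level per entity type (assumed organizational policy).
SENSITIVITY = {"credit_card": "restricted", "iban": "restricted",
               "email": "confidential", "phone": "confidential"}
LEVEL_RANK = {"public": 0, "confidential": 1, "restricted": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check on an IBAN (spaces allowed)."""
    s = iban.replace(" ", "").upper()
    numeric = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(numeric) % 97 == 1


# Structured validators applied to regex hits; types without one are trusted as-is.
VALIDATORS = {"credit_card": lambda hit: luhn_ok(re.sub(r"\D", "", hit)),
              "iban": iban_ok}


@dataclass
class FileReport:
    path: str
    label: str = "public"
    entities: dict = field(default_factory=dict)  # entity type -> hit count
    unscanned: bool = False  # not decodable as text: needs OCR or a format parser


def classify_text(text: str) -> dict:
    """Count validated PII hits per entity type."""
    counts = {}
    for name, pat in PATTERNS.items():
        valid = VALIDATORS.get(name, lambda _hit: True)
        n = sum(1 for m in pat.finditer(text) if valid(m.group(0)))
        if n:
            counts[name] = n
    return counts


def label_for(entities: dict) -> str:
    """Highest sensitivity level among the entity types found."""
    levels = [SENSITIVITY[e] for e in entities]
    return max(levels, key=LEVEL_RANK.__getitem__, default="public")


def scan_tree(root: str) -> list:
    """Phase 1: walk the tree; Phase 2: categorize and label each file."""
    reports = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            report = FileReport(path=os.path.relpath(path, root))
            with open(path, "rb") as fh:
                raw = fh.read()
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                # Image, CAD or binary content: a text scanner cannot judge it,
                # so flag it for OCR/format-aware tooling instead of dropping it.
                report.unscanned, report.label = True, "unknown"
            else:
                report.entities = classify_text(text)
                report.label = label_for(report.entities)
            reports.append(report)
    return reports


# Constructed sample files (test card and IBAN values, not real accounts).
SAMPLE_FILES = {
    "customers.csv": "name,email,card\n"
                     "Alice,alice@example.com,4111 1111 1111 1111\n"
                     "Bob,bob@example.org,1234 5678 9012 3456\n",
    "payments.txt": "Refund to GB82 WEST 1234 5698 7654 32, call +49 30 1234 5678\n",
    "hr_contacts.txt": "Reach Carol at carol@example.net or +44 20 7946 0958\n",
    "readme.txt": "Internal project notes, nothing personal here.\n",
    "scan.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)),
}


def run_demo() -> dict:
    """Write the sample tree to a temp dir, scan it, return {path: (label, entities)}."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in SAMPLE_FILES.items():
            mode = "wb" if isinstance(content, bytes) else "w"
            with open(os.path.join(root, name), mode) as fh:
                fh.write(content)
        return {r.path: (r.label, r.entities) for r in scan_tree(root)}


if __name__ == "__main__":
    for path, (label, entities) in run_demo().items():
        print(f"{path:16} {label:12} {entities}")
```

Two design points matter for a real rollout. First, Bob's card number in the sample is rejected by the Luhn check even though it matches the card pattern, which is exactly the false-positive reduction that keeps the DPO's review queue usable at petabyte scale. Second, scan.png is reported with the label "unknown" rather than "public": a file the scanner could not judge must surface as unfinished work, since treating it as clean is how PII hidden in images gets lost.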

Phase 3 – Knowledge

Once the data is tagged, the organization can map personal information across networks and systems, structured and unstructured alike, and trace it easily. This lets it protect sensitive data while still allowing end users to use and share files safely, improving data loss prevention (DLP).

Another aspect to consider is protecting confidential information from insider threats: employees who try to steal sensitive data such as credit card numbers or contact lists, or who manipulate data for personal gain. Such actions are hard to detect in time without automated monitoring.

These time-consuming tasks apply to most organizations, prompting them to look for efficient ways to gain insights from their business data on which to base their decisions.

The ability to analyze intrinsic data patterns helps the organization gain better insight into its business data and pinpoint specific threats.

Pairing the tags with encryption or rights-management technology lets the controller track and monitor data effectively, and an internal segregation policy can build a geo-fence around data: personal data segregation rules, domain and geography crossovers, and reports on sharing violations as soon as a rule is broken. With this combination of technologies, the controller can let employees send messages securely within the organization, between the right departments, and outside the organization without being blocked excessively.

Phase 4 – Artificial Intelligence (AI)

After the data is scanned, labeled and tracked, the greater value to the organization lies in automatically picking out atypical behavior around sensitive data and activating protection measures before such events escalate into a data breach incident. This is where "Artificial Intelligence" (AI) enters: here the AI function is understood as a strong pattern recognition component plus a learning mechanism, so that the machine can make these decisions or at least recommend the preferred course of action to the data protection officer. Its value is measured by how much it learns from every scan, every user input and every change to the data mapping. Over time, the AI function builds the organization's digital footprint, which becomes the essential layer between raw data and the business flows around data protection, compliance and data management.
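As an added example (not code from the article or from any product), here is the kind of baseline-and-outlier check that a Phase 4 system would run over access events to catch the insider scenario raised in Phase 3: it parses access log lines for files that already carry a sensitivity label, counts each user's reads of restricted files per day, builds a per-user baseline from that user's earlier days and flags a day whose count is far above the baseline, recommending an alert or a block. The log line format, the threshold rule and the sample events are constructed assumptions; a real deployment would learn from many more signals than a single daily count.

```python
"""Baseline-and-outlier detection over access events to labelled files.

Added example, not the article's code. Log format, threshold rule and
sample events are assumptions; real systems use far richer features.
"""
import re
import statistics
from collections import defaultdict

# Assumed log line shape: <timestamp> user=<id> action=<verb> label=<level> file=<path>
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=(?P<action>\S+)"
    r" label=(?P<label>\S+) file=(?P<file>\S+)$"
)


def parse_events(lines):
    """Yield parsed events; malformed lines are skipped rather than crashing."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def daily_counts(events, label="restricted", action="read"):
    """counts[user][day] = number of <action> events on <label> files.

    Days on which a user had no matching activity count as zero, so quiet
    days pull the baseline down instead of being invisible to it.
    """
    counts = defaultdict(lambda: defaultdict(int))
    days = set()
    for e in events:
        days.add(e["day"])
        bucket = counts[e["user"]]  # register the user even with no matching reads
        if e["label"] == label and e["action"] == action:
            bucket[e["day"]] += 1
    return {u: {d: c.get(d, 0) for d in sorted(days)} for u, c in counts.items()}


def flag_anomalies(counts, min_baseline_days=3, z=3.0, floor=5):
    """Walk forward day by day, comparing each day with the user's prior days.

    A day is flagged when its count exceeds max(mean + z * stdev, floor); the
    floor stops a user who goes from 0 to 2 reads from being flagged as an
    outlier purely because the baseline variance is tiny.
    """
    findings = []
    for user, per_day in counts.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            baseline = [per_day[d] for d in days[:i]]
            if len(baseline) < min_baseline_days:
                continue  # not enough history to judge this user yet
            mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
            threshold = max(mean + z * sd, floor)
            count = per_day[day]
            if count > threshold:
                findings.append({
                    "user": user, "day": day, "count": count,
                    "threshold": round(threshold, 2),
                    # Assumed policy: far beyond baseline -> block pending DPO review
                    "action": "block" if count > 5 * threshold else "alert",
                })
    return findings


def build_sample_log():
    """Constructed access log: alice has a steady baseline, then a bulk read
    on day 6; bob stays steady throughout. Not real data."""
    profile = {"alice": [2, 3, 2, 3, 2, 40], "bob": [1, 0, 1, 1, 0, 1]}
    lines = []
    for i in range(6):
        day = f"2018-05-0{i + 1}"
        for user, reads in profile.items():
            for n in range(reads[i]):
                lines.append(f"{day}T09:{n:02d}:00Z user={user} action=read "
                             f"label=restricted file=/finance/cards_{n}.csv")
            lines.append(f"{day}T12:00:00Z user={user} action=read "
                         f"label=public file=/wiki/handbook.pdf")
    lines.append("garbage line that does not parse")
    return lines


def run_demo():
    """Parse the constructed log, aggregate it and return the flagged days."""
    counts = daily_counts(parse_events(build_sample_log()))
    return flag_anomalies(counts)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The walk-forward baseline is deliberate: scoring each day only against days that came before it means the bulk read on day 6 cannot inflate the baseline it is being judged against, which is what happens if mean and standard deviation are computed over the whole window at once. The public-file reads in the sample are parsed but ignored, since only access to files that Phase 2 labelled restricted feeds the count.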
