GDPR: Not a software solution but a data management plan executed
General Data Protection Regulation, or GDPR for short, is the European law for data protection. It has been in the making for a couple of years; in Europe, with all the sovereign states having a vote, decisions take time, and this one took about four years to finish. Enforcement of the law will start in May 2018, that is 12 months from now, so you need to act now. There are a couple of sides to this law, one of them being giving control of data back to users. Many companies collect or store data and for years it has been unclear who owns that data. With GDPR this should change and companies will have clearer rules on how to act. So most of the law is aimed at controllers and processors of data and less at the common business. The common business could of course also control and process personal data and should therefore look at this too.
This article is more about control of your data, which is already a big part of current data laws, and less about the “right to be forgotten” part of the law. The personal data control side of it is outside my scope for now; I’d like to focus on how you manage your data. If you get that right, the step to comply with GDPR is a small one.
Over the last weeks and months companies have targeted customers with marketing. Companies are led to believe that investing in software solutions will solve their GDPR compliance. I really hate this kind of marketing; GDPR is far too complex to be solved by a simple software implementation. In fact it has nothing to do with software at all; software can only help you with the execution of your plan. So I thought a little article about this might help some of you out there fighting off the marketing sharks. On the right side you see one of those tweets, this one is from Microsoft. Of course the Microsoft cloud could help with the execution, but only there.
GDPR is about data protection and data security and is meant to protect our data. It is meant to make sure you control who has access to the data, at which time, and so on. Today, more than ever before, our physical world is integrated with the online world. Because of that overlap a data breach or a data leak could have a serious impact on someone’s life. So GDPR is designed to take care of this and make sure data is secure. I’m no expert in GDPR and will not pretend to be one; I will give an overview and try to map those aspects to real life. If you need GDPR advice to be compliant, talk to the experts; many companies offer services. Later on I will give my thoughts on the route to take.
The most basic thing to look at is your data. Data comes in different flavours, some sensitive, some public, and many more depending on your business. Important in data management, or data classification as I tend to call it, is that you map your data. You need to map your data and classify it according to sensitivity, importance and so on. You need to look at your data and ask yourself which data should not be shareable, which data is sensitive and who should have access to that data.
For each set of unique data you need to map employees and define what they are allowed to do with it. It’s a tough job, as most data access in companies has grown organically, with employees acquiring access because others in the department also have it. You need to look at data access not from “how can we make life easy for users?” but from “what is the minimum required access to this data for employees?” If you don’t need access to data (all the time) it is better not to have it; less is better in data access scenarios. With fewer people having access by default, leaks or hacking attacks are less effective. In the intelligence business there is a saying, “need to know”, meaning that you only have the information you need to know at that moment. The same goes for data access: you don’t need access to everything, you need access to the data you work with.
- What kind of data do we have? (by sensitivity)
  - Public data
  - Company sensitive
- Who needs to have access?
- Who needs to share this data?
- What do we do when data is leaked?
- How can we revert access?
- How do we handle employees leaving the company (system access)?
GDPR and data
GDPR sounds difficult and it is; I read the proposed law and it is freaking difficult to read. Luckily there are people who understand this and I visited some sessions to learn from them. GDPR is about control of data and how you act when there is a leak. When it concerns hacking or data leakage, it can take up to 200 days before a company discovers the leak. By limiting the number of people that have access to data without really needing it (you can easily automate access control, granting access only when they really need it) you limit the attack surface and therefore the chance of leakage. Will it prevent data leakage? It will not; it is one piece of the puzzle.
GDPR requires that you have guidelines for what you do when you discover a leak. Next to control of who can access, edit and share data, you need to know how to act when something goes wrong, and it will. Do you have the automation in place to kill access to systems instantly? Do you have an on-boarding/off-boarding system to control who has access to systems and, with that, to data? Simple things like making sure data access is revoked for people leaving the company are key in these guidelines.
When you know what data you have, when you have classified it in groups with the employees mapped to those groups, when you know which data can be shared by whom at which time, when you have a guideline to control access to the data and what to do when data has been leaked, and when you can revoke access to systems when people leave the company, only then should you look at your vendors and see if they have a solution to execute this plan.
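As an added illustration of that mapping (example code written for this page, not from the original post or any vendor), the model below classifies constructed sample datasets by sensitivity, defines the minimum required actions per role, keeps organically grown direct grants separate so an audit can list what to revoke, and clears everything on off-boarding. Dataset names, roles and actions are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum

class Sensitivity(Enum):
    PUBLIC = 1
    COMPANY_SENSITIVE = 2
    PERSONAL = 3  # personal data in the GDPR sense

# Constructed sample: dataset name -> classification (hypothetical names).
DATASETS = {
    "product-catalog": Sensitivity.PUBLIC,
    "sales-pipeline": Sensitivity.COMPANY_SENSITIVE,
    "customer-records": Sensitivity.PERSONAL,
}

# Minimum required access per role ("need to know"): role -> dataset -> actions.
ROLE_POLICY = {
    "marketing": {"product-catalog": {"read", "share"}, "sales-pipeline": {"read"}},
    "support": {"product-catalog": {"read"}, "customer-records": {"read", "edit"}},
}

@dataclass
class Employee:
    name: str
    role: str
    active: bool = True
    # Grants that accumulated organically (e.g. copied from a colleague).
    direct_grants: dict = field(default_factory=dict)

def effective_actions(emp: Employee, dataset: str) -> set:
    """Role policy plus organic grants; an off-boarded employee gets nothing."""
    if not emp.active:
        return set()
    by_role = ROLE_POLICY.get(emp.role, {}).get(dataset, set())
    return by_role | emp.direct_grants.get(dataset, set())

def audit_excess_grants(emp: Employee) -> list:
    """Direct grants the role does not justify: the ones to revoke first."""
    excess = []
    for dataset, actions in emp.direct_grants.items():
        allowed = ROLE_POLICY.get(emp.role, {}).get(dataset, set())
        excess += [(dataset, a, DATASETS[dataset].name) for a in sorted(actions - allowed)]
    return excess

def offboard(emp: Employee) -> Employee:
    """Off-boarding: deactivate and clear every organic grant in one step."""
    emp.active = False
    emp.direct_grants.clear()
    return emp
```

Running `audit_excess_grants` over every employee gives the revocation list for the "how can we revert access?" question; the role policy is the functional plan, and any vendor tool only executes it.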
If you implement software before that time you are working like old-school IT, where solutions were bought and businesses were forced to change their way of working. GDPR and your data are too important to make that mistake again; work from functional to technical.
This article is no guideline to GDPR compliance; I’m not an expert on GDPR. There are more aspects to GDPR, but data access is a big one, and I know from 25+ years in IT that you can’t fix anything with a technical solution when you don’t have a solid functional plan. For other GDPR aspects and “checkbox” compliance, find the GDPR experts and talk to them. Make sure you start: you’ve got 1 year from now, 1 year, 12 months, 365 days… time is ticking 🙂