Four Steps to comply with GDPR and other Privacy Regulations

With EU’s General Data Protection Regulation set to come into force next year, Regulation and Data Privacy are in the news again.   But GDPR is only the latest in a series of regulations that have been developed (like HIPAA, HITECH, SOX, NYDFS) to build in accountability for loss of data.  The effort to keep personal information private dates back over 30 years when the US enacted the Electronic Communications Privacy Act (ECPA) of 1984.  And the effort to make organizations accountable for personal data they store goes back 20+ years when HIPAA was enacted back in 1996.   What makes GDPR formidable however is that it is a law that covers consumers in several countries (basically all EU nations) and the fact that it packs considerable punch in terms of penalties if organizations fall afoul of it.   Its ambit is also broad given that organizations based outside the EU also must comply – if they have even a single consumer who is a citizen of an EU nation.

All regulation around data privacy primarily set out to achieve the same goals.  If you are a business tasked with complying, it will be useful to keep these Four steps in mind:

Discover

This is the first step in almost any type of regulatory compliance.

  1. Find out what you have and where it lives.
  2. Then identify who has access to what.
  3. You should be able to report this reliably and predictably on an ongoing basis.

Protect

The next step is to ensure you have sufficiently protected what you have.

  • Do you know if what you have is safe? Do you have a defense against accidental losses, theft, disgruntled employees, ransomware?
  • Develop a reliable Backup and Restore strategy
  • Consider having Legal/Litigation Hold features
  • Consider strategies like encryption
  • Be able to generate reports as evidence of the above

Manage

Control access and ensure that it doesn’t fall into the wrong hands.

  • Apply permissions to data using the principle of least privilege
  • Identify sensitive data and take steps to secure it using techniques like Encryption and Pseudonymization
  • Track any data sharing with external parties
  • Be able to pull an audit log of all such sharing activity

Report

This is a key element of all compliance.  You can do all of the above, but not having a way to demonstrate compliance is just as bad as not being compliant at all.

 

Encryption / Psuedonymization can be a key strategy to protect data especially when you’re storing it in cloud repositories.  Although most regulation are written in a technology neutral fashion and rarely prescribe data encryption explicitly, it is clearly one of the best ways to protect data and should be an essential part of any regulatory compliance toolkit.  Moreover, techniques like encryption and pseudonymization, in varying degrees, can help circumvent mandatory breach notification clauses that are part of many regulations.

The trend towards Data Privacy and protection of personal information is moving inexorably only in the direction of increased regulation.  If you fall in the radar of one of the existing regulations in the US or in the EU – work immediately towards being compliant (unless you are already).

Even if you don’t fall under the ambit of these regulations, study local laws in countries where you do business, and find out if you should be complying.  Several nations have privacy protection laws already and many are following the lead of GDPR and are amending their laws to match the same rigor GDPR brings.  Australia has the Privacy Act which came into effect in 2014.   Japan has the Act on the Protection of Personal Information (APPI), South Korea has the Personal Information Protection Act (PIPA), Philippines, the Data Privacy Act (DPA), while Singapore and Taiwan both protect personal information using their respective Personal Data Protection Act (PDPA).

If you haven’t gotten started – don’t panic.  A simple way to get started is to simply backup all your data.  A good backup solution solves several problems right away:

  1. It Protects all your data by making a safe copy of it for you.
  2. As a side effect, it creates a catalog which lets you Discover what you have.
  3. And if you pick a backup solution which encrypts data, you can also create a barrier around data access and ensure that all access is Managed (i.e. audited and logged).
  4. Most backup solutions come with an arsenal of Reports – which should easily help you provide evidence of compliance.

If you take this approach, ensure the following when picking a Backup solution

  1. It should have the ability to backup data to a cloud target – preferably to targets like OneDrive or Google Drive. This will help you avoid a massive capital investment in on-premise storage.
  2. Have built-in Encryption with the clear ability to enforce separation of duties – i.e. you should be have complete control over the encryption and the encryption keys
  3. Have the ability to create an easily searchable catalog for Discovery
  4. Have built-in audit logging and Reporting

Keep in mind that backups can be one of several tools that help you in your journey to full regulatory compliance, but they can be a simple way to get started and take control of the problem.

So, act now!  The sooner you gain control over your data assets the easier it will be to comply when regulation comes knocking.