The new General Data Protection Regulation (GDPR) set by the EU is not a simple piece of law, yet the consequences of infringing it are very clear: very high fines.
GDPR affects every company, inside or outside the EU, that wants to offer its services to clients located in Europe. Both data controllers (legal persons such as a company) and data processors (e.g. a SaaS provider) are impacted.
GDPR is not so much about protecting data as it is about protecting the rights of the data subjects, that is, the people whose data your organization is capturing.
One of the biggest problems GDPR poses for companies affected by the regulation is the fact that the time to report certain data breaches is reduced to 72 hours. At the moment, most companies would need weeks to answer questions around a breach. Under GDPR, this is not acceptable.
To answer the above questions on the spot and to meet the GDPR requirements, you must start identifying and classifying your data. In other words, you need to put your data into context.
There are a couple of approaches to achieving a catalog of classified data sets and related business processes, but at the very least you will want to end up with:
- A register of data sets tagged with all the indicators you need to put your data in context. This means the flexibility to add and assign attributes (is the data pseudonymised? anonymised?) for different types of sets, or for similar sets owned by different LOBs.
- The complete context of each data set, including, at a minimum:
  - Who is accountable and responsible for this data?
  - Where does it come from?
  - What is its purpose?
  - What data sets and processes does it feed into, and what feeds into this set?
  - Who has access to this data set, and what is the SLA for using this data?
  - What data subjects are involved?
  - Are there any breaches, no matter how small, linked to this data?
  - And more
Imagine going to your board (or at least your CIO) with instant and clear answers about possible exposure to breaches outside your control. All you need to get ahead of GDPR is to put your data sets into context, so you can apply the right measures and controls and drive a data protection-centric approach from within the organization.
What measures is your organization putting in place to address the 72-hour turnaround required by GDPR?