The General Data Protection Regulation (GDPR), at its heart, is an accountability framework. It promises better enterprise accountability to customers, employees, and other constituents through better accounting of their data.
The need to better account for personal data is in some ways obvious and yet also very new. For starters, it’s hard to protect the unknown. Hidden data, after all, is not invisible, it’s just vulnerable. Secondly, GDPR’s authors grant individuals fundamental rights to their data. In their articulation of the regulation, data is not property of the company that collects and processes it. It remains property of its subject. Enterprises are merely custodians of the information, and so, are responsible to the data subjects for their respective data.
Security through obscurity
For many years, organizations feared shining too bright a light on data they collected and processed. Besides accurate discovery being difficult, it could also reveal unflattering details about an organization’s track record of compliance with existing data retention and governance policies, as well as potentially unwanted liability. However, the growing drumbeat of calamitous breaches, combined with new regulations like GDPR, are changing the tide for many companies. Now, companies need to know their data to better protect it and comply with new privacy regulations. The question remains – how?
Tools for finding sensitive data are not new. Several products emerged over a decade ago in response to the new regulations like PCI & HIPAA aimed at identifying certain classes of payment and health data. But the nature of data collection and processing has changed in the ensuring years, making those products of limited utility in the new privacy regime.
Where data can be stored and processed has significantly changed. A decade ago there was no big data or cloud. Moreover, as online business have evolved, the definition of what is considered personal has also shifted. When people first went online, the worry was around payment card data. Today, it is around all personal information whether about, by or associated to an individual. But perhaps most importantly the specter of identity breach and compromise has risen from nuisance to a broader anxiety owing to record identity breaches and a shift in our shopping and socializing from offline to online.
Know your data
With the rise of data insecurity coupled with rising regulator demands for data protection companies are facing greater urgency to find and know their sensitive data. However existing tools were not designed to find personal data in its broader definition and they were not engineered to provide the kind of data context (whose data, residency of user, access insights) necessary to meet new privacy regulations like GDPR.
To properly secure identity data and meet identity (i.e. person) -centric data privacy regulations identity-awareness has to be central. Protecting personal data means being aware of the person — what data belongs to them, who is accessing the data, what consent exists for that individual etc. This is nowhere more evident than in data subject regulations that entitle individuals to access, port or delete their own data of which GDPR is but one example. Data Subject Access rights are possible unless an organization first knows where every individual’s data resides in the enterprise.
While this may at first sound hard to accomplish, advances in machine learning, APIs, light-weight compute technologies may this achievable today. No better evidence exists perhaps of this than how social networks have been able to advance the social graph and Big Data analytics have remade how organizations extract business intelligence from a person’s data. Now what’s needed is just the accounting and accountability for that data.
For organizations facing new security and data governance challenges finding and inventorying data by person is essential. PCI era data discovery tools don’t help. Luckily a new generation of tools have emerged for mapping data across an enterprise by person, residency, consent etc. These new tools give organizations an ability to approach security and privacy in a new way oriented around identity. They can more accurately find sensitive data and assess that data’s risk but perhaps most importantly they can map an organization’s data.
Navigation is impossible without a map. Not knowing one’s data prevents a company from transcribing its data. This makes security hard, governance harder and privacy protection impossible. Just cataloging credit card data does not make a map. Data mapping requires a complete inventory of personal data by data subject so an organization can ensure the right kind of controls and the right kind of compliance.
The modern era was ushered in through mapping and navigation that opened the world. Mapping an organization can not only open up latent data value residing inside an enterprise cloud or data center but it can also ensure the security and integrity of the data. As data becomes the new oil powering the modern enterprise, safeguarding and managing that data will the keys to success. Mapping personal data represents the new frontier in data security and privacy for regulations like GDPR.
This article is published as part of the IDG Contributor Network. Want to Join?