Protect Sensitive Data on EU Citizens
The EU General Data Protection Regulation (GDPR) came into force on 25th May 2018, yet many organizations are still not fully prepared and compliant. The regulation replaces the 1995 EU Data Protection Directive and is intended to close the trust gap by modernizing the legislation that safeguards personal data within the EU. It makes protection levels more stringent and consistent across member states, superseding fragmented national laws and standardizing the way the rules are implemented, audited and enforced. The GDPR is not restricted to EU nations: it has an impact around the world, requiring compliance from any organization in any sector that collects, processes, controls, hosts or shares EU citizens’ personal data.
With the regulation in force since 25th May 2018, organizations need to get things in order now – determining the risks to be managed, understanding what data needs to be protected, starting to secure it, and putting resources and policies in place. The best place to start is data classification – the first step towards a truly data-centric approach to protecting personal information.
Violating the regulation carries a maximum fine of €20 million or 4% of annual global turnover (whichever is the higher amount), which elevates data protection to a regular boardroom issue. The cost of non-compliance will also be measured in reputation loss and damage to the brand, while the regular and periodic data protection audits recommended in the regulation make it more likely that instances of non-compliance will be picked up.
Secure Your Sensitive Data
The first step in using a data classification approach to ensure compliance is to understand all of the personal or sensitive data you hold and the potential risks to its security. You will need to ask:
- What data do you already hold on EU residents?
- What data is being collected, and where from?
- Where is it being stored and processed?
- Why do you have it?
- How sensitive is it?
- How is it accessed, used or shared, including externally?
The data should then be classified or tagged according to its sensitivity. Once you have singled out the most confidential information, you can determine which higher-grade controls should be applied to ensure it is adequately protected.
Don’t Delay Your Preparations
The sheer volume of unstructured data within organizations, combined with the ever-increasing technical ability of attackers to breach perimeters, makes it impossible to rely on people and processes alone to ensure that sensitive personal data is handled appropriately. Data classification embeds a culture of compliance by involving users in identifying, managing and controlling regulated data, while automating parts of the protection process so that rules and policies are enforced consistently. As you prepare to meet the regulation's requirements, classifying data as a first step will allow the protection strategy and solutions you implement to be built around the types of data you hold and the levels of security they require.