By Ashley Bill, Security, Risk & Governance Lead Solution Consultant, Micro Focus
We recently hit the second anniversary of the General Data Protection Regulation's (GDPR) implementation. Over the past two years, we have already seen a significant evolution in how it is enforced and in how businesses are responding to it.
Legislation in principle is, of course, different to legislation in action. With enforcement actions such as last year's record notice of intent from the Information Commissioner's Office to fine British Airways £183 million, the day-one frenzy of marketing permission emails has given way to a much more sober accounting of what the regulation means in practice.
In the beginning, businesses raced to simply comply with the fundamental elements of the GDPR. Yet recently a new race has emerged: the race to achieve GDPR excellence. Here's a closer look at what is happening today and how to avoid some pitfalls along the way.
Every organisation is a competitor in the race to achieving GDPR excellence – whether they are small or large, or operating within the public or private sector. And the reality is they are in drastically different places in terms of progress.
Governmental departments, for instance, have been somewhat slow in responding to the GDPR. Perhaps the prospect of a government fining itself does not create much sense of urgency. Where government tenders have appeared, they are commonly disparate and call for point solutions rather than a joined-up programme.
In contrast, many large private sector companies, financial institutions in particular, have been quicker off the mark in addressing the full scope of what the GDPR demands. In many cases these businesses initially took a thoughtful pause to gauge the shape of their future before going on to make the necessary changes. That said, there is still uncertainty over whether budgets are being lined up to match the size of the task ahead.
The majority of these large enterprises, for example, currently rely on manual processes supported by pyramids of data owners and stewards to manage sensitive employee and customer information. While this approach can work for small and medium-sized enterprises, in bigger businesses it makes complying with the GDPR across departmental boundaries very difficult. The problem is compounded by the rise of devolved shadow IT, a trend we can only expect to continue given the surge in remote working brought on by the COVID-19 pandemic.
The current risk-based approach
Exploring the types of GDPR-centric tenders now being issued is a good starting point for understanding current approaches to managing data. While these tenders ask for a range of capabilities and pursue different methodologies, all appear to be framed around a risk-based approach.
Almost every such tender, for instance, now includes a requirement to discover and prioritise sensitive and/or important data. One less expected approach places a strong emphasis on boundary protection, on the argument that the perimeter is where a breach will occur. Others narrow the scope instead: some exclude the smallest databases and file systems entirely, and some focus on databases only rather than files, on the basis that the documents can be accounted for via a database trawl. Each of these is a conscious acceptance of residual risk, and should be documented as such.
Analysing this risk-based approach against the GDPR fines we've seen over the past two years is interesting. What stands out is that much of the time the fine is levied not for the breach itself but for the compliance failings the breach brings to light. Boundary protection is therefore regarded as an attractive option by many: if the breach never happens, the failings are never examined. It does not, of course, make those failings go away.
The shift to data lifecycle management
Looking ahead, we'll begin to see many organisations move from risk-reduction to more sophisticated data lifecycle thinking within the enterprise.
When it comes to Data Subject Access Requests (DSARs), the majority of businesses are currently tracking down and deleting individual items of data one request at a time. Others, however, see the bigger picture and are addressing the need for an enterprise-wide data lifecycle management solution that automates these processes. While this involves higher upfront costs, it is a logical evolution which we can expect the majority of businesses to consider in due course.
All practicalities aside, the businesses winning the race are those which view data management as a complete cultural change. That ultimately depends on staff seeing the value of tighter data governance. Employees play an essential role: if they do not participate, businesses will be in a difficult position.
The future of data management
Over the course of the race, we can expect organisations to hit a number of obstacles surrounding data management.
A key activity mandated by the GDPR, and a large cause for concern for businesses, is data deletion. Firstly, it's important to understand that deleting data from production databases comes at a big cost. Organisations have to weigh the advantages of absolute removal and storage savings against the fact that it is a resource-intensive and complex activity, especially in legacy systems.
As an alternative to deletion, many businesses are masking obsolete data with a fixed value such as 'XXXX'. The disadvantage is that some production systems cannot operate with the same mask applied to every record: where they expect unique references or a precise data format, a column full of identical 'XXXX' strings fails validation or breaks uniqueness constraints. Format Preserving Encryption, which produces ciphertext of the same length and character set as the original, therefore appears to have become the most popular choice for covering both of these bases. The caveat is that FPE is reversible by anyone holding the key, so it amounts to pseudonymisation rather than erasure unless the key is destroyed.
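As an added illustration (not code from this article or from Micro Focus), the Python below shows why a fixed 'XXXX' mask breaks a consuming system that expects a 16-digit unique reference, and how a format-preserving transform keeps both properties. The FPE here is a simplified unbalanced Feistel network over decimal digits with an HMAC-SHA256 round function, written for illustration only; it is not NIST FF1 and not a vetted cipher, and a production system should use a reviewed FF1 implementation with keys held in a KMS or HSM. The records, key and format rule are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample data: made-up 16-digit references, not real card numbers.
RECORDS = [
    {"customer_id": 1, "card_ref": "4111111111111111"},
    {"customer_id": 2, "card_ref": "5500000000000004"},
    {"customer_id": 3, "card_ref": "4012888888881881"},
]

# Constructed key for illustration only; a real deployment draws this from a KMS/HSM.
KEY = b"illustration-only-key-not-for-production"

# What the downstream production system expects: exactly 16 ASCII digits, unique per record.
CARD_REF_FORMAT = re.compile(r"^[0-9]{16}$")
DECIMAL_STRING = re.compile(r"^[0-9]{2,}$")


def system_accepts(values):
    """True if every value matches the expected format and no two records collide."""
    return all(CARD_REF_FORMAT.match(v) for v in values) and len(set(values)) == len(values)


def mask_xxxx(value):
    """The 'XXXX' approach: overwrite every character with a fixed mask."""
    return "X" * len(value)


def _round_function(key, round_no, block, modulus):
    """Keyed HMAC-SHA256 round function, reduced into the numeric domain of one half-block."""
    digest = hmac.new(key, bytes([round_no]) + block.encode("ascii"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _check(digits, rounds):
    if not DECIMAL_STRING.match(digits):
        raise ValueError("expected an ASCII decimal string of at least 2 digits")
    if rounds % 2:
        raise ValueError("rounds must be even so the halves line up on output")


def fpe_encrypt(key, digits, rounds=10):
    """Format-preserving encryption of a decimal string via an unbalanced Feistel network.

    The output has the same length and character class as the input, and the mapping is a
    permutation of that domain, so distinct inputs always give distinct outputs.
    """
    _check(digits, rounds)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v  # length of the half being replaced at this round
        c = (int(a) + _round_function(key, i, b, 10 ** m)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key, digits, rounds=10):
    """Inverse of fpe_encrypt: undo the Feistel rounds in reverse order."""
    _check(digits, rounds)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        c, b = b, a
        a = str((int(c) - _round_function(key, i, b, 10 ** m)) % 10 ** m).zfill(m)
    return a + b


def compare_approaches(records=RECORDS, key=KEY):
    """Run both treatments over the constructed records and report what the system would accept."""
    originals = [r["card_ref"] for r in records]
    masked = [mask_xxxx(v) for v in originals]
    encrypted = [fpe_encrypt(key, v) for v in originals]
    return {
        "masked_accepted": system_accepts(masked),      # fails: wrong format and all identical
        "fpe_accepted": system_accepts(encrypted),      # passes: 16 digits, still unique
        "fpe_roundtrip": [fpe_decrypt(key, v) for v in encrypted] == originals,
        "masked": masked,
        "encrypted": encrypted,
    }


if __name__ == "__main__":
    for name, value in compare_approaches().items():
        print(f"{name}: {value}")
```

Because a Feistel network is a bijection on fixed-length digit strings, uniqueness constraints survive encryption for free; a plain mask cannot offer that. Note that this construction does not preserve a Luhn check digit, so where a consuming system validates one, the usual pattern is to encrypt only the middle digits and recompute the check digit afterwards. The reversibility noted above also applies here: whoever holds KEY can recover the originals.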
File deletion is, in fact, easier than deleting rows in databases. This is why many businesses are incorporating Redundant, Obsolete and Trivial (ROT) data management techniques into their programmes. These approaches support IT transformation, shorten GDPR discovery times and 'clean out the cupboards' before cloud adoption or the next stage of digital transformation.
Alongside data lifecycle management, we can also expect many businesses to turn to 'website-to-grave' encryption. If we consider payment card data, many companies are adopting a policy of encrypting card details from the moment they are entered in the web browser, which supports PCI DSS compliance. Recently, for example, I came across a company looking to do the same thing for all sensitive data. This may seem like a significant undertaking. However, as it addresses a significant number of GDPR challenges, we can perhaps expect to see it become a key element of the race.
In many ways, the race to achieve GDPR excellence began late. However, in the next two years we'll see its competitors continue in earnest to put effective data management practices in place.
Ultimately, as the response to the GDPR has evolved, we are no longer just speaking about avoiding potentially damaging data breaches. Instead, businesses are considering how they can create a competitive advantage as a result of compliant and streamlined data handling.