By Ben Bulpett, EMEA Director, SailPoint
In the business world, data has often been seen as the key to success. Used correctly, it enables us to gain a crucial edge over the competition. The more data, the better. Or so it seemed. This mindset has led to a gluttonous diet for our servers – with information related to customers, partners and clients having been accumulated over years and years.
On its own, however, data is pretty useless. Only with sophisticated data analysis tools can this be transformed into useful information and something that can be of real benefit to a business.
With regulations such as GDPR in place, organisations cannot afford to be complacent with their data. Only data that is necessary should be collected and kept (Article 25), and companies must be able to demonstrate a clear deletion policy when they receive a Data Subject Access Request (“GDPR request”).
But with so much old data stored, it’s no surprise that many companies still fall short in their ability to meet GDPR requests. In short, more must be done to combat a gluttonous data diet which is risking the overall health of companies.
Old data is no exception
There is a common misconception amongst senior executives that old data, its ownership and what it contains is nearly impossible to identify. This false sense of security exposes companies to serious risks. Hackers are always looking for ways to penetrate company data, old and new. The more information companies hold, spread across a multitude of places, the more vectors hackers have to exploit.
Hackers aren’t picky about which data they steal. Large volumes of ‘stale’ data can increase an organisation’s attack surface. And this has even more potential to slip through the cracks and be accessed by hackers, since businesses are less likely to have good visibility or access monitoring capabilities set up for old data. As a result, it can take much longer before IT teams identify vulnerabilities or non-compliant data management.
Breaches place huge strain on compliance. With GDPR in place, the EU can levy huge penalties on companies that flout the regulations. A fine of more than €14m was recently issued to a German company for failing to abide by the principle of Privacy by Design. The fine was the largest in German history, where data policies are particularly strict. The company used an archive system that was not able to remove redundant or out-of-date data that was no longer required.
Many IT teams are over-stretched and lack the capacity to apply proper policy enforcement for security and data governance. Many therefore rely on end-users to manage their files correctly. But the reality is that most users do not spend any time sorting or managing their data, and often keep documents or data “just in case” they will be useful at a later date. The problem is compounded when an employee changes role and nobody manages their data any more.
Therefore, when a GDPR request is submitted, the company responds with old data and hopes that its unstructured files are never exposed. This is hardly a comprehensive approach to looking after partner and customer data.
An identity-centric approach to compliance
Improving the quality of a company’s data diet can bring many benefits to its overall health – for example, ensuring good business practice and improving compliance. However, this is easier said than done. How do you know who owns the data? When was data last accessed? What data do the files contain? Are there any “gems” of information that can benefit the company?
A significant proportion of data access and ownership in businesses today revolves around personal credentials and digital profiles. One approach to consider is an identity-centric security model. This can be crucial in defining the ways in which an organisation collects data. Not only this, but it can also define the types of data it collects and the retention time of any data. The organisation also needs controls to enable the IT team to monitor that the policy has been properly implemented.
Having tools that support this approach is critical. An organisation must have the ability to automatically and precisely discover various types of data. This is especially the case if it is personally identifiable or sensitive data, or a duplicate. Organisations must be able to manage or delete it according to the policy requirements.
Two years into GDPR, having an identity-based programme to manage data stored in applications and files or folders is crucial. Only with a comprehensive identity approach will an organisation be able to establish what data is stored in the files and folders, who is accessing those files, what people are doing with those files, who the proper owner is and when they were last accessed. This increased visibility and traceability means that requests can be checked against all data across an organisation, whether structured or unstructured. With this traceability in place, a request can be completed in less than 20 minutes, achieving full compliance against GDPR.
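As an added illustration (not SailPoint’s product or code from this article), the following Python script performs the kind of discovery the passage describes: for each file it records the owning uid, how long since the file was last used, whether its content duplicates another file, and a crude indicator of personal data (e-mail addresses), then lists what a retention policy would put up for review. The directory tree, file contents and the two-year retention period are all constructed assumptions for the example.

```python
import hashlib, os, re, tempfile, time
from pathlib import Path

RETENTION_DAYS = 730  # assumed policy: review anything unused for two years
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")  # crude PII indicator

def inventory(root, now=None, retention_days=RETENTION_DAYS):
    """One record per file: owner, idle days, stale flag, duplicate pointer, PII hint."""
    now = time.time() if now is None else now
    first_seen = {}  # sha256 -> first path holding that content
    records = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()  # stat before reading: the read itself can bump atime
        data = p.read_bytes()
        last_used = max(st.st_atime, st.st_mtime)  # atime alone is unreliable (noatime/relatime)
        digest = hashlib.sha256(data).hexdigest()
        rel = str(p.relative_to(root))
        records.append({
            "path": rel,
            "owner_uid": st.st_uid,
            "idle_days": int((now - last_used) // 86400),
            "stale": (now - last_used) > retention_days * 86400,
            "duplicate_of": first_seen.get(digest),
            "contains_email": EMAIL_RE.search(data) is not None,
        })
        first_seen.setdefault(digest, rel)
    return records

def review_queue(records):
    """Paths the data owner must act on under the policy: stale or duplicated content."""
    return [r["path"] for r in records if r["stale"] or r["duplicate_of"]]

def build_sample_tree():
    """Constructed sample files (not real data) with back-dated timestamps."""
    root = tempfile.mkdtemp()
    now = time.time()
    files = {  # relative path: (content, age in days)
        "crm/customers_2015.csv": (b"name,email\nalice,alice@example.com\n", 900),
        "hr/old_export.csv": (b"name,email\nalice,alice@example.com\n", 30),
        "sales/q1_pipeline.csv": (b"deal,stage\nacme,proposal\n", 5),
    }
    for rel, (content, age_days) in files.items():
        f = Path(root, rel)
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(content)
        os.utime(f, (now - age_days * 86400,) * 2)  # back-date atime and mtime
    return root, now
```

Running `review_queue(inventory(*build_sample_tree()))` flags the 900-day-old customer export as stale and the HR copy as a duplicate, while the current sales file passes; in a real deployment the owner uid would be resolved to an identity so the review lands with the right person.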
Keeping the data calories off
Excess data cannot be brushed under the carpet. Whether it’s old, unnecessary, or duplicated, organisations need to face the fact they may already be in breach of the regulations. And a large potential fine could be lurking around the corner if no action is taken.
To keep the data calories off in the future, a data diet is necessary. An effective identity approach to managing this data is crucial in keeping organisations on track – whatever their size may be. All organisations, from SMBs to multi-nationals, need to ensure they are managing all of their data in the most thorough way possible, and that nothing slips through the cracks.