As we fast approach the second anniversary of the implementation of GDPR, the impact it has had on businesses, and in driving change, has been substantial. Initially, many were sceptical of the EU’s adoption of data protection reform. But, driven by the need to replace previous data protection rules across Europe that were almost two decades old – some of them first drafted in the 1990s – the new regime has sparked a data management revolution that was long overdue. In the last twenty years, we have led data-heavy lifestyles, with people routinely sharing their personal information freely online. GDPR has helped to harmonise data privacy laws across the EU, as well as providing greater protection and rights to individuals. The impact of these laws has dramatically altered how businesses and other organisations can handle the information of all those that interact with them.
Last year, the ICO’s combined fines for British Airways and Marriott International were an eye-watering £275,787,290 (€314,990,200), grabbing many headlines and highlighting to organisations that changing their business processes would be of the utmost importance. In 2020, the impact of GDPR is not only being seen in Europe, where countries such as Germany, Bulgaria, and Spain have imposed more fines than the UK. The global impact has seen the US follow suit with the California Consumer Privacy Act (CCPA) kicking into action in January, as well as countries such as Bahrain introducing its Personal Data Protection Law last year and Singapore publishing a factsheet to help businesses better understand the GDPR when applied to the Singaporean context.
Importance of Data and its Role within your Organisation
With the increasing amount of data from new and emerging technologies, ensuring that it is being controlled and shared effectively becomes even more paramount. Data loss is a serious problem for businesses of all sizes: losing files means losing time and money to restore or recover information that is essential to your business, plus being exposed to the risk of legal repercussions if the data loss infringes customers’ privacy rights. Data loss occurs when data is accidentally deleted or shared, or when something causes it to become corrupted. From an enterprise point of view, we are still seeing human error as a leading cause of data loss for businesses, with 50% being attributed to inadequate or poorly observed business processes.
Before any best practice solution or loss prevention strategy can be rolled out, it is important for an organisation to understand exactly what data they hold and the potential risks to its security. This means establishing the types of data that are being held, collected, stored, and where it is located. Alongside this, it is important to understand why the business has it, how sensitive it is, and who is accessing, using, or sharing it.
Privacy by Design
One of the best methodologies that an organisation can use to fulfil its compliance obligations is the Privacy by Design approach. The framework achieved international acceptance when the International Assembly of Privacy Commissioners and Data Protection Authorities unanimously passed a resolution in 2010. This approach takes privacy into account throughout the whole process, ensuring that it is incorporated into an organisation’s systems, policies, processes, and technologies. Privacy by Design needs to start with data classification. The sheer volume of unstructured data within organisations, combined with the ever-increasing technical abilities of hackers and the fallibility of employees, makes it impossible to rely on people and processes alone to ensure that sensitive data is handled appropriately. Data classification embeds a culture of compliance by involving users in identifying, managing, and controlling the regulated data they work with, while automating parts of the protection process to enforce rules and policies consistently.
The key with this approach is that data is classified at the source so the organisation’s rules can be applied at the outset. As mentioned before, it is important to understand what data you have, who is using it, how it is being stored, used and shared, and whether it is company-sensitive; this is key to any data protection strategy. Once you have defined what data you have, you will be able to classify and protect it.
Data classification is the categorisation of data according to its level of sensitivity or value, using labels. These are attached as visual markings and as metadata within the file. When classification is applied to the metadata, it ensures that the data can only be accessed or used in accordance with the rules that correspond to its label. Clearly you need to define your classification policy first and decide who should have access to each type of data. Once this has been done, it is simply a case of selecting an appropriate classification tool.
Best Practice in the Future
As cumulative fines across the EU reach £410,772,087 (€467,476,268), organisations need to ensure that, by using approaches such as Privacy by Design, they mitigate the threat that unsecured data poses to the business. As we live in an evolving world, businesses cannot take a ‘tick box’, point-in-time approach. Legislation, threats, and the business itself will constantly evolve, while demands from regulators and the board for better governance will continue to intensify. Ongoing measurement of the effectiveness of security policy is the only way to check that the controls the business has put in place remain fit for purpose. The monitoring of classification activities is a powerful way of doing this and improves the chances that a breach will be quickly detected – helping the business to comply with the notification periods required by regulators, as well as to minimise damage. If there is a breach, the detailed audit information that robust classification provides will allow a business to demonstrate that the appropriate steps to protect data were taken. This is a critical aspect of complying with increasingly weighty privacy regulation and ensuring that data continues to be an asset that powers the business, rather than a threat to its bottom line.
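To make the label-and-metadata mechanism and the audit trail described above concrete, here is an added toy policy engine (example code written for this article, not any vendor's product): it attaches a classification label to a document as both metadata and a visual marking, allows or denies a share according to a constructed per-label policy, records every decision in an audit log, and flags users whose repeated denials merit review. The label names, policy table and audit fields are assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Sensitivity labels, least to most sensitive (assumed scheme for the example).
LABELS = ["Public", "Internal", "Confidential", "Restricted"]
# Constructed policy per label: may it go to external recipients, to cloud
# storage, and must it be encrypted when it is shared at all.
POLICY = {
    "Public":       {"external": True,  "cloud": True,  "encrypt": False},
    "Internal":     {"external": False, "cloud": True,  "encrypt": False},
    "Confidential": {"external": False, "cloud": False, "encrypt": True},
    "Restricted":   {"external": False, "cloud": False, "encrypt": True},
}

@dataclass
class Document:
    name: str
    body: str
    metadata: dict = field(default_factory=dict)

def classify(doc: Document, label: str) -> Document:
    """Attach the label both as metadata and as a visual marking in the body."""
    if label not in LABELS:
        raise ValueError(f"unknown label {label!r}")
    doc.metadata["classification"] = label
    doc.body = f"[{label.upper()}]\n{doc.body}"
    return doc

def check_share(doc, action, internal_dest, encrypted, user, audit):
    """Allow or deny a share based on the label; every decision is audited."""
    label = doc.metadata.get("classification")
    rule = POLICY.get(label)
    if rule is None:
        decision, reason = "deny", "unclassified"      # default deny
    elif action == "email" and not internal_dest and not rule["external"]:
        decision, reason = "deny", "external recipient"
    elif action == "cloud" and not rule["cloud"]:
        decision, reason = "deny", "cloud upload"
    elif rule["encrypt"] and not encrypted:
        decision, reason = "deny", "encryption required"
    else:
        decision, reason = "allow", "policy"
    audit.append({"user": user, "doc": doc.name, "label": label,
                  "action": action, "decision": decision, "reason": reason})
    return decision, reason

def flag_users(audit, threshold=3):
    """Users with repeated denials: a monitoring signal worth reviewing."""
    denied = Counter(e["user"] for e in audit if e["decision"] == "deny")
    return sorted(u for u, n in denied.items() if n >= threshold)
```

Unclassified documents are denied by default, which is the behaviour a classify-at-source policy needs so that unlabelled data cannot slip past the rules.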