Data Mapping: A Tricky First Step to GDPR Compliance

Last Thursday, the one year countdown to GDPR compliance officially began. For those of you still wondering what all the fuss is about, new research commissioned by Centrify has revealed that public companies suffer on average a 5% share price drop immediately following disclosure of the breach. The EU General Data Protection Regulation (GDPR) will ensure there’s no room to hide: as of 25 May 2018, if you’ve been breached you must notify the Supervisory Authority within 72 hours of becoming aware, unless particular circumstances apply.

To help organisations figure out a plan of action, Centrify is running a monthly blog series, focusing on a different part of the regulation each time. In the last blog, we explained the scope of the new law. Now it’s time to crack on with the business of compliance.

The Problem with Shadow IT

With a piece of legislation as broad and complex as the GDPR, it can be tough knowing where to start. An essential first step, however, is data mapping. This will help you understand what data you’re processing, how and where it’s stored, who it’s shared with and how it’s protected. This is all information which you absolutely must know. After all, you can’t protect data if you don’t know where it is, what it is and how it’s currently controlled.

This is where things might get a little tricky thanks to shadow IT. Unfortunately, users will be users and many may have bypassed the IT function in a bid to work in a faster and more productive way. It’s important to bear this in mind as you begin your data mapping. Cloud-based services are a particular favourite: both consumer-grade and business platforms can be registered and set-up quite easily by employees. Either way they must be mapped, so pay close attention to data flowing out of the network to such platforms.

Reducing Risk

Once you know where the data is, Article 25 of the GDPR states that you’ll need to “implement appropriate technical and organisational measures” to ensure compliance. As we’ve discussed previously, there are no prescriptive technologies mentioned in the regulation, aside from encryption and pseudonymisation, so much of it boils down to the “state of the art” and received best practices. For some UK firms currently complying with the Data Protection Act, there may in fact be little extra required, although just how little will depend on each organisation.

Data minimisation is one such best practice. Once you have classified what you store and process, it would be a good idea to go through and delete any non-essential customer data, thereby reducing your risk. As the GDPR states:

“only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.”

Am I Doing Enough?

Still, it can be tricky knowing if your technical controls are “appropriate” enough.  To help with this, consider following an “approved certification mechanism” like ISO 27001. There are certainly areas in the GDPR which this internationally recognised standard doesn’t cover — such as the right to data portability — but when it comes to data security, it’s pretty well aligned.

Centrify has done plenty of work with ISO and our offerings can help firms meet several key requirements listed in the standard, around access controls. As Article 4.12 states:

“personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

This makes access controls a vital part of any GDPR compliance plans. We recommend risk-based, adaptive multi-factor authentication which can identify on the fly when log-ins seem risky and request more information from the user to complete authentication.

Our latest research revealed a worrying disconnect between the expectations of customers and the priorities of IT professionals. For example, 73% of consumers polled said organisations have an obligation to control access to their information, yet just 44% of IT security practitioners agreed. Be in no doubt, however, European regulators will come down hard on any firm they believe hasn’t taken adequate steps to safeguard consumers’ personal data.

As key members of the compliance team over the next 12 months, IT professionals have a vital role to play ensuring data is secured at all times according to best practices.

If you will be at InfoSecurity Europe this week, be sure to stop by our stand C65 to learn more about how we are redefining security