In the previous posts I looked at the impact of GDPR on the organisation and provided an overview of the regulation. Now let’s take a look at the impact on the IT department.
What will the IT department need to do?
Take all reasonable endeavours to prevent data breaches (hopefully you’re already doing most of these):
- Review your security technologies, including encryption (this could help avoid a breach, as lost or stolen data would be unreadable), firewalls, anti-virus/anti-malware (network and endpoint), data loss prevention, intrusion detection/prevention systems and web filtering
- Review your security policies and guidelines, and minimise access rights (least privilege)
Retain data for the minimum amount of time (i.e. once it is of no use it should be deleted from production, backup and archive tiers)
- Classify each dataset in terms of its retention/deletion policies
Fully index all unstructured[1] data (files and objects, including their content) across endpoints, data centres and cloud (IaaS/SaaS)
- This needs to include all data – production, replicas, backup and archive (including tape and cloud)
- Identify any Personally Identifiable Information (PII) or Sensitive Personal Information (SPI) and erase it as soon as possible (i.e. once it is no longer needed)
Perform searches (e.g. by name or e-mail address) across all data upon request
- Export data in a commonly used electronic format and send it to the individual so that they can transfer it to another company (this is known as Data Portability)
- Selectively erase the data and maintain an audit log of the event
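As an added illustration (not code from the original post), the following Python script sketches the index / search / export / erase workflow above for e-mail addresses over a small constructed set of files spanning production, backup and archive tiers. The file paths, contents and the request id are constructed for the example; a real deployment would use a content-indexing product, and matching by name is considerably harder than matching by address.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample corpus: path -> content. The same record appears in production,
# in a backup copy and in an archived e-mail, which is exactly why all tiers must be indexed.
SAMPLE_FILES = {
    "prod/hr/onboarding.txt": "New starter Jane Doe (jane.doe@example.com) starts on Monday.",
    "prod/sales/notes.txt": "Call with bob@example.net about renewal.",
    "backup/2016/hr/onboarding.txt": "New starter Jane Doe (jane.doe@example.com) starts on Monday.",
    "archive/mail/thread.eml": "From: jane.doe@example.com\nSubject: Expense claim\n\nPlease find attached.",
}

# Simple e-mail address pattern; good enough for the demonstration, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_index(files):
    """Content-index every file: map each e-mail address found to the set of paths containing it."""
    index = {}
    for path, content in files.items():
        for addr in set(EMAIL_RE.findall(content)):
            index.setdefault(addr.lower(), set()).add(path)
    return index


def search(index, email):
    """Subject access request: return every path (across all tiers) that holds this address."""
    return sorted(index.get(email.lower(), ()))


def export_portable(files, index, email):
    """Data portability: gather everything held about the subject into a machine-readable structure."""
    records = [{"path": p, "content": files[p]} for p in search(index, email)]
    return {"subject": email, "records": records}


def erase(files, index, email, audit_log, request_id):
    """Selectively erase: redact only this subject's address (other people's data in the same
    file is left alone) and append one audit entry per file touched.  The audit log records a
    hash of the identifier and of the file contents, never the address itself, so the log does
    not become yet another copy of the PII that was just erased."""
    target = email.lower()
    paths = search(index, email)
    for path in paths:
        before = files[path]
        after = EMAIL_RE.sub(
            lambda m: "[REDACTED]" if m.group(0).lower() == target else m.group(0), before
        )
        files[path] = after
        audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "request_id": request_id,  # constructed ticket reference, e.g. from the DPO's case system
            "action": "erase",
            "subject_sha256": hashlib.sha256(target.encode()).hexdigest(),
            "path": path,
            "before_sha256": hashlib.sha256(before.encode()).hexdigest(),
            "after_sha256": hashlib.sha256(after.encode()).hexdigest(),
        })
    index.pop(target, None)  # keep the index consistent with the data
    return paths


if __name__ == "__main__":
    files = dict(SAMPLE_FILES)
    idx = build_index(files)
    subject = "jane.doe@example.com"
    print("Found in:", search(idx, subject))
    print(json.dumps(export_portable(files, idx, subject), indent=2))
    log = []
    erase(files, idx, subject, log, "DSAR-0001")
    print(json.dumps(log, indent=2))
```

Two design points worth keeping when you build the real thing: the search must run over every tier (the backup and archive copies above would otherwise survive the erasure), and the audit log should prove that an erasure happened without itself retaining the personal data, hence the hashes.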
Have a plan in place to deal with legacy backup data
- It is expected that the authorities will be lenient as long as there is a plan to deal with it
- Eliminate the use of tape for data that you potentially will need to erase (disk and cloud are better alternatives)
- Where possible dispose of legacy backup tapes and fully content index any retained tapes (so they can be easily searched)
If there is a breach, determine whether any PII or SPI data was involved and report as appropriate
- If the exact details of the affected data are not known, restore it and review it
So, in conclusion, investing in market-leading IT security, data protection and analytics solutions will make the job of the Data Protection Officer (or equivalent) much easier.
[1] Includes files, e-mails and SharePoint (the same applies to structured systems, but it is assumed they have native search and erasure capabilities)
So there you have it, hopefully a useful summary of how GDPR is going to impact every organisation, big or small – for me, the net result of all of this is that it will force all organisations to improve their data governance, which has got to be a good thing.
One final thing – the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
If you want to learn even more then read the excellent overview from the Information Commissioner’s Office (ICO) available at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/