On May 25, 2018, the European Union officially enacted the General Data Protection Regulation (GDPR), which will have a transformative effect on how companies manage and secure personal data. The GDPR marks the biggest change to EU data privacy laws in more than 20 years and applies to any organization worldwide that collects and stores personal EU citizen data such as health history, financial information, and the like. Further, still more privacy regulations are cropping up around the globe, making data privacy and protection perhaps one of the most pressing industry evolutions in years to impact CISOs.
If you’re reading this, chances are you already know the basics of GDPR and have begun complying with its key elements; many organizations have already developed an IT roadmap and begun executing against it. As a first practical step toward compliance, most organizations have naturally gravitated toward analytical tools that map what data they hold and then classify the subset of that data which is personal data, and thus falls under GDPR. Other IT projects likely to be in full flight are encryption, breach detection, and breach prevention, all aimed at ensuring that citizen data is appropriately protected.
What may not be on your radar at the outset, but is equally important to organizations complying with GDPR, are the implications for various other, broader IT strategies that are likely in flight at the same time. One clear example is Hybrid IT: using a mix of on-premise and cloud-based solutions to drive cost efficiencies and productivity within the company.
Leverage hybrid IT
Hybrid IT is generally a smart strategy for organizations of any size, and there are countless examples of the benefits of pursuing such a tack. It is important to note that there is also risk associated with this path, especially when GDPR comes into play. The less control you have over your data (and asking a third party to manage that information in the cloud on your behalf equates to exactly that), the greater the risk that personal data is accidentally exposed.
For example, many organizations have begun using cloud-based solutions like Dropbox or Box for collaboration. It’s certainly easy to share information with colleagues at the click of a button, but that simplicity is also a potential source of risk: a user may not look at every last line of a data object they’re sharing and may miss personal data embedded within it. Absent deep, finely tuned analytics to scour and flag potentially responsive data in advance, a well-meaning end user can put his or her organization at risk of falling out of compliance with GDPR in a matter of seconds.
Other hybrid strategies, such as archiving and content management, which leverage cloud-based repositories for long-term data management and governance, can pose risk of accidentally exposing personal information as well. Many of these solutions, particularly those leveraging public clouds on the back end, can be breached if the right controls aren’t in place. (Note: also make sure you understand data sovereignty requirements in various regions like Europe, which may have strict policies about data leaving a country’s border, when determining where you’ll store data in the cloud.) And of course, data that is in transit to a cloud-based repository is vulnerable as well, unless it is locked down with encryption or similar technology.
Mitigate the risk
Fortunately, it’s not all doom and gloom for Hybrid IT when you look at it through a privacy lens. Here are a few best practices to help you mitigate risk:
- Choose trusted, proven technology that has breach prevention and notification capabilities built in to assist with your hybrid IT strategy.
- Select a software vendor that can speak directly to your specific GDPR needs, and has a codified strategy in place.
- Establish organizational policies for sharing information through cloud-based repositories, noting the consequences of accidentally sharing personal information, and educate across the organization.
- Leverage encryption technology to secure data in transit, ideally format-preserving encryption technology so it’s optimally protected, but also optimally useful, when it comes time to gain insight (as appropriate with respect to GDPR) from that information.
- Use file analytics (or structured data archiving) software to periodically map and audit information being stored in a cloud repository and to identify and flag potentially sensitive information that may present risk.
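The kind of periodic audit described in the last point, reduced to its core, is a scan that inventories every object in a repository and flags those carrying personal-data patterns before they are shared or left in a cloud store. The following is an added illustration, not code from the original article or from any vendor product it mentions; the repository contents, the three pattern categories, and the example IBANs are constructed, and a real deployment would need far more categories plus content-aware classification, since pattern matching alone misses free-text personal data.

```python
from __future__ import annotations
import re

# Constructed patterns for three common personal-data categories. Real file
# analytics tooling would carry many more (national IDs, addresses, health terms).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "phone": re.compile(r"\+\d{1,3}[ \-]?\d{2,4}([ \-]?\d{2,4}){2,4}\b"),
}


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: rotate the first four characters to the end,
    map letters to 10..35, and require the resulting integer mod 97 == 1.
    Used to drop IBAN-shaped strings that are not real account numbers."""
    rotated = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rotated)
    return int(digits) % 97 == 1


def scan_text(text: str) -> dict[str, int]:
    """Count hits per category in one object; IBAN hits must pass the checksum."""
    counts: dict[str, int] = {}
    for category, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if category == "iban":
            hits = [h for h in hits if iban_valid(h)]
        if hits:
            counts[category] = len(hits)
    return counts


def audit_repository(files: dict[str, str]) -> list[tuple[str, dict[str, int]]]:
    """Map every object in an (in-memory, constructed) repository and return the
    ones that should be flagged for review, with what was found in each."""
    return [(name, found) for name, content in files.items()
            if (found := scan_text(content))]


# Constructed sample repository: one clean file, one with real-looking personal
# data, and one whose IBAN-shaped token fails the checksum and is ignored.
SAMPLE_REPOSITORY = {
    "shared/q3-summary.txt": "Quarterly totals only. Contact: finance team.",
    "shared/customers.csv": "name,email,iban\nAnna,anna.schmidt@example.eu,GB82WEST12345698765432\n",
    "shared/vendor-note.txt": "Call +49 30 1234 5678 re invoice; test ref GB00WEST12345698765432",
}

if __name__ == "__main__":
    for name, found in audit_repository(SAMPLE_REPOSITORY):
        print(f"FLAG {name}: {found}")
```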
Armed with the above, not only can you help your organization take advantage of all the benefits of a hybrid IT strategy, but you can also embrace GDPR compliance and protect the things that matter most to your company: your data, your customers, your business, and your reputation.