To Simplify GDPR Compliance, Reduce Your Attack Surface

One month from today, Europe’s General Data Protection Regulation will take effect, and the security strategies prepared by organizations around the world will be put to the test.

The GDPR presents a complex challenge, creating new rules for corporations and new rights for the individuals whose data those corporations collect and process. The more data an organization has, the more difficult it will be to meet that challenge.

The GDPR was enacted in response to the exponential growth of data over the last two decades, and the increasing frequency and severity of data breaches, so it stands to reason that the law would place a larger burden on organizations that handle massive amounts of information. Though it may sound like a step in the wrong direction to data-hungry organizations, reducing the amount of data you collect and store can reduce the chances that you'll have to deal with the financial penalties and lost consumer trust that would follow in the wake of a security breach.

Moving data out of the EU’s jurisdiction, as Facebook did last week, is unlikely to be a good long-term solution. The GDPR was mentioned frequently during April’s congressional hearings on Facebook and Cambridge Analytica, signaling that a US version of the GDPR may soon be in the works. The better move is to address the threat directly, by limiting the amount of data you control, exposing as little of that data as possible to theft or misuse, and protecting sensitive data with the strongest possible security.

Keep sensitive data where it belongs

As we’ve noted in previous posts, structured data will pose a relatively minor challenge when it comes to GDPR compliance. A typical enterprise database is actively managed by a team of administrators, who use tools designed for precisely the sort of tasks that will be necessary under GDPR: reporting on the types and amounts of data an organization maintains, and deleting data on specific individuals. As long as a database is adequately protected (including field-level encryption for sensitive data), it is unlikely to create unpleasant surprises for the organization that owns it.

Unstructured data—data stored in files—is a different question. Once data is extracted from a database and saved in a file, it becomes much harder to manage. Employees often save files in inappropriate locations, share them with unauthorized users, and fail to protect them against theft or misuse. Many of the most embarrassing and costly data breaches in recent years have involved files compromised by careless employees.

The best way to manage the risk of sensitive data on employee computers, file servers, and cloud accounts is to remove data that shouldn’t be there in the first place, and encrypt the data that remains. Organizations can accomplish this by using Smartcrypt to scan desktops, laptops, and file shares for files containing sensitive information, and protect (or delete) those files based on pre-defined policies.

Update your data retention policy

Data retention has emerged as one of the recurring themes as organizations around the world make their final preparations for GDPR.

Even though the GDPR’s provisions regarding data retention aren't significantly different from the current EU Data Protection Directive rules—organizations are expected to ensure that "the period for which the personal data are stored is limited to a strict minimum," and to establish timelines for data deletion—the prospect of heavy GDPR fines is changing the way many companies think about retention.

When an organization holds on to outdated information, it not only increases the burden on its storage and transmission resources, it also makes itself a larger target for hackers, spies, and careless or malicious insiders. The only thing worse than paying 4% of your annual revenue to a GDPR supervisory authority would be paying 4% of your annual revenue to a GDPR supervisory authority for mishandling data that you didn’t even need in the first place.

The GDPR is an ideal opportunity for organizations to bring together their legal teams, IT security teams, and other stakeholders to review and update data retention policies. By defining criteria that determine how long different types of data should be retained, companies can ensure that they hold on to truly critical information while ridding themselves of unneeded data that only has the potential to cause problems.

PKWARE’s Smartcrypt is the only data security platform that integrates data discovery, classification, and protection into a single workflow. With Smartcrypt, you can find, protect, and manage sensitive data across the entire organization from a single point of control.