Much of their attention appears to be focused on the headline-grabbing parts of the regulation, including the right to be forgotten and the ensuing email marketing apocalypse that looks destined to occur.
But there is a lot more to GDPR than that, and there are plenty of areas within the IT estates of the average enterprise that could trip some organisations up when it comes to achieving compliance.
One such area is their legacy backup infrastructure. Any company with a multi-generational backup routine may find it unintentionally falls foul of GDPR.
For example, if those tape or disk backups contain email, that email is personal data covered by GDPR, and it becomes the company's responsibility to be able to locate, and where required erase or correct, that data in every generation of backup it holds.
It is not just a question of whether the hardware still works: the backup software also needs to be able to read the formats those older backups were written in.
The cornerstone of getting this right is a well-defined retention and deletion policy that is actually enforced; without one, the same problem recurs with every new backup cycle. A sensible retention policy for email also keeps storage consumption in check as a useful by-product.
If an organisation has boxes of old tapes lying around, the information on them will need to be retrieved, catalogued and indexed so that it can be searched.
Several companies offer import services for old tapes that the owner can no longer read, but (thanks to GDPR) there is now quite a waiting list.
Start caring about network sharing
Another area that needs attention is files held on network shares. These need to be protected and secured, but they also have a shelf life.
For example, are the documents (and the information they contain) that a former employee created several years ago still needed, and is there a lawful basis for continuing to retain them?
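Answering that question for a share of any size means first finding out what is there and how old it is. The script below is an added example, not code from the article: it walks a directory tree, reports every regular file whose last-modified time is older than a retention threshold, and groups the results by owner so files left behind by departed staff can be reviewed. The share contents it scans are constructed in a temporary directory; the paths and the three-year retention period are assumptions for illustration only.

```python
"""Inventory files on a network share that have outlived a retention period.

Added example, not code from the article: walks a directory tree, reports
every regular file whose last-modified time is older than a retention
threshold, and groups the results by owner so files left behind by
departed staff can be reviewed for deletion or re-justified.
"""
import os
import stat
import tempfile
import time
from collections import defaultdict
from dataclasses import dataclass

DAY = 86400


@dataclass
class StaleFile:
    path: str
    owner_uid: int      # 0 on Windows, where st_uid is not populated
    age_days: float
    size_bytes: int


def find_stale_files(root, retention_days, now=None):
    """Return regular files under root not modified within retention_days.

    Uses lstat and skips anything that is not a regular file, so symlinks
    pointing outside the share are neither followed nor counted.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * DAY
    stale = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # removed or unreadable mid-scan: skip, don't abort
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mtime < cutoff:
                stale.append(StaleFile(path, st.st_uid,
                                       (now - st.st_mtime) / DAY, st.st_size))
    stale.sort(key=lambda f: f.age_days, reverse=True)
    return stale


def group_by_owner(stale):
    """Map owner UID -> list of StaleFile, oldest first within each owner."""
    by_owner = defaultdict(list)
    for f in stale:
        by_owner[f.owner_uid].append(f)
    return dict(by_owner)


def build_sample_share():
    """Create a constructed sample share (hypothetical data) in a temp dir.

    Returns (root, now): two files dated five and six years before `now`
    and one touched yesterday, so a three-year retention policy should
    flag exactly two of them.
    """
    root = tempfile.mkdtemp(prefix="share-")
    now = time.time()
    ages = {"finance/budget-2012.xlsx": 6 * 365,
            "hr/leaver-notes.docx": 5 * 365,
            "projects/current-plan.txt": 1}
    for rel, age in ages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.utime(path, (now - age * DAY, now - age * DAY))
    return root, now


if __name__ == "__main__":
    root, now = build_sample_share()
    for f in find_stale_files(root, retention_days=3 * 365, now=now):
        print(f"{f.age_days:7.0f} days  uid={f.owner_uid}  {f.path}")
```

Modification time is only a starting point: a file copied onto the share last week may carry a fresh mtime while its content is a decade old, so the inventory should feed a review, not an automatic delete. On Windows shares the owner needs to come from the file's security descriptor rather than `st_uid`.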
Employees also have the right under GDPR to see what information is held about them and how it is managed, and records kept on employees who left many years ago are covered too.
It is a good idea to write a guidance document on this and share it with employees so that they understand what information is kept, how it is used and the lawful basis for keeping it.
The risk of removable media
A major part of GDPR is that companies must ensure that reasonable care and attention is taken to safeguard information.
USB sticks are bad news in this respect, particularly when left in the hands of staff who aren’t GDPR savvy.
While laptops may, and should, now have full-disk encryption, USB sticks and external drives usually have no such protection, and the security of important data cannot be left to rank-and-file users. An individual employee's ignorance of GDPR is no defence when the company is caught out by such an incident.
As it happens, some media suppliers do offer (relatively) easy-to-use encryption tools. Depending on the use case these may suffice, but whatever approach is taken, make sure removable data is inventoried, managed and locked down.
Similarly, make sure cupboards are searched for old disks, data CDs and USB pens so that no data is left "hanging around".
Technical controls that restrict data transfer will only get a business so far. All staff who handle data of any type need GDPR training so they understand the requirements and the risks around data security.
Data loss is not something any business wants to confess to, and GDPR builds in a duty to notify the supervisory authority of a personal data breach, within 72 hours of becoming aware of it where feasible.
There are also some generally accepted business practices that could see organisations upset regulators. For example, if a company at a supplier conference offers the chance to win a free iPad in exchange for a business card, the moment that information is harvested and entered into a database it starts to present problems.
Did the person actively consent to being added to a database or mailing list? Moving the data from a business card into a database raises the data protection stakes dramatically.
Monitoring where information comes from and where it flows is important. It is all too easy to spin up a new cloud instance, but who verifies and controls the data that ends up on that server? Moving data around without proper process, or creating ad-hoc servers, exposes the company to risk.
You only need to look at the data exposures that have occurred recently through misconfigured Amazon Web Services (AWS) S3 storage buckets, left readable to anyone on the internet, to understand how easily control over information can be lost.
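Most of those S3 exposures came down to a bucket policy or ACL that granted access to everyone. The following is an added example, not code from the article or from AWS: it checks a bucket policy document and an ACL grant list for anonymous or all-account access, working offline over data in the same shape that `aws s3api get-bucket-policy` and `get-bucket-acl` return. The bucket name, account ID, policy and grants are constructed for illustration and are not taken from any real incident.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous access.

Added example, not code from the article or from AWS: the checks run
offline over a policy document and an ACL grant list in the same shape
that `aws s3api get-bucket-policy` / `get-bucket-acl` return, so they can
be dropped into an inventory script. The bucket name and documents below
are constructed, not taken from any real incident.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample policy. Statement 1 is a normal account-scoped grant;
# statement 2 is the classic mistake behind many bucket leaks: Principal "*"
# with s3:GetObject on every object in the bucket.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupWriter", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-corp-backups/*"},
        {"Sid": "PublicRead", "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-corp-backups/*"},
    ],
})

# Constructed ACL grants in the get-bucket-acl shape: the second grant
# gives every AWS account holder (not just ours) READ, i.e. list, access.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd" * 8},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS},
     "Permission": "READ"},
]


def _as_list(value):
    """IAM allows scalar or list for Principal.AWS, Action, Resource, Statement."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, both of which mean anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Return Allow statements addressed to any principal, with what they allow."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            # A Condition (e.g. aws:SourceIp) may narrow the grant; a human
            # still has to decide whether it narrows it enough.
            "has_condition": "Condition" in stmt,
        })
    return findings


def public_acl_grants(grants):
    """Return (group, permission) for grants to AllUsers or AuthenticatedUsers."""
    public = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            public.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return public


if __name__ == "__main__":
    for f in public_policy_statements(SAMPLE_POLICY):
        print(f"policy {f['sid']}: {f['actions']} on {f['resources']} for anyone")
    for group, perm in public_acl_grants(SAMPLE_ACL_GRANTS):
        print(f"ACL grants {perm} to {group}")
```

Note that AuthenticatedUsers means any AWS account in the world, not accounts in your organisation, so it is treated as public here. These two checks cover the bucket policy and bucket ACL only; per-object ACLs can still expose individual files, which is why the account-level S3 Block Public Access setting is the backstop to turn on regardless of what the inventory finds.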
A major goal of GDPR is to get enterprises to reflect on how they handle personal data and on the consequences of getting it wrong. Companies should be doing this already, but many are not, and in time correct personal data management will become a business driver.
Don't forget what befell Yahoo when its breaches were discovered: the $350m reduction in the price of its sale to Verizon shows just how expensive data loss can really be.