By Erika Lee
If 2018 was “The Year of Privacy,” then 2019 is poised to be the year of “privacy self-defense.” Protecting privacy is the responsibility of the consumer, as well as the responsibility of the companies those consumers trust with their data. In 2018, consumers realized trust isn’t enough.
The General Data Protection Regulation (GDPR) – coupled with high-profile lawsuits and government hearings involving the world’s largest social media, eCommerce, and Internet search companies – has enlightened consumers.
More people now understand the vast number of ways their personal information and behavior data is being used and the ease with which it can be stolen from the companies using it. These consumers want to regain control and, fortunately, myriad regulations being introduced worldwide are giving them ways to do just that.
The threats of fines, sanctions and losing customers have driven companies to shed blood, sweat, tears and money, as they work to optimize compliance and information security. Because a data breach is the primary trigger for backlash, cybersecurity practices usually get all the attention. When you read about protecting privacy, you often see top 10 must-have lists, including things such as network segmentation, network monitoring, role-based access, data leakage protection and employee training. But you rarely see anything related to:
- Content-aware governance practices
- Extending governance and privacy protection enforcement to unstructured data sources
- Collaboration across security, IT, legal, compliance and business stakeholders
However, if you don’t know what sensitive data you have, where it lives, who has access to it, and whether it even needs to be in the production environment, how do you optimize security and compliance? Content awareness, more efficient means of detection and remediation, and collaboration across stakeholders are key “must haves.” These things are the difference between living in an endless cycle of reactionary whack-a-mole and assuming a more proactive compliance and security posture.
Here are some things to consider:
1. Minimize: In addition to collecting only the personal data you need to conduct business, you need to minimize the personal data you already have. Find obsolete personal data on end-user computers, shares, servers and even in email. Employ a technology that allows you to quickly separate what you can dispose of from what requires special handling and retention.
2. Protect, monitor and manage employee data, wherever it lives: Identify the employees who have access to personal information and actively manage their data. End-user computers and email are high risk and hard to manage from a privacy protection perspective. Additionally, unstructured data center systems and cloud data are key because these sources are also frequent locations of personal data spillage.
- Back it up
- Maintain continuous visibility and risk profiling across these data sources
- Enable remediation mechanisms to archive, erase or quarantine personal data
- Remediation should include review and approval for collaboration with data owners and compliance stakeholders
3. Prioritize: Understanding where your personal data lives beyond the known structured repositories, and being able to visualize the presence of personal data across those sources, will allow you to prioritize your security and compliance readiness efforts. Tackle highest risk first.
4. Reduce your data silos to minimize your information risk footprint: Gaining visibility and control over the sources discussed above often leads to organizations implementing a bunch of disparate tools. This can create several additional data silos, all of which need to be managed, monitored and secured. This actually increases your risk footprint. Commvault allows you to consolidate the following operations:
- Backup and recovery
- Information risk profiling
- Archiving and compliance retention
- eDiscovery and investigative search across file systems and email to respond to GDPR data subject requests and other regulatory requests
- Data spillage detection and remediation
5. Enable erasure of personal data from unstructured systems and backups: GDPR introduced Right to Erasure, and we can expect subsequent privacy laws to meet the same standard. If a customer asks you to erase their personal data, you need to ensure it’s erased not only from structured systems, such as your CRM, but from unstructured systems, such as end-user computers and shares, as well as the backups. Why backups? You want to make sure you don’t accidentally restore that personal data, or you are putting your organization at risk.
6. Automate: In order to extend privacy protection to unstructured data and enforce your policies in a scalable way, it is necessary to automate processes, such as continuous discovery of personal data, collaboration workflows, remediation, and applying content-aware data policy to files and emails containing sensitive information. Consolidating the above-mentioned operations on a single solution that allows for API integration with third-party tools is an efficient way to automate many governance-related tasks that are often carried out manually today.
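The six steps above describe one loop: discover personal data in unstructured sources, profile the risk, rank it, and route each finding to a remediation that a data owner reviews. The script below is an added example of that loop over a small constructed file share, not Commvault's code; the detectors, risk weights, the "email sources count double" rule and the score thresholds are all assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Illustrative detectors (constructed; real tooling carries far more patterns).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}
WEIGHTS = {"email": 1, "ssn": 5, "card": 5}   # assumed per-hit risk weights
HIGH_RISK_SUFFIXES = {".eml", ".msg"}          # email is high risk, per the text

def luhn_ok(candidate: str) -> bool:   # filters digit runs that are not card numbers
    total = 0
    for i, d in enumerate(int(c) for c in reversed(candidate) if c.isdigit()):
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 else d
    return total % 10 == 0
def scan_text(text: str) -> dict:
    """Count personal-data hits per type (card hits must pass Luhn)."""
    counts = {}
    for kind, pat in PATTERNS.items():
        hits = [h for h in pat.findall(text) if kind != "card" or luhn_ok(h)]
        if hits:
            counts[kind] = len(hits)
    return counts
def recommend(score: int) -> str:
    """Map a risk score to a remediation that still goes through owner review."""
    if score >= 10:
        return "quarantine, pending data-owner approval"
    if score >= 5:
        return "archive under compliance retention"
    return "review" if score else "no action"
def scan_tree(root: Path) -> list:
    """Profile every file under root; email sources weigh double (assumed)."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            counts = scan_text(p.read_text(errors="ignore"))
            score = sum(WEIGHTS[k] * n for k, n in counts.items()) * (2 if p.suffix in HIGH_RISK_SUFFIXES else 1)
            findings.append((score, p.name, counts, recommend(score)))
    return sorted(findings, key=lambda f: -f[0])   # tackle highest risk first
def demo() -> list:
    """Constructed sample share: three files with different kinds of spillage."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_text("Call Jane at jane@example.com tomorrow.")
    (root / "export.csv").write_text("id,ssn\n1,123-45-6789\n2,987-65-4321\n")
    (root / "ticket.eml").write_text("From jane@example.com: card 4111 1111 1111 1111 charged twice.")
    return scan_tree(root)
```

Running `demo()` returns the findings highest risk first, with the support ticket in email ranked above the SSN export and the lone address in a notes file last; the Luhn filter keeps random digit runs from being reported as card numbers.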