Data Management’s Place in a GDPR Compliance Strategy: Don’t Lose Sight of the Forest for the Trees

Posted on by Peter Merkulov

One year remains before the European Union’s updated data security and privacy protection law, the General Data Protection Regulation (GDPR), goes into effect in May of 2018. Early indications are that companies doing business in or with the EU are taking the deadline seriously. Earlier this year, a PwC survey found that 92 percent of U.S. businesses had given GDPR compliance top priority for their IT security plans—and budgets. The PwC survey said that budgets dedicated to GDPR readiness were set at $1 million or more. 

There’s good reason for companies to take early and decisive action. In the event of a data breach, companies found negligent of their responsibilities under GDPR may be subject to fines amounting to four percent of global revenue. That’s enough to make any sensible CISO sit up and take notice—but one must not allow the gravity of the impending law to result in compliance shortsightedness and become so focused on security’s trees that the forest of a comprehensive data management strategy is lost. 

Data management is an often-overlooked aspect of information security and compliance. Yet, given that a key aspect of GDPR compliance involves moving data securely between borders where the laws may differ, proper data management is vital. It has been suggested that keeping data centers isolated within the appropriate jurisdictions is one solution to this challenge; this is a symptom of compliance bias. While segregating data in specific jurisdictions may meet compliance requirements, the fact is that many organizations simply cannot take this approach. The efficient flow of data is integral to global business operations and sequestering clusters of regional data in multiple locations is likely to create inefficiencies—and even increase risk by the introduction of unnecessary complexity in a global data management scheme. 

Instead, consider how the elements of a comprehensive data management strategy will help your organization to achieve compliance while complementing the efficient and secure movement of all data, including protected personal information that falls under the aegis of GDPR, high-value intellectual property vital to the success of your business and the day-to-day transactions on which operations rely. Here are some of those considerations to enhance compliance programs:

  • Data Mapping: To protect data you must know where it is, where it is headed and the route it will take to get there. Any visibility gaps present in that route mean data is at risk.
  • Secure Systems and Infrastructure: While this should go without saying, an imbalance of reliance on security tools—perimeter defense—without also ensuring a secure infrastructure means your data is defenseless once a hacker manages to penetrate the network.
  • Integration: As networks grow, they grow more complex and complexity is the enemy of security. Poor integration can result in technical glitches that can be exploited; tight, streamlined systems integration keeps a network more secure.
  • Process Automation: Human error remains one of the biggest factors in security failures and data breaches. Process automation takes the human factor out of the equation and minimizes the chance of someone having a bad day. 

Of course, for a data management strategy to enhance regulatory compliance it must be complementary to whatever efforts an organization has underway to meet the requirements of GDPR—or any data protection or privacy regulation. That means close coordination between the legal and compliance teams drafting the plan and applicable binding corporate rules, the CISO overseeing the acquisition and implementation of security tools and the CIO in charge of making it all work, is key. 

If, as PwC found, your organization is investing 12 months and seven-figures in a compliance program, it would be a shame to learn the hard way that a security tree fell in your forest and the regulators heard it crash.

Peter Merkulov

Vice President of Product Strategy and Technology Alliances, Globalscape

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community