The EU General Data Protection Regulation: Prepare for change


The EU’s wide-ranging General Data Protection Regulation (GDPR) is set to significantly impact all businesses, whether based in the EU or further afield. From 2018, any organisation that collects, uses or shares personal information about European citizens will have to demonstrate compliance with the hotly contested law. This includes using various techniques to ensure that data protection is built into an organisation’s design and infrastructure by default.

Securing the data deluge

In an always-on, hyper-connected world, most people think of their data in terms of the live systems that hold their information. In reality, that is just the tip of the iceberg. Data is in fact being copied over and over – for development, testing, quality assurance, training, financial reporting, business intelligence and more. In addition, data is often accessed by third parties, contractors and consultants in other locations or countries, with only a username and password standing between them and the data.

However, the EU GDPR will change all this. Moving forward, a software developer will need to be as security conscious as a database administrator – a concept that is likely to be foreign to them. Whilst there is already some level of data protection and ownership within organisations, the new regulations will spark an increase in the education, training and tools required to prove compliance with what is and isn’t allowed.

Introducing the carrot and stick

The new regulation cautions that any personal information needs to be “pseudonymised” so that the person is no longer identifiable, essentially introducing a ‘carrot’ and ‘stick’ approach. The ‘carrot’ is a recommendation to pseudonymise at specific points, with reduced obligations for businesses that follow this approach. The ‘stick’ is the threat of penalties for businesses that are non-compliant.

For many enterprises, this will mean that they need to re-architect operations to accommodate a data-first approach.

Currently, Delphix estimates 90% of data resides as copies in development, testing and reporting shared environments. The first step will be understanding where all the data sits in both production and non-production. The second step will require technology that has the ability to scale and protect all data, not just those bits of information that are the most sensitive.

This will require an investment in new technologies, for example data masking, that can pseudonymise data once and ensure all subsequent copies have the same masking policies applied. However, in the event of a data breach, the cost of these investments is likely to pale in comparison with the potential fines of 4 per cent of global turnover.
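The property the paragraph asks for, masking applied once under a single policy so that every downstream copy carries the same pseudonyms, can be illustrated with a keyed, deterministic token. The example below is added here and is not Delphix code or the product the article alludes to; the records, field names, masking policy and key are constructed for the demonstration. Because the token is an HMAC over the original value under a secret key, the same production value maps to the same pseudonym in the development, test and reporting copies (so joins and referential integrity across copies still hold), while the original value cannot be recovered from the copy without the key.

```python
"""Deterministic pseudonymisation for non-production copies (added example).

Not the article's or Delphix's code. Demonstrates: mask once under one
policy, and every copy (dev, test, reporting) carries identical pseudonyms
without exposing the original personal data.
"""
import copy
import hashlib
import hmac

# Constructed policy: the fields treated as personal data in these records.
MASKING_POLICY = frozenset({"name", "email", "national_id"})

# Constructed "production" records used as sample input.
PRODUCTION_RECORDS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "national_id": "AB123456C", "plan": "gold"},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.org",
     "national_id": "CD654321E", "plan": "silver"},
]


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Keyed, deterministic, one-way token for a single field value.

    HMAC-SHA256 means the mapping is stable for a given key (so copies agree)
    and cannot be inverted or brute-forced by an attacker who lacks the key.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_email(value: str, key: bytes) -> str:
    """Pseudonymise the local part but keep the domain so the field still
    looks like an email address to applications under test (a common
    format-preserving choice; the domain itself is not treated as secret)."""
    local, _, domain = value.partition("@")
    if not domain:
        return pseudonym(value, key)
    return f"{pseudonym(local, key, 12)}@{domain}"


def mask_record(record: dict, key: bytes, policy=MASKING_POLICY) -> dict:
    """Return a masked copy of one record; non-policy fields are untouched."""
    masked = copy.deepcopy(record)
    for field in policy:
        if masked.get(field) is None:
            continue
        if field == "email":
            masked[field] = mask_email(masked[field], key)
        else:
            masked[field] = pseudonym(str(masked[field]), key)
    return masked


def mask_copy(records, key: bytes, policy=MASKING_POLICY) -> list:
    """Apply the policy to a whole data set, e.g. when provisioning a copy."""
    return [mask_record(r, key, policy) for r in records]


def copies_consistent(copy_a, copy_b, policy=MASKING_POLICY) -> bool:
    """True when two copies carry identical pseudonyms for every policy field,
    which is what lets dev and test data still join on masked keys."""
    if len(copy_a) != len(copy_b):
        return False
    return all(
        a.get(f) == b.get(f) for a, b in zip(copy_a, copy_b) for f in policy
    )


def leaks_plaintext(masked, originals, policy=MASKING_POLICY) -> bool:
    """Control check: does any original sensitive value survive in the copy?"""
    sensitive = {str(r[f]) for r in originals for f in policy if r.get(f)}
    return any(str(v) in sensitive for m in masked for f, v in m.items()
               if f in policy)


if __name__ == "__main__":
    key = b"constructed-demo-key-rotate-in-real-life"
    dev_copy = mask_copy(PRODUCTION_RECORDS, key)
    test_copy = mask_copy(PRODUCTION_RECORDS, key)
    print("copies consistent:", copies_consistent(dev_copy, test_copy))
    print("plaintext leaked:", leaks_plaintext(dev_copy, PRODUCTION_RECORDS))
    for row in dev_copy:
        print(row)
```

The masking key is the one secret the scheme depends on: it must be held only by the masking process, never shipped with the non-production copies, and rotated with the understanding that rotation breaks consistency between copies masked under different keys.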

Conclusion

Given the ever-increasing occurrence and severity of data breaches, it’s becoming more and more important that customers feel their vendors are advocating a data-first approach. This means setting a data protection strategy that covers the entire organisation and reduces the risks to any individuals who are victims of a data breach.

By advocating the adoption of precautionary measures, the EU GDPR goes some way toward ensuring personal information is protected or rendered useless for any successful cyber-criminals that breach fortress walls. It also better protects organisations from the fallout that any data breach has on their finances, resources or reputation.