What this means for your organization
If your organization does business with any organizations or individuals in the EU, you have already had to make significant changes to how you process, manage, and store the data of EU residents. Prepare now to provide many of the same sorts of protection to your US and Canadian customers. Here is a quick checklist of the things you will need to do:
1. Implement a comprehensive, integrated security strategy. It has been said that there cannot be any data privacy without good data security. Because of that, you have to start by ensuring that any PII data your organization touches is secured from the moment it enters your network to the moment it leaves. This includes applying security measures and policies that can seamlessly identify, follow, and secure data as it moves between network domains and devices, including across multi-cloud or SD-WAN environments, as well as into your storage area network (SAN).
Security plays a critical role in helping you know where every bit of data is located and who and what has access to it. An integrated security framework allows all security components to see other devices, share and correlate information between them, and participate in a coordinated threat response. It needs to be woven into and across every aspect of your evolving network to enable things like unified policy creation, centralized orchestration, and consistent enforcement. This approach allows you to extend visibility deep into your infrastructure to see every device, track every application and workflow, and more importantly, see and secure all data. It also allows you to demonstrate compliance with regards to protected privacy requirements and the verification of its secure storage, use, and removal.
2. Change what and how you collect PII data. New privacy laws such as GDPR define individuals as the sole owners of their data, and not businesses or institutions. As a result, these individuals must be able to withdraw their consent to the collection of their data as quickly and easily as it was given. This will require organizations to collect only the minimum amount of data needed for a specific purpose, and to then be able to completely remove it when it is no longer needed.
3. Reorganize your data so that PII can be easily identified, flagged, and deleted. Be prepared to demonstrate to compliance officials that you can prevent specific data from being shared or sold to third parties and that you can remove all instantiations of an individual's PII regardless of where it is being stored or used. For larger organizations, this is not a trivial task. It will require significant retooling of databases, rewriting of software applications and websites, and redesigning of internal processes so that all data related to a single customer can be identified quickly. The GDPR's "right to be forgotten" (RTBF) means that data needs to be found and removed quickly and easily, rather than relying on humans to hunt for each instance of personal information scattered across your distributed network.
4. Encrypt PII so that it poses no risk if compromised. You should consider encrypting data both in transit and at rest in your network. Encryption negates the value of data if it is compromised. But encrypting large volumes of data is no easy task. Organizations should weigh the throughput of their encryption solution against any associated degradation of application and network performance.
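Items 2 and 3 above, keyed by a single pseudonymous token per data subject, can be illustrated in code. The following is an added example and is not code from the original post; the `PIIStore` class, its HMAC-based token scheme and the sample records are all assumptions constructed for illustration. Raw PII is kept in exactly one table, every other record carries only the keyed token, and an erasure request is answered by deleting the subject row plus every record that shares its token.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class PIIStore:
    """Holds raw PII in one place, indexed by a keyed pseudonym (constructed example).

    Downstream records (events, logs, analytics) carry only the token, so the
    subject can be found and removed in one pass instead of hunting for copies.
    """

    def __init__(self, pepper: Optional[bytes] = None) -> None:
        # Server-side HMAC key ("pepper"): without it a token cannot be
        # recomputed from an email address, unlike a plain SHA-256 hash.
        self._pepper = pepper if pepper is not None else secrets.token_bytes(32)
        self._subjects: Dict[str, Dict[str, object]] = {}   # token -> raw PII row
        self._events: List[Tuple[str, str]] = []            # (token, event) rows

    @staticmethod
    def _normalize(email: str) -> str:
        # Canonicalise so "Alice@Example.com" and "alice@example.com" are one subject.
        return email.strip().lower()

    def token_for(self, email: str) -> str:
        """Keyed pseudonym for a subject; stable for the same key and email."""
        mac = hmac.new(self._pepper, self._normalize(email).encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()

    def record_subject(self, email: str, name: str, consent: List[str]) -> str:
        """Store the minimum PII needed plus the purposes the subject consented to."""
        tok = self.token_for(email)
        self._subjects[tok] = {"email": self._normalize(email), "name": name, "consent": list(consent)}
        return tok

    def record_event(self, email: str, event: str) -> None:
        """Downstream record: only the token is stored, never the email."""
        self._events.append((self.token_for(email), event))

    def events_for(self, email: str) -> List[str]:
        tok = self.token_for(email)
        return [ev for t, ev in self._events if t == tok]

    def has_consent(self, email: str, purpose: str) -> bool:
        subj = self._subjects.get(self.token_for(email))
        return subj is not None and purpose in subj["consent"]

    def withdraw_consent(self, email: str, purpose: str) -> bool:
        """Withdrawal must be as easy as giving consent; returns True if it was removed."""
        subj = self._subjects.get(self.token_for(email))
        if subj is None or purpose not in subj["consent"]:
            return False
        subj["consent"].remove(purpose)
        return True

    def erase_subject(self, email: str) -> int:
        """Right-to-be-forgotten: drop the PII row and every token-linked record.

        Returns the number of rows removed so the action can be evidenced.
        """
        tok = self.token_for(email)
        removed = 0
        if self._subjects.pop(tok, None) is not None:
            removed += 1
        before = len(self._events)
        self._events = [(t, ev) for t, ev in self._events if t != tok]
        removed += before - len(self._events)
        return removed


if __name__ == "__main__":
    store = PIIStore()
    # Constructed sample subject and activity.
    store.record_subject("Alice@Example.com", "Alice Example", ["newsletter"])
    store.record_event("alice@example.com", "login")
    store.record_event("alice@example.com", "purchase")
    print("events before erasure:", store.events_for("alice@example.com"))
    print("rows removed:", store.erase_subject("alice@example.com"))
    print("events after erasure:", store.events_for("alice@example.com"))
```

The token is an HMAC rather than a bare hash so that an attacker who obtains the event table cannot recompute tokens from a list of guessed email addresses without the server-side key; rotating or destroying that key also unlinks any tokens that survive in backups.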
Summing Up
New and looming data privacy legislation reflects growing public concern about the protection and personal ownership of PII. Data Privacy Day is an urgent reminder that every organization that touches personal data needs to re-evaluate its IT security infrastructure. Are your IT security solutions able to effectively communicate, regardless of where they have been deployed, to optimally protect data and provide network-wide visibility? Does your network include sophisticated data-protection measures such as threat prevention and detection, pseudonymization of PII, and internal segmentation to isolate and track customer and employee data? And finally, have you documented, and more importantly, tested your data-breach response plan?