One of the challenges of achieving GDPR compliance will be securing Personally Identifiable Information (PII) held on laptops and other mobile devices. It is harder to track and at a greater risk of being compromised because it is not behind the company firewall.
The solution is to take a strategic approach to data protection and adhere to good overall cyber security. With the basics in place, organisations can then consider whether they need to add specific tools to ensure that PII on mobile devices is protected.
Step one is to understand whether your organisation actually holds any PII apart from payroll and HR records, which should already be held securely. If the answer is yes, you need to audit how and where it is located.
Our analyses across a wide range of organisations suggest 18-20% of data is typically held in specific applications such as databases, CRM systems and internally developed applications, which are relatively straightforward to identify. You can take specific steps to protect this data, such as identifying how many times a database has been copied and where those copies exist, using common internal search tools. Any copies on mobile devices can be moved to secure internal storage or deleted unless they specifically have to be on that device.
Some of the remaining 80% will be semi-structured data in applications such as email, or organised using SharePoint or other file and content management applications. The rest will be unstructured data, normally held in file systems, and this is what needs the most attention.
Now consider whether you actually need to do anything extra to protect this information. If most of it is proposals, reports and technical material, the only PII is probably the name and job title of the recipient, which would normally already be publicly available through LinkedIn or similar. In other words, there is not a significant GDPR risk and normal good security practice will be appropriate. The same is true for emails to customers: a reasonably sophisticated email application such as Exchange with suitable compliance features enabled, or a third-party product that does this, will enable you to search for and identify items that need protection or archiving.
You can now segment your data and store it according to business value and sensitivity, using GDPR compliance as one of the factors. If you do have a significant GDPR risk from unstructured data we recommend implementing active data management using, for example, Data Loss Prevention (DLP) or digital rights management with active search and e-discovery to index stored data and identify where PII may reside.
If data is distributed across multiple servers and locations, consolidating it will make it easier to index. Druva estimates that around 40% of company data never reaches the central IT platforms. Tools such as Commvault Simpana and Druva inSync enable indexing for all backed up data, and can be a useful starting point in identifying the size of the issue.
With your PII located, you can put appropriate policies and protections in place. Working towards recognised standards such as certification from the government-backed Cyber Essentials scheme will demonstrate that you have implemented proper data controls. Active data management needs to be accompanied by a data protection policy that sets out clearly who can open, read and download specific types of information, and everyone in the organisation needs to be trained to follow this policy. Once all users have been informed, the policy should be rigorously enforced.
It is worth remembering that the value of data may not be in specific items of data but in making the links between them, so the data protection policy should address how to manage and secure these links.
Now you can consider any PII that remains on mobile devices, from laptops to smart phones. Again security policy is vital. This must be realistic, unambiguous and enforceable, while avoiding violating personal privacy laws. Tools can assist with data identification and protection, but the priority should be to minimise the amount of data transferred to or held on the device. This can be done in several ways: virtualising applications and streaming them to the device; allowing access but implementing a policy to prevent users downloading sensitive organisational data; or mandating Mobile Device Management (MDM) on all mobile devices to remove corporate data if the device is lost or stolen, using encryption to secure sensitive data.
Software tools such as Druva inSync can scan files and data as part of the device’s backup and recovery process to identify potential PII and other sensitive data. Once located, data can then be protected or deleted in line with company policy. This capability is available as a service from organisations such as Fordway, and in addition to backup and restoration offers compliance and legal hold with scalable, encrypted backup storage.
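The scan-and-classify step described above (index stored files, flag those that appear to hold PII, then protect or delete them in line with policy) is worth prototyping before committing to a product, if only to size the problem. The following Python script is an added example and is not code from the article, from Druva or from Fordway; the detector patterns, the risk tiers and the sample files it writes are constructed assumptions for illustration and would need validating against the organisation's own data before being relied on.

```python
"""Locate potential PII in a directory tree and rank files by risk, as a
first pass before applying a data-protection policy. Detector patterns,
risk tiers and sample data are constructed for illustration (assumptions)."""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List

# Assumed detectors for PII forms common in UK organisations (illustrative only).
PII_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK phone: +44 or a leading 0, then 9-10 digits with optional spaces,
    # written so the match always ends on a digit (no trailing whitespace).
    "uk_phone": re.compile(r"(?<![\d+])(?:\+44\s?|0)\d(?:\s?\d){8,9}(?!\d)"),
    # National Insurance number: two letters (some excluded), six digits, suffix A-D.
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}

# Assumed policy: a name or address on a report/proposal is low risk, so an
# email address alone in these file types is not escalated.
LOW_RISK_SUFFIXES = {".md", ".rst"}


@dataclass
class FileFinding:
    path: str
    counts: Dict[str, int] = field(default_factory=dict)
    risk: str = "none"


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return every PII match in text, keyed by detector name (only detectors that hit)."""
    return {name: pat.findall(text) for name, pat in PII_PATTERNS.items() if pat.search(text)}


def classify(counts: Dict[str, int], suffix: str) -> str:
    """Map detector hit counts to a coarse risk tier (assumed policy)."""
    if not counts:
        return "none"
    if "uk_ni_number" in counts or "uk_phone" in counts:
        return "high"
    if suffix in LOW_RISK_SUFFIXES:
        return "low"
    return "medium"


def scan_files(root: Path) -> List[FileFinding]:
    """Walk root, scan each readable file and return one finding per file."""
    findings: List[FileFinding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        counts = {name: len(hits) for name, hits in scan_text(text).items()}
        findings.append(FileFinding(str(path.relative_to(root)), counts, classify(counts, path.suffix)))
    return findings


def summarise(findings: List[FileFinding]) -> Dict[str, int]:
    """Count files per risk tier, which is the 'size of the issue' figure."""
    summary: Dict[str, int] = {}
    for f in findings:
        summary[f.risk] = summary.get(f.risk, 0) + 1
    return summary


def build_sample_corpus(root: Path) -> None:
    """Write a small constructed corpus: a proposal, an HR export and a benign file."""
    (root / "docs").mkdir()
    (root / "docs" / "proposal.md").write_text(
        "Prepared for Jane Smith, Head of IT (jane.smith@example.com).\n")
    (root / "hr_export.csv").write_text(
        "name,ni,phone\nJohn Doe,AB123456C,07700 900123\nAnna Lee,CE654321A,+44 7700 900456\n")
    (root / "README.txt").write_text("Build instructions. No personal data here.\n")


def scan_sample_corpus() -> Dict[str, FileFinding]:
    """Build the constructed corpus in a temp dir, scan it, return findings by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_corpus(root)
        return {Path(f.path).name: f for f in scan_files(root)}


if __name__ == "__main__":
    results = scan_sample_corpus()
    for name, f in results.items():
        print(f"{f.risk:6} {name}: {f.counts}")
    print(summarise(list(results.values())))
```

Run against a real share by calling `scan_files(Path("/path/to/share"))` instead of the sample corpus. The point of the risk tiers is triage: the "high" list is where copies on laptops should be moved to secure internal storage or deleted, while "low" hits on proposals and reports confirm the earlier observation that most unstructured material carries no significant GDPR risk. Expect false positives from regex detectors on reference numbers that happen to look like phone numbers; the hit counts are for sizing the problem, not for automated deletion.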
GDPR is primarily a business issue, not a technology problem. Technology can help by providing useful search and archive tools but organisations should begin with a clearly defined and well understood GDPR adherence policy, with appropriate business processes to ensure compliance and continual good cyber security discipline.
By Richard Blanford, managing director, Fordway