The backdoor to GDPR violations

By now you’ve heard about the General Data Protection Regulation (GDPR), the new European Union privacy regulation. The goal of GDPR is to protect the privacy of personal data given the rapidly increasing collection, analysis, storage and sharing of personal information.

To meet the goal of strong protection for personal data, some businesses will concentrate their efforts on the core data processing platforms used to perform analytics. This approach is flawed: personal data must be protected wherever it is stored, not only on the platforms that process it.

Effort focused on data processing platforms alone ignores the fact that personal data is transient. The personal data processed in any analytics platform comes from other systems, and the results of that processing are often exported to yet another platform. Organisations therefore need to know everywhere personal data resides and the risk attached to each copy, particularly in repositories of unstructured data.

For example, the Colorado Judicial Department recently suffered a data breach when sample data (including Social Security Numbers) from a juror system was exposed on a public web portal. Imagine the layers of network security, database security, authentication and access controls that were easily circumvented by a user simply exporting data from a database and posting it on the Internet. This is a real-world example of why organisations need a data-centric approach to GDPR compliance that relies on thorough and continuous data discovery.

Never underestimate how easy it is for highly sensitive personal data, stored in a database behind multiple firewalls, to suddenly appear in an unstructured format (e.g. an Office document) on a much less secure platform. It is not a question of if, or even when; it is simply how unstructured sensitive data behaves, because every export, report and attachment creates another copy outside the controlled store.
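The "continuous data discovery" called for after the Colorado example, and the database-to-Office-document drift described just above, both come down to the same practical task: sweep the file shares, export folders and web roots where copies land, and flag anything that looks like personal data. The script below is an added illustration, not code from the original article; it walks a directory tree, pulls the visible text out of .docx files (a zip archive whose text sits in word/document.xml) as well as plain text and CSV, and counts hits against a couple of assumed patterns (a US SSN, since that is what leaked in the Colorado case, and an e-mail address). The sample tree it builds is constructed fake data, and the pattern set is illustrative; a real deployment would add the national identifiers and record layouts relevant to its own jurisdiction.

```python
"""Walk a directory tree and flag files that contain personal-data patterns."""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Detection patterns (assumed for illustration; extend with the identifiers
# used in your own jurisdiction and data sets).
PATTERNS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

DOCX_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def extract_text(path):
    """Return the searchable text of a file.

    A .docx is a zip archive; the visible text lives in word/document.xml as
    <w:t> runs, so we parse that rather than grepping compressed bytes.
    Anything else is treated as text and decoded leniently.
    """
    if path.lower().endswith(".docx"):
        with zipfile.ZipFile(path) as zf:
            root = ET.fromstring(zf.read("word/document.xml"))
        return " ".join(t.text or "" for t in root.iter(f"{DOCX_NS}t"))
    with open(path, "rb") as fh:
        return fh.read().decode("utf-8", errors="replace")


def scan_tree(root):
    """Return {relative_path: {pattern_name: match_count}} for files with hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                text = extract_text(full)
            except (OSError, zipfile.BadZipFile, ET.ParseError, KeyError):
                continue  # unreadable or malformed file: skip it, keep sweeping
            hits = {k: len(p.findall(text)) for k, p in PATTERNS.items()}
            hits = {k: n for k, n in hits.items() if n}
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_tree():
    """Create a constructed sample tree (fake data, not real records)."""
    root = tempfile.mkdtemp(prefix="pii_scan_")
    os.makedirs(os.path.join(root, "exports"))
    # A CSV export with two fake SSNs and one e-mail address.
    with open(os.path.join(root, "exports", "jurors_sample.csv"), "w") as fh:
        fh.write("name,ssn,email\n")
        fh.write("A Person,123-45-6789,a.person@example.org\n")
        fh.write("B Person,876-65-4321,\n")
    # A minimal hand-built .docx: one paragraph whose <w:t> run holds an SSN.
    doc_xml = (
        f'<w:document xmlns:w="{DOCX_NS[1:-1]}"><w:body><w:p><w:r>'
        f"<w:t>Juror record 555-12-3456 attached.</w:t></w:r></w:p></w:body></w:document>"
    )
    with zipfile.ZipFile(os.path.join(root, "memo.docx"), "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc_xml)
    # A clean file that must produce no findings.
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Nothing personal here. Ticket ref 12-34-5678.\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, hits in sorted(scan_tree(sample).items()):
        print(f"{path}: {hits}")
```

Run it against a real export directory or web root instead of the sample tree and schedule it, because a one-off inventory goes stale the moment the next report is exported. The skip-on-error branch matters in practice: a sweep that aborts on one corrupt archive silently leaves the rest of the share unreviewed.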

Businesses need to find all the GDPR-regulated personal data in their environments. Focusing only on data analytics platforms ignores a large portion of the GDPR compliance risk and heightens the chance of a data breach.

Do you know where all your sensitive data is right now?

September 11, 2017