Preparing for GDPR
As IT moves towards mobile and cloud-based services, data will get spread more widely across the organisation. This shift from central IT to more ‘edge computing’ represents a big challenge when it comes to protecting data and meeting the requirements of GDPR. Preparing for this shift can help ensure that everyone’s data is protected across the business. Here are four steps to take in meeting GDPR:
- Audit your existing disaster recovery (DR) strategy and map it against the requirements of GDPR. This process should reveal any existing gaps that have to be closed in order to become compliant. It is the starting point for the whole project of compliance around customer data, so it is important to know early which requirements will have to be met and where investment might be needed.
- Look at distributed data requirements, not just central storage. There are several ways to get more insight into how much data is stored away from the central systems. This could start with informal discussions between IT and groups of users about how they use and store data when they are outside the office; getting away from the department and touring the building can help open up those conversations. Following this, IT can conduct more formal data discovery sessions if they are required. The aim of these discussions is to increase the availability of data to users over time while making sure that it is adequately protected wherever it lives.
- Consolidate data storage where possible. One of the biggest challenges for compliance activities is to make sure that everything that should be included is in scope. Reducing the scope of data protection can therefore help hit the timescales for becoming compliant, as well as reducing the costs involved. Disaster recovery, backup and archiving services can all create multiple copies of files, each of which can contain customer data covered by GDPR. Reducing the overall number of copies of files can therefore make compliance easier; however, this should not come at the expense of the requirements of each individual use case (recovery, retention and so on). Migrating secondary storage over to public cloud platforms can assist in this deduplication of data while still allowing the data to be used for backup, recovery and archiving purposes. Note that copies held in a public cloud remain in scope: the provider is a processor acting on the organisation's behalf, so consolidation reduces the number of copies to govern, not the obligation to protect them.
- Take a more proactive approach to data compliance. Rather than trying to spot files that would be covered by GDPR after they have been created, look at using more automated approaches to discovering and tracking the use of data across the business. If IT can spot sensitive information as it is created, updated or altered across the organisation, then the appropriate steps can be put in place automatically. For example, a common type of sensitive data in the public sector would be a patient identifier. These identifiers follow a standard format; if data matching this format is created within a file, whether on a corporate PC or as part of a cloud application, the file can be flagged as containing sensitive data and the right backup and security rules put into action. A format match on its own will also catch look-alike numbers such as phone or reference numbers, so where the identifier carries a check digit the rule should validate it before flagging the file. For private companies, financial information would be the most common kind of data to protect, and similar rules can be created and enforced.
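As an added illustration (not tooling from the original article), the following Python scanner shows what such a format-based classifier looks like in practice. The rule formats are assumptions: the article only says a patient identifier "follows a standard format", so the UK NHS number (ten digits with a Modulus 11 check digit) stands in for it, and a Luhn-checked payment card number stands in for "financial information". The sample files, rule names and policy labels are constructed for the example. The check-digit validation is what keeps an ordinary ten-digit reference number from being flagged as a patient identifier.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Added example, not the article's own tooling. The identifier formats are
# assumptions: the NHS number stands in for "a patient identifier" and a
# Luhn-checked card number stands in for "financial information".


def nhs_number_valid(digits: str) -> bool:
    """Modulus 11 check digit as used by the NHS number (10 digits)."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    # Weights 10 down to 2 over the first nine digits.
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False  # no valid number can produce this remainder
    return check == int(digits[9])


def luhn_valid(digits: str) -> bool:
    """Luhn check as used by payment card numbers (13 to 19 digits)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern              # the "standard format" the article refers to
    validate: Callable[[str], bool]  # check digit: rejects look-alike numbers
    policy: str                      # hypothetical backup/security profile to apply


RULES: List[Rule] = [
    Rule("patient_identifier",
         re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
         nhs_number_valid, "clinical-restricted"),
    Rule("payment_card",
         re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
         luhn_valid, "pci-restricted"),
]


def classify(text: str) -> List[str]:
    """Return the names of the rules whose format AND check digit match."""
    hits = []
    for rule in RULES:
        for match in rule.pattern.finditer(text):
            digits = re.sub(r"[ -]", "", match.group(0))
            if rule.validate(digits):
                hits.append(rule.name)
                break  # one confirmed hit is enough to flag the file
    return hits


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file name to the sorted list of policies it should fall under."""
    result: Dict[str, List[str]] = {}
    for name, content in files.items():
        names = classify(content)
        result[name] = sorted({r.policy for r in RULES if r.name in names})
    return result


# Constructed sample files; the numbers are well-known test values, not real data.
SAMPLE_FILES = {
    "referral.txt": "Patient 943 476 5919 referred to the clinic on Monday.",
    "notes.txt": "Quote ref 123 456 7890 looks like an identifier but is not one.",
    "expenses.csv": "card,4111 1111 1111 1111,amount,12.00",
    "todo.txt": "Buy milk",
}

if __name__ == "__main__":
    for name, policies in scan(SAMPLE_FILES).items():
        print(f"{name}: {policies or 'no sensitive data found'}")
```

Running the block flags referral.txt under the clinical policy and expenses.csv under the card policy, while notes.txt is left alone even though it contains a ten-digit number in the right shape. In a real deployment the same `classify` call would sit behind a file-creation or synchronisation hook so that the policy is applied at the moment the data appears, which is the "as it is created" behaviour the article describes.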
This proactive approach to compliance should help companies ensure that GDPR requirements are met across the whole business, not just within central IT. It can also stop inadvertent user actions from breaking compliance processes.
A common example is individual users keeping their own copies of customer databases. Tracking specific data formats within user activity and then automatically applying the right data protection and security rules to whatever is found can help companies improve their compliance standing.