Story image

Managing the information paradox in the NDB/GDPR era

26 Jun 2018

Article by M-Files Australia and New Zealand alliance and partner director Nicholas Delaveris Recent legislation in Australia and overseas puts more stringent requirements around businesses collecting and retaining personal information.

The Australian government’s mandatory notifiable data breaches (NDB) scheme and Europe’s General Data Protection Regulation (GDPR) both demand that organisations protect individuals’ data and notify the appropriate authorities if a breach happens.

While GDPR is primarily a European law, it applies to any business that interacts with a citizen of the European Union, which means many Australian businesses will be affected.  This creates a paradox for businesses who both rely on information and need to protect that information.

Compliance with these new pieces of legislation demands that businesses have unprecedented visibility into the information they collect and store and that they be able to demonstrate how that data has been treated.  Businesses need to make information available at the right time on any device so employees can do their jobs.

But they also need to control that information and make sure no unauthorised person can access it.

These two goals have traditionally been somewhat incompatible.

To overcome this issue, businesses need a solution that helps manage compliance and audits, while making it simple for people with the right permissions to access the data they need.

Compliance is mostly about being able to demonstrate control.

It’s about being able to identify who has accessed information, whether they’ve edited or shared it, and when.

Flat file stores are hard to control and, as people leave and join the business, keeping track of access permissions and history gets tangled. Businesses, therefore, need to take a process-based approach to becoming compliant with NDB and GDPR legislation.

That means taking a step back and gaining an overarching view of data including where it resides and what policies apply to it.

Everyone in the organisation should understand how data needs to be managed and be able to comply with those requirements.

This should be an ongoing process.

Privacy-related legislation tends to include requirements around what personal data can be collected and retained and for what purposes, as well as how businesses must respond to requests for that information either from the individual whose information is stored or from third parties.  Businesses need to be able to react fast and appropriately when they receive requests for data.

They need to know what data can be shared and what data must never be shared.

If a person requests their own data, the business must be able to provide it immediately.

It’s not good enough to say they couldn’t find it or they assume it has been destroyed; they need to be able to prove it. 

Organisations need a solution that tags the data with information such as whether it contains personal details, how long it needs to be kept for, and why it needs to be kept.

If it shouldn’t be kept, the organisation needs to be able to demonstrate that the data has been destroyed.

If the organisation hasn’t destroyed the data, it needs to be able to demonstrate that it’s keeping the data for legal and legitimate reasons.  Managing this process manually is difficult, and businesses can look at automation to simplify these processes.

The cost of trying to maintain compliance without an appropriate, metadata-driven content management tool is prohibitively high.

Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.