The impact of the GDPR means that you will not only have to protect more types of data in the future, but also expend more effort identifying existing data that perhaps wasn’t considered PII before. Vecci says, “Before, even if you had PII from one of the EU states, what you had collected might not have been considered PII in that country. Now, all of a sudden starting in May, it is PII.”
GDPR-impacted companies will need to identify, to the best of their abilities, information that was not tracked or indexed before. For example, a recorded customer support call may need to be located, protected, tracked, and reported.
What are the new user rights for PII?
Where processing relies on consent, that consent must be documented and “opt-in,” given by each person (or their legal guardian). The consent must explicitly identify the data collected, what it is used for, and how long it will be kept. Further, participants can withdraw their consent at any time and request that their personal data be deleted (provided one of the grounds the regulation lists applies).
Under the GDPR, individuals may also control what happens with their PII. Besides requesting that it be deleted, they can have factual errors corrected, see what data of theirs is stored, and even export it for their own review and use. These rights are net new for most organizations.
Vecci sees most companies initially just trying to understand how big of a GDPR issue they have. They don’t know what they don’t know. They need to find out where the data is stored and whether it is covered by the GDPR. Then they have to protect it on a least-privilege basis and track it. “Luckily, my company Varonis has been doing exactly that since the beginning. We specialize in not only finding the data, but determining who has access to what, and whether they need access to the data. With other data protection regulations it was enough to keep the data safe from the outside. Now it has to be better secured on the inside, because Article 25 of the GDPR says the data has to be least-privilege protected by design and by default. And you can’t do that without first understanding where it is and who can access it.”
How does the GDPR affect the structure of security teams?
The GDPR defines multiple roles, each with its own rules and responsibilities. A data subject is an individual whose personal data is being collected. A data controller is the organization that collects the data and decides how it is used. A processor is an organization that processes the data on behalf of a controller. Controllers and processors must maintain written records of what data was collected, how it was collected, how it was used, and when it was disposed of.