In the 21st century, two forces have come to dominate our lives – the global economy and cyberspace. The number of Internet users in 2017 reached 3.9 billion people – more than half of the whole population on the planet. Obviously, that means nearly all companies have changed their business model and most of the services they provide are now online. At the same time, they’ve converted all customer personal data and financial information to electronic format. This shift made the data the most valuable and sensitive asset for the business – more than anything else.
As a result, the business risk matrix has changed. And now, considering new threats coming from cyberspace, all corporations should treat their information with more care and caution than ever before.
The time of the wild west is gone and no one is robbing the stagecoach anymore. Now, everything is happening quietly and imperceptibly, behind the curtains, in the Web. Criminals do not steal money. They are coming for information.
Therefore, to stay safe and to protect the business, companies need to review and revise their existing approach to governance of risk, security, and privacy of data. And it is not an insignificant or a quick process. Governance should be a comprehensive reorganization that will include review and approval of the top-level policies, roles and responsibilities, and annual budgets related to information security.
Currently, the situation is much worse than we would like and regretfully, much information that we trust and use throughout the corporation is totally under protected. Just have a look at this list of 2017 data breaches (the worst so far):
E-Sports Entertainment Association (ESEA), Xbox 360 ISO and PSP ISO, InterContinental Hotels Group (IHG), Yahoo!, Arby’s, River City Media, Verifone, Dun & Bradstreet, Saks Fifth Avenue, UNC Health Care, America’s JobLink, Deloitte, FAFSA: IRS Data Retrieval Tool, Chipotle, Sabre Hospitality Solutions, Gmail, Bronx Lebanon Hospital Center, Brooks Brothers, Washington State University, University of Oklahoma, DocuSign, OneLogin, Kmart, Deep Root Analytics, Verizon, Blue Cross Blue Shield / Anthem, California Association of Realtors, Online Spambot, TalentPen and TigerSwan, Equifax, U.S. Securities and Exchange Commission (SEC), SVR Tracking, Sonic, Whole Foods Market, Disqus, Hyatt Hotels
(source: https://www.identityforce.com/blog/2017-data-breaches).
These breaches do not look very good and they make me worry. But let’s be honest with ourselves: there is no chance to build an unbreakable system and provide 100% protection for our data. Any system can be hacked, but nevertheless, it is the responsibility of each company to understand what must be done in order to avoid what can be avoided, and prepare for what can be prepared for, as well as to oversee the implementation of such countermeasures.
Eventually, what we are striving for, is to give people back control over their personal data. And, to give them confidence that organizations will identify – and quickly fix – all data breaches, with minimal impact.
This is the main goal of the new European regulatory policy named the General Data Protection Regulation (GDPR). And to explain what the GDPR is and how it will help to protect our information, I’d like to use an analogy.
Let’s imagine that every data item (customer name, postal code, insurance number, or bank account number) is like one drop of water. And depending on the type of data, its criticality, quality, and other characteristics, these drops can have different colors, flavors, sizes, etc.
In this case, our source systems will look like water tanks and data integration flows will be like water pipes which will transfer water between them.
Let’s also assume that the company’s processes are like water taps or valves in different parts of the water pipes and they can do different things, like:
- Run a stream of water of different types through different pipes from/to different tanks or stop such streams
- Fill the tanks with the particular water type from external sources or drain the water
- Fill user containers with water from different tanks and with predefined colors and flavors etc.
No Data = No Water = No Life
And the challenge is how to maintain and protect our plumbing, from both inside and outside.
If you are reading this article, I can assume that you are familiar with data governance concepts; I will not dwell on this topic in great detail. Let’s just assume that our water is very clean and we know how much water we have, where we store it, where it comes from, and where it goes. Suppose we also know who took responsibility for the water and who will solve the problem with its quality if necessary.
So let’s talk about security aspect and how the GDPR will help to protect the water.
You may remember that our water can have different colors, flavors, and taste. So, like in the real world, this means that we need to treat different types of water in different ways. For example, the water with a whiskey taste needs better protection (it’s a more expensive liquid), it can’t be accessed by everyone (because of age restrictions) and whiskey can bring more value than orange juice (no need to explain why).
So, in our case, GDPR will be a set of rules and policies that intend to strengthen and unify water protection and its consuming processes, considering every particular type of water. To make my point clearer, I will share a number of common questions that GDPR is taking care of:
- What types of water do we have? All types of water need a category.
- What types of water are critical and require enhanced security levels?
- What water taps or valves (=processes) do we have, what is the main purpose or function of each of them, what do they do, who owns them, and who can use them?
- Which types of water do each particular water stream use? Which water taps or valves can impact these streams?
- What water belongs to customers or relates to them, where do you store it, and which streams can use it?
- What is the process of water sharing? And what water are we already sharing with people?
- What is the impact of a water leak or unauthorized access to each particular water type, water tank, or water tap? And what do we need to do in the case of an emergency?
- Which security controls do we have in place?
- When was each of the existing water taps last checked? You should revise them every three years at least
The list goes on.
I believe you will agree that these questions are quite obvious and very reasonable. And I also believe you will agree that companies need to raise these questions in order to protect their information, even if the GDPR regulation does not apply to them.
Have a look at our 5-minute quiz to get a feel for the key aspects that the GDPR addresses and whether (or not) they apply to your business.
The GDPR is not rocket science. It outlines very simple and concrete things that organizations need to do for proper data privacy. Yes, it will definitely take time to implement, and the first steps will be quite difficult and resource intensive. That is why Collibra released the Data Governance Accelerator for GDPR that will reduce your efforts on the first phases of the GDPR implementation and will speed up the process in general.
Before you go any further, make sure that the decision of whether or not to implement the GDPR – and who should do it – involves a cross-departmental group. Why? Because if it turns out that your organization must implement the GDPR but you do not do it before May 25, 2018, your company may be fined up to 2-4% of its global revenue.
But if you are ready to start the GDPR compliance journey but do not know where to start, here are a couple of useful links that will help you to begin:
- Read more about the GDPR, find links to Videos/Webinars, and download whitepapers, e-books, and data sheets
- Go to Collibra University to access the unique course for beginners “Introduction to GDPR with Collibra”
- Request a demo of Collibra Data Governance Center solution for the GDPR and to discuss best practices of the GDPR implementation
People can live without water 3 weeks. Can business last without data longer than that?
