Is GDPR-Regulated Data Hiding in Pockets of Your Organization?

Data breaches that compromise critical customer information are the worry that keeps IT people up at night. Unfortunately, what’s considered critical customer information and what you must do to safeguard it has changed dramatically, thanks to GDPR. IT stakeholders at American companies who’ve assumed GDPR does not apply to them may want to take a closer look at what the implications are for U.S.-based companies. GDPR-regulated data can be found in places you might not expect, and the tools you’ve been using to keep track of that data may not provide the visibility you need in case of a breach.

Where does GDPR apply?

First off, don’t assume that because you’re an American company doing business only in the U.S. you’re exempt. GDPR protects people who are in the E.U., regardless of citizenship, and it reaches any organization anywhere that offers goods or services to them or monitors their behavior (Article 3). So if someone in the E.U. stumbles across your website and sends a question through a contact form, and you store and act on that message, you can be on the hook for GDPR.

So where does the data regulated by GDPR live in your organization? The short answer: everywhere your customer data lives and travels within your organization. That doesn’t just mean your CRM system. Employees routinely download and use personal customer information on their endpoint devices, even when company regulations forbid it. You may or may not be surprised to learn that the C-suite is the worst offender at this.

The scope of what is considered “personal data” under GDPR is much broader than you might expect. Most companies already take steps to protect obviously sensitive information like credit card numbers or social security numbers. GDPR goes much further and could signal a sea change in data collection: personal data is any information relating to an identified or identifiable natural person, which includes names, email addresses, online identifiers such as IP addresses and cookie IDs, and anything that could be combined with other data to single someone out. (GDPR separately defines “special categories” of data, such as health or biometric data, that carry stricter rules; that is a narrower set than personal data, not a broader one.) So, if you’re capturing it, it’s worth protecting.

What does data encryption protect against?

Many IT directors hit the pillow every night with the misguided confidence that their data encryption will prevent any GDPR-related problems. Unfortunately, that’s not always the case.

Encryption is a useful tool when the compromise does not include the credentials or keys that unlock it: a powered-off laptop with full-disk encryption that is stolen from a car exposes ciphertext and nothing else, and GDPR recognizes this by not requiring you to notify the affected individuals when the data was rendered unintelligible to whoever took it (Article 34(3)(a)). But if data is compromised through stolen credentials, encryption doesn’t matter; the attacker logs in and the system decrypts everything for them. The same is true of a company-issued laptop stolen while unlocked, a common occurrence, and of malicious employee activity: employees with valid credentials who decide to exfiltrate data are reading plaintext, and encryption won’t do a thing to stop them.

What happens after a data breach?

Talk about sleepless nights for an IT director. For companies that experience a data breach, the hours and days after discovery are usually a mad scramble to assess what’s been compromised and by whom. The time and money spent to unravel the tangles of compromised data in an organization can add up fast. And GDPR doesn’t give you much time. Article 33 requires you to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach involving personal data, unless the breach is unlikely to result in a risk to the people affected; if you miss the 72 hours, the notification must explain why.

The problem for most companies is that they don’t really know where all their customer data is stored. A lot of it can end up on employee laptops and mobile devices. To truly protect their data assets, companies must have a firm understanding of where all their data travels and lives.

Data visibility

Being able to immediately and clearly locate customer data is critical to surviving a breach of GDPR-regulated data. A strong endpoint visibility tool can provide a quick understanding of all the data that has moved through an environment—and importantly for GDPR, whether that data contains personal information.

An endpoint visibility tool can also tell you with confidence when compromised data does not include personal information that would fall under GDPR. That would prevent you from unnecessarily alerting the supervisory authority. Keep the evidence either way: Article 33(5) requires you to document every personal data breach, including the ones you decide not to report, so the regulator can check your reasoning later.

Unfortunately, data breaches continue to happen, and there’s no sign of that abating any time soon. When the collection of consumer data is necessary, companies should consider it sensitive and use endpoint visibility tools to protect it.

Decoding the 72-Hour GDPR Doomsday Clock

The GDPR 72-hour reporting requirement has notable similarities to the insane ultra-marathons elite athletes run in the same time period. The 72-hour time limit requires companies to cover ground they’d typically take weeks or even months to traverse—kind of like running more than 300 miles in three days.

With data stored in unexpected places, that 72 hours can get eaten up quickly in trying to sort through where compromised data is stored. But with a robust endpoint visibility tool, which allows a response team to see the content of endpoint data clearly, the GDPR clock doesn’t have to spell doom.

What should you do if you discover a data breach?

Round up your response team. Depending on the size of your business, your data breach response team may include several dedicated personnel in addition to other key company stakeholders, or it may be a few individuals who do this along with their other duties.

Gather key information. Figure out what happened, what was the cause of the breach, and what type of data was compromised. This step is where companies that don’t have an endpoint visibility tool will see precious hours of their GDPR clock tick away as they try to determine what data was compromised. An endpoint visibility tool that provides clarity on the content of data will answer that question with confidence.
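To make the “what type of data was compromised” step concrete, here is an added example (not Code42’s tool or any code from the original article) of the kind of content check an endpoint visibility tool performs: it scans a set of files for indicators that GDPR treats as personal data (email addresses, IP addresses, phone numbers, payment card numbers) and reports which files need GDPR review. The sample files are constructed for the example; the detectors are regex heuristics with validation steps (an IPv4 parse, a digit-count check, a Luhn check) that cut the false positives a naive regex would raise on version strings and serial numbers. It deliberately does not try to detect names, which needs dictionaries or a trained model rather than a pattern.

```python
import ipaddress
import pathlib
import re
from collections import defaultdict

# Heuristic detectors for identifiers that are personal data under GDPR when they
# relate to an identifiable person. Names are deliberately not matched: there is
# no reliable regex for them, and this is where a real tool needs more than patterns.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PHONE_RE = re.compile(r"\+[\d ().-]{7,20}")          # international format only
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")     # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters serial numbers and IDs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict[str, list[str]]:
    """Return {category: [values]} for personal-data indicators found in text."""
    found: dict[str, list[str]] = defaultdict(list)
    found["email"].extend(EMAIL_RE.findall(text))
    for ip in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(ip)   # rejects "999.1.1.1"-style non-addresses
        except ValueError:
            continue
        found["ip"].append(ip)
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 8 <= len(digits) <= 15:      # E.164 numbers have at most 15 digits
            found["phone"].append("+" + digits)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"].append(digits)
    return {k: v for k, v in found.items() if v}


def inventory(files: dict[str, str]) -> dict[str, dict[str, list[str]]]:
    """Map each path holding personal-data indicators to what was found there."""
    return {path: hits for path, text in files.items() if (hits := scan_text(text))}


def affected_paths(files: dict[str, str]) -> list[str]:
    """The list an incident lead needs first: which files need GDPR review."""
    return sorted(inventory(files))


def scan_directory(root: str) -> dict[str, dict[str, list[str]]]:
    """Same inventory over real files under root (read as text, decoding errors ignored)."""
    files = {}
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file():
            files[str(p)] = p.read_text(encoding="utf-8", errors="ignore")
    return inventory(files)


# Constructed sample "endpoint" contents; all identifiers are documentation/test values.
SAMPLE_FILES = {
    "sales/pitch-prep.txt": (
        "Meeting notes before the Lisbon pitch\n"
        "Contact: Ana Pires <ana.pires@example.eu>, mobile +351 912 345 678\n"
        "She mentioned a trial was paid with card 4111 1111 1111 1111.\n"
    ),
    "ops/web-access.log": (
        "2024-05-01T12:00:00Z GET /pricing 200 client=203.0.113.42\n"
        "2024-05-01T12:00:07Z GET /contact 200 client=198.51.100.7\n"
        "2024-05-01T12:01:00Z GET /health  200 client=999.1.1.1\n"   # malformed, ignored
    ),
    "eng/README.md": "Build agent v2.10.0, licence serial 1234 5678 9012 3456 (not a card).\n",
    "eng/roadmap.md": "Q3: ship the new export format.\n",
}

if __name__ == "__main__":
    for path, hits in inventory(SAMPLE_FILES).items():
        print(path)
        for category, values in hits.items():
            print(f"  {category}: {values}")
```

On the sample data the sales notes and the web log are flagged (the log because client IP addresses are online identifiers), while the README’s version string and Luhn-invalid serial number and the roadmap produce nothing. In a real investigation the output of a scan like this is the input to the Article 33 risk assessment, not a substitute for it: a file full of IP addresses and one with card numbers carry very different risk to the people concerned.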

What if no personal information was compromised?

If, after using an endpoint visibility tool or another assessment process, you ascertain that no GDPR-regulated data was involved, breathe a sigh of relief. You don’t need to notify the supervisory authority. You should, however, record the breach and the reasoning behind that conclusion, because Article 33(5) requires you to document every personal data breach, and continue through your plan: clean up the data breach, close the holes that caused it, and notify any impacted customers.

What if GDPR-regulated data was affected?

Then the clock has been ticking since the moment you became aware of the breach, and you notify the supervisory authority. When you alert the regulators, it’s best to have all your ducks in a row. If you can tell the authority what happened, roughly how many people and records are involved, who to contact at your company, and your plan to remediate it, you will be better positioned to resolve the issues. Don’t hold the notification waiting for perfect information, though: Article 33(4) lets you provide details in phases as you learn them. An endpoint visibility tool will provide you with the information necessary to make reporting to the authority a much smoother step.

What happens after GDPR authorities are alerted?

You continue the process of cleaning up, plugging the holes, and notifying the consumers affected by the breach. GDPR does not attach a fixed deadline to that consumer notification: Article 34 requires it “without undue delay” when the breach is likely to result in a high risk to the people affected, and waives it where the data was protected in a way that makes it unintelligible to the attacker, such as encryption whose keys were not compromised.

A data breach is always fraught with uncertainties, which is part of why companies typically take a long time to sort through the details and make public statements. With GDPR, companies no longer have the luxury of time, so it’s important to remove as much uncertainty as possible from the situation, to gain clarity quickly. An endpoint visibility tool can help speed up the process and provide confidence in a company’s findings after a breach.

There’s no way around it: the aftermath of a data breach with GDPR-regulated data will feel like a marathon. Having an endpoint visibility tool in place before the breach happens is like cutting that 300 miles down to a much more manageable 26.2 miles. It’s still a race you need to prepare for, but it’s a far more sane and feasible experience.

Code42 GDPR Compliance

Data Visibility Is the Key to GDPR Compliance

When we were young, most of us held the belief that what we couldn’t see couldn’t hurt us. We huddled in bed with the covers over our heads so we couldn’t see the monsters in the darkness, and somehow limiting our vision this way helped us feel safe.

As adults, we understand that ignorance isn’t protection, and being unaware of what’s out there doesn’t keep us safer. And yet, too many IT organizations can’t tell you what data lives on their employees’ devices. “Well, that doesn’t matter,” some IT leaders will say. “All of the valuable data in our company is on the network.”

Not true.

Code42’s CTRL-Z study showed that over 60 percent of corporate data is stored on user endpoints. With the enactment of the General Data Protection Regulation (GDPR) drawing closer every day, turning a blind eye to the data on your employee endpoints could have disastrous results. To protect company assets and meet GDPR compliance standards, organizations need to have a firm understanding of where personal customer data is stored and how it moves through their system. In other words, IT teams need to be able to see where all of their data is created, stored and shared.

GDPR is concerned with the processing and movement of customer personal data, which the regulation defines broadly as any information relating to an identified or identifiable natural person. It’s true that your average employee may not have customer social security numbers on their laptop, but personal data can be anything that might identify an individual, down to phone call metadata. The test is whether someone could reasonably identify the person from that data, alone or combined with other information (Recital 26); if they could, the data is in scope and needs protecting, even if it looks far less sensitive than a credit card number. And like it or not, this type of data does leave your corporate firewalls. Employees take their work home with them all the time; think about the sales rep who brings home background info on a customer to prepare for a big sales pitch.

Your leadership team does this as well. In fact, according to the CTRL-Z report, C-suite executives are the most likely to violate company data security policies. These policies are crucial, but they can’t overcome human nature. You need a data visibility tool to track data no matter where it moves, so if you do get breached, you can account for what information was impacted–and where and how.

Without that kind of data visibility, staying in compliance with GDPR will be a challenge. Under Article 33, companies have, where feasible, 72 hours from becoming aware of a breach to report it to the supervisory authority. But if you don’t know where your data lives, you have no way to gauge the impact of a breach. In the event that data is compromised, knowing exactly what has been exposed will make interactions with the regulatory agency much smoother.

It might be tempting to pull a blanket over your head, ignore the data that lives on employee endpoints, and hope for the best. That may have kept you safe from the monster under the bed, but it won’t keep you safe from potential fines for GDPR non-compliance: up to €20 million or four percent of worldwide annual turnover, whichever is greater. It’s time to recognize that data protection starts with data visibility.
