Is GDPR-regulated data lurking in unexpected pockets of your organization?

GDPR-regulated dataA recent study showed that over 60 percent of corporate data is stored on employee endpoints. And yet, as companies work to ensure compliance with the new General Data Protection Regulation (GDPR), they still may be overlooking a few key areas.

The GDPR globally impacts the processing of all personal data on EU residents and takes effect on May 25, 2018. The challenge is personal data doesn’t just live in your customer relationship management (CRM) system, it also exists in a more unstructured way on your company’s endpoints.

To protect company assets and meet GDPR compliance standards, organizations need to have a firm understanding of where personal data resides, including where it is created, used and stored. Failure to adequately secure user endpoints could mean major fines as well as damage to customer relationships and brand reputation.

Protect endpoint data

To secure potentially vulnerable endpoints, companies need to conduct a detailed impact assessment of their data systems. An important initial step in this assessment is defining what constitutes personal data. Because the definition can vary based on context and from country to country, your company should work with its legal counsel to gain clarity. For companies in the U.S. with customers or prospects in the EU, this likely means adopting the stricter European standard.

Next, it’s crucial that organizations get a good understanding of where personal data lives in their ecosystems and the areas it traverses, in both structured and unstructured ways. Employees want to work in the most efficient manner possible, which means they don’t always follow corporate IT policy when it gets in the way. Doing so isn’t necessarily malicious.

Imagine the implementation consultant who takes client information home to work on an issue after hours, or the sales rep who brings prospect data on the road in order to craft a customized pitch. Company leadership certainly does this as well – according to the CTRL-Z report, C-suite executives are the most likely to violate company data security policies. So, while a strict internal data policy is important, you also need the tools in place to account for human behavior and gain visibility to data as it moves in and out of traditional security perimeters.

Regardless of where your organization’s personal data resides – whether it’s on an endpoint or in a cloud application – under GDPR, if you get breached or ransomed, you have to be able to account for it. The more quickly and easily you can identify the scope of an incident, the faster you can begin to remedy the situation. Thankfully, there are software solutions available that can help companies assess their exposure by quickly identifying where files exist and what information is contained within them. By implementing endpoint data protection and visibility solutions, organizations can be well-positioned to investigate incidents and begin the recovery process.

Encryption is not enough

Encryption is another important data protection tool available to companies. But based on the requirements of GDPR, it’s still not enough to fully safeguard your company’s data assets. According to industry research, nearly 70 percent of data loss incidents originate on the endpoint.

Imagine scenarios in which credentials are taken or an employee acts maliciously with the intent to damage the company. In these cases, encryption wouldn’t be enough to stop the possible distribution of vital company data. Any data that users can access is potentially at risk. That’s why companies need software solutions that can monitor user endpoints, provide visibility to data movement and interactions, and alert personnel to suspicious activity.

Reporting an incident

Having a complete picture of your data ecosystem – where personal data lives and travels across an organization – is essential to not only safeguarding it, but also successfully reporting on it in the event of a breach. According to the new GDPR rules, companies must report an incident within 72 hours of detection. If you are uncertain where your data lives, however, there is no way to determine the magnitude of your exposure. In the event that data is compromised, knowing exactly what data is exposed and showing sufficient control over it will make interactions with the regulatory authority much smoother.

On the other hand, a breach may not have resulted in any personal data exposure at all. If you do not have a complete inventory of and visibility over your data, you could be filing unnecessary reports and risking consumer confidence without any real cause for alarm. Announcing to customers that you are unsure if personal data was exposed is nearly as bad as confirming its loss. After all, who wants to do business with a company that can’t be sure where personal data is stored?

Culture change required

Until now, many organizations haven’t thought about their entire data ecosystem as an asset that needs to be inventoried and managed in the same way as physical assets or regulated consumer data like protected health information or credit cardholder data. Under GDPR, that perspective will have to change. Companies need to expand the scope of what they consider to be personal data. Data should be treated as an asset, and companies need to take that seriously. Anything less could leave them vulnerable to outside attacks, regulatory infractions and reputational damage.

It’s an unfortunate reality that we can’t prevent all data breaches or data loss; and since complete prevention is impossible, companies need to be prepared to detect data breaches and respond quickly and effectively. Organizations need policies in place that govern internal data access and ultimately the capability to respond and investigate quickly during a data breach. With continuous data protection, visibility, recovery and oversight, companies can mitigate their risks and feel confident they are meeting GDPR standards while building trust with their consumers.