On 28th May 2018, the European Union (EU) General Data Protection Regulation (GDPR) will come into force with harsh fines and onerous implications. The primary goal of GDPR is to harmonize the protection of personal data across all EU member states. It will have an impact in the EU and around the world, affecting any organization that handles the personal data of EU residents. Don’t let that seemingly distant date delay you from starting to prepare.
The level of risk associated with the GDPR has driven the topic of data protection from the IT department to the boardroom as many companies reassess their processes and procedures to ensure compliance. As data flows without boundaries, data identification and classification become essential for identifying personal information in order to automatically trigger corporate policies and regulations. Compliance with GDPR is a burning business issue that requires immediate action. Customer data will be found not only in a structured database, but in reports, spreadsheets, and other unstructured files. Keeping track and making sure this information can be found must now be a priority as under GDPR customers can request to see all the data held on them and demand its deletion if keeping it cannot be justified.
Organizations based in non-EU member states that do business in the EU are likely facing a bigger challenge to ensure compliance, as regions outside the EU tend to have much less stringent privacy laws. For these organizations it is critical to know what data exists, where it is held, and what policies are in place to control how it is treated. Data classification provides a huge leap forward towards achieving compliance, as it helps to ensure that privacy is built directly into the everyday workflow, thus reducing the risk of data loss and exposure to fines under the new regulation. While automated classification is ideal in many circumstances, user-driven classification helps encourage a framework for accountability, as the user is asked to stop, think, and consider the sensitivity of the information they are handling. By attaching a sensitivity classification, the data itself is now able to indicate to users and to the data security ecosystem how it should be handled to prevent security breaches.
A key tenet of GDPR is that personal data can only be stored for a reasonable duration. What is reasonable will depend upon your business and the purpose of the data collection, but it does mean that you need to put a retention strategy in place. In particular, data outside a database will require retention management or defensible deletion strategies before it goes from asset to liability. Data classification allows a deletion date to be applied to a file at the point of creation.
TITUS has built solutions with our ecosystem partners in cloud data security and encryption to help ensure EU GDPR compliance. In the run-up to implementation, TITUS has presented alongside our partners Netskope and Okta in Amsterdam, Stockholm and London on EU GDPR readiness. TITUS is also extending its capabilities with Voltage and Ionic to enable additional data protection functionality.
TITUS classification is the foundation of any data security strategy, as the classification attributed to an individual file or email drives the protection that is applied to it. Preventing data from getting into the public domain reduces the risk of identity theft. A breach could leave the organization liable to compensation claims and severe fines of up to 4% of global revenue.
Let the implementation of TITUS Classification Suite take the guesswork out of your document controls and make sure you are well on the way to being ready for the GDPR “go live” in 2018.