Do you feel queasy? Bloated? Overweight? We are not talking about your diet during the coronavirus lockdown, but about the amount of data on your servers.
For years, you have accumulated huge amounts of information about your customers and partners, which is now overflowing and threatens to drown you.
We have always viewed data as a key to success and competitive advantage. The more data you accumulate, the better off you are (or so it seemed). But on its own, data is useless. It needs sophisticated analytical tools to transform it into useful information that can really benefit your business.
New regulations, such as the General Data Protection Regulation (GDPR), require organizations to collect and store only data deemed necessary (Article 25).
As a result, it is not surprising that even as the second anniversary of the entry into force of the GDPR approaches, many businesses are still unable to meet the requirements of data subject access requests (DSARs).
Also known as "GDPR requests", these procedures require companies to demonstrate a clear policy regarding the deletion of personal data.
In short, these organizations' gluttony for data puts them at risk in general.
Most senior managers believe that it is almost impossible to identify old data, who owns it, and what it contains.
This exposes companies to great security risks.
Hackers are constantly looking for ways to access corporate data. The more data a company holds, spread across a multitude of different places, the more attack vectors attackers have.
Large volumes of useless or outdated data increase an organization's attack surface, because hackers are not picky about the type of data they steal.
Businesses are less likely to have good visibility into, or access control over, legacy data, which means it may take IT teams much longer to identify vulnerabilities or non-compliant data management.
Failure to comply with the GDPR can also have serious financial consequences. The European Union can impose huge fines on companies in flagrant violation.
A fine of more than 14 million euros was recently imposed on a German company for breach of the principle of Privacy by Design. It is the largest fine in the history of Germany, where data protection policies are particularly strict.
The company was using an archiving system that was unable to remove redundant or outdated data that was no longer needed.
Most IT teams are overwhelmed and focused on priorities other than data security or data governance.
They have a limited ability to effectively enforce directives, so many of them rely on end-users to properly manage their data.
But in reality, most users do not bother to sort or manage their information and often keep documents or data "just in case" they are useful at a later date. This problem is further exacerbated when an employee changes jobs and no one manages their data anymore.
Consequently, when there is a GDPR request, the company responds with old data, hoping that the unstructured files have never been the subject of an intrusion. This is not a satisfactory approach to managing data on partners and customers.
Compliance and good practices
Most companies would like to improve the quality of their data consumption, both to adopt better management practices and to improve their compliance with regulations.
However, it is a long way from theory to practice.
How do you know who owns the data? When was this data last accessed? What information is contained in the files in question? Do they contain “nuggets” of information that can be useful to the business?
Many issues related to access and ownership of corporate data today revolve around personal identifiers and digital profiles.
One approach to consider is an identity-centric security model.
This model can be crucial in defining how an organization collects data, the types of data it collects, and the retention period of that data.
The company must also establish controls to allow IT teams to verify that the new security policy has been properly implemented.
It is essential to have tools that support this approach. An organization must have the ability to automatically and accurately identify different types of data, especially personally identifiable or sensitive data and any copies of it, and to manage or delete them in accordance with the requirements of the security policy.
Having an identity-based solution to manage data stored in applications and files or folders is of paramount importance, especially with the second anniversary of the GDPR.
It is only with a comprehensive identity-based approach that an organization will be able to establish what data is stored in files and folders, who accesses those files, what use is made of them, who the legitimate owner of that data is, and when someone last accessed it.
This increased visibility and traceability means that access requests can be controlled for ALL data within an organization, whether structured or unstructured.
With the traceability obtained, this task can be completed in less than 20 minutes, guaranteeing full compliance with the GDPR.
An effective identity-based approach to managing data is no longer the preserve of large corporations alone.
With this excess of data, much of which is either old, useless or duplicated, organizations should be aware that they are already in breach of regulations.
The more heavily companies invest in data storage systems, the more exposed they are to the risk of intrusion and, potentially, a large fine.
For many companies, it is time to reduce the amount of data stored, destroy all excess documents and commit to better governance of their information.
With the second anniversary of the GDPR, all organizations, from SMEs to multinational companies, need to adopt a complete and in-depth approach to managing ALL their data, whether or not it is personally identifiable.