However, ever-growing data volumes mean that many enterprises could struggle with one of the key requirements underpinning compliance with the EU DPR: that is, knowing exactly where their sensitive data is located. What are the reasons behind the data explosion and how can organisations curb the sprawl of data in preparation for compliance?
Reining in Data sprawl
You can only place adequate security and protection measures around sensitive data if you know exactly where it is; however, for many businesses, locating this data can be an onerous process. The reason is down to a combination of factors:it’s a result of both the explosion in data generated by organisations on a daily basis and the proliferation of inexpensive data storage options. Let’s consider for a moment the amount of data generated on a daily basis: according to IBM, we create around 2.5 quintillion bytes of data – every single day – and according to the technology giant, approximately 90% of all the data ever created has been produced in the last two years. Picture this: if all the data generated in a day is stored on standard DVDs and stacked up, it would reach the moon in 640 separate stacks. Most organisations won’t necessarily rely on DVD to store important data, however, there are a number of inexpensive data storage options available today and so it has becomeeasier for organisations to accumulate more data either on-site, in their own remote data centres, or with cloud data storage providers. Unfortunately, it also means that IT departments are increasingly struggling to get a handle on the location of data.
The Human Factor
Data sprawl is also a symptom of today’s always-on, always connected working world – and our need to access information, anytime and anywhere. In most organisations, data moves freely and is constantly updated, changed and moved. The ease with which data can be shared is both an advantage as it saves time and costs, but unfortunately in light of the EU DPR, it could also be its Achilles heel.
It means that organisations are faced with the challenging task of identifying the location of data as it travels the globe. Human natures also comes into play here; a document containing sensitive data may have been cut and pasted from a document and sent in an email or saved on a mobile device because it was perhaps convenient to do so at the time. This creates a significant challenge in protecting and precisely tracking the movement of data.
Data sprawl, the growth in data storage and human behaviour are all factors that can influence the ability of an organisation to accurately locate and secure vital information. Taking control is not an impossible task, but it is a complex one.
Steps to be taken to comply with the EU DPR
In order to be compliant, organisations should start by:
1.Defining types of data:
Organisations must be able to distinguish between, for example, Personally Identifiable Information (PII) or Payment Card Industry (PCI) data. This is crucial, as not only do different types of data need different levels of security controls, but it’s also important to classify data correctly so that its movement across the corporate network can be managed.
Once data has been classified correctly, the next step would be to track where data is stored. This could seem like a challenging task, as the data sprawl and various storage options available today may add many layers of complexity. It is crucial to carry out regular searches across the entire enterprise, using e-discovery tools, in order to create a map of where sensitive data resides. This would enable organisations to remove data that is found on unauthorised devices.
3.Defining policies on who has access to data:
Organisations must be able to determine the policies of who has access to what data, based on their roles and responsibilities within the organisation. For example, data held by a business of a financial nature, is likely to be accessible to various members of the C-Suite. However, this may need to be reviewed: in order to protect this data it is essential that not only the right level of access is granted to the right people, but also that the flow of data is restricted and controlled within the boundaries of the regulations.
Each of these steps should be taken carefully to ensure that it is done to the highest levels of security and control. This will allow for the business to gain a deeper understanding of the spread of data.
While the EU DPR is placing pressure on the business to perform to exacting standards, it is also providing an opportunity to implement the right levels of control and for organisations to be more aware of how its data is shared and managed. It is protecting the organisation from potentially embarrassing, and costly, mistakes in the future.