When it comes to the General Data Protection Regulation (GDPR) and its implications for data security, there is a lot to consider. Significant emphasis has been placed on the penalties for non-compliance and the new rules companies must follow in the event of a data breach. While this is understandable, at its heart the GDPR is about understanding your data and designing your approach to security around it. In this sense, the GDPR presents an opportunity for forward-thinking chief security officers and their teams.
For many companies the regulation requires a shift in mindset and a sharper focus on data security. For security teams, though, it largely codifies the way they already think and work.
In a previous blog post, we outlined why companies need to understand their data when they think about GDPR compliance. Organizations must know the what, where, and who of their data assets, alongside the security measures they already have in place to protect them.
That understanding is not just essential to help mitigate the risk of a breach or a fine. It will enable companies to truly adopt the “privacy by design” principle enshrined in the GDPR.
Security teams have traditionally taken a system-centric view of risk, focused on tools such as firewalls, intrusion detection systems, and anti-virus that protect corporate servers. The GDPR pushes toward a different approach, one that starts from the full lifecycle of users' data: where it lives, how and when personal information from customers is stored and processed, how it flows between processors, and how it is ultimately destroyed.
Thanks to the GDPR, data security is now a major focus at the highest levels of companies of all types and sizes. But understanding and protecting company and user data has always been the top priority for security teams—it’s at the heart of what they do.
One of the ways security teams protect the data their company holds is by building permission frameworks around that data, so that the right people have the appropriate level of access to it at the right time.
To do this, they need an in-depth understanding of the data they hold and its cradle-to-grave lifecycle.
They also need to track data so they know where it flows and who touches it. Only through deep telemetry can companies monitor, log, and audit data to the standards required by the GDPR—so building that telemetry will be a key part of preparing for the GDPR. That capability will need to be extended to third-party suppliers to ensure data processing is tracked through the whole lifecycle. Companies with a deep and consistent insight into their data flows will be in a strong position to detect breaches early and respond effectively.
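As an added example (not code from the original post or from Dropbox), the following Python sketches the data-centric model the last three paragraphs describe: each record carries a classification, the purposes it was collected for and a retention period; access is decided per request by role, classification and purpose rather than by which server holds the data; every decision, transfer to a third-party processor and deletion is written to an audit trail; and records past their retention period are destroyed. The roles, purposes, processor names and sample records are constructed for illustration.

```python
"""Added example: a minimal data-centric access model with an audit trail.
Roles, purposes, processors and sample records are hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    record_id: str
    subject: str            # the person the data is about
    classification: str     # "personal", "sensitive" or "internal"
    purposes: frozenset     # purposes the data was collected for
    collected: date
    retention_days: int
    payload: dict

    def expired(self, today):
        return today > self.collected + timedelta(days=self.retention_days)


# Hypothetical policy: (role, classification) -> purposes the role may use it for.
POLICY = {
    ("support", "personal"): {"customer-support"},
    ("billing", "personal"): {"billing"},
    ("security", "personal"): {"incident-response"},
    ("security", "sensitive"): {"incident-response"},
    ("analyst", "internal"): {"analytics"},
}

# Hypothetical processors under contract, and the purposes they may receive data for.
PROCESSORS = {
    "payments-provider": {"billing"},
    "email-provider": {"customer-support"},
}


class DataStore:
    def __init__(self, today):
        self.today = today
        self.records = {}
        self.audit = []       # one entry per decision, allowed or denied

    def _log(self, event, actor, rec, allowed, **extra):
        record_id = extra.pop("record_id", None)
        entry = {"event": event, "actor": actor, "allowed": allowed,
                 "record_id": rec.record_id if rec else record_id,
                 "subject": rec.subject if rec else None,
                 "classification": rec.classification if rec else None}
        entry.update(extra)
        self.audit.append(entry)

    def add(self, rec):
        self.records[rec.record_id] = rec
        self._log("store", "system", rec, True)

    def access(self, actor, role, record_id, purpose):
        """Return the payload if role and purpose are allowed for this record, else None."""
        rec = self.records.get(record_id)
        if rec is None:
            self._log("access", actor, None, False, record_id=record_id, purpose=purpose)
            return None
        # The role must be cleared for this classification AND the stated purpose
        # must be one the data was collected for (purpose limitation).
        role_ok = purpose in POLICY.get((role, rec.classification), set())
        allowed = role_ok and purpose in rec.purposes
        self._log("access", actor, rec, allowed, role=role, purpose=purpose)
        return rec.payload if allowed else None

    def transfer(self, actor, record_id, processor, purpose):
        """Record a flow to a third-party processor; refuse unknown or off-purpose ones."""
        rec = self.records.get(record_id)
        allowed = (rec is not None and purpose in PROCESSORS.get(processor, set())
                   and purpose in rec.purposes)
        self._log("transfer", actor, rec, allowed, record_id=record_id,
                  processor=processor, purpose=purpose)
        return allowed

    def purge_expired(self):
        """Destroy records past their retention period and return their ids."""
        gone = [r for r in self.records.values() if r.expired(self.today)]
        for rec in gone:
            del self.records[rec.record_id]
            self._log("destroy", "retention-job", rec, True)
        return [r.record_id for r in gone]

    def flows_for(self, subject):
        """Who touched this subject's data and where it went: the telemetry view."""
        return [(e["event"], e["actor"], e.get("processor") or e.get("role"), e["allowed"])
                for e in self.audit if e["subject"] == subject]


def demo():
    store = DataStore(today=date(2018, 5, 25))          # constructed sample data
    store.add(Record("r1", "alice", "personal", frozenset({"customer-support", "billing"}),
                     date(2018, 1, 10), 365, {"email": "alice@example.com"}))
    store.add(Record("r2", "bob", "sensitive", frozenset({"incident-response"}),
                     date(2017, 1, 1), 365, {"ip": "203.0.113.7"}))
    results = {
        "support_read": store.access("carol", "support", "r1", "customer-support"),
        "support_analytics": store.access("carol", "support", "r1", "analytics"),
        "transfer_ok": store.transfer("carol", "r1", "payments-provider", "billing"),
        "transfer_bad": store.transfer("carol", "r1", "unknown-saas", "billing"),
        "purged": store.purge_expired(),                 # r2 is past retention
    }
    results["alice_flows"] = store.flows_for("alice")
    results["audit_len"] = len(store.audit)
    return results, store


if __name__ == "__main__":
    for key, value in demo()[0].items():
        print(key, "->", value)
```

The denied requests are logged just like the allowed ones, which is what makes the audit trail useful for breach detection: an unexpected transfer attempt to an unknown processor, or a role repeatedly asking for data outside its purpose, shows up in `flows_for` for the affected subject.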
The GDPR and its principle of privacy by design affirm the approach many security teams are already taking. It is a chance not only to drive investment in security but for the wider security community to reframe the conversation away from system-level security toward data-driven security. And for companies, it is an incentive to deepen and extend their understanding of the data they hold and to start designing their security controls around that data.
For more steps you should consider to help prepare for the GDPR, and for information on how Dropbox can help you protect and control your data, please click here.