Post written by the Program Director for Analytics Hybrid Cloud Thought Leadership and Data Privacy Officer at IBM, Executive Director of the CGOC think tank.
Most discussions regarding the EU’s impending General Data Protection Regulation (GDPR) — scheduled for implementation in May 2018 — focus squarely on consent management (i.e., making sure organizations have permission to use the data they are collecting and processing). This focus certainly makes sense. Consent management is critical to organizations’ abilities to continue doing business as usual in the face of the new regulation. However, as data collection and processing continue to soar — and there are no signs the consent requirement will slow data growth — organizations are increasingly challenged to secure the data they process, as required by Article 32 of the regulation.
Most organizations interpret Article 32 as a requirement to encrypt personal data, but the challenge is actually much broader, requiring a strong information governance (IG) foundation that enables organizations to identify where personal data exists and the risks associated with it.
GDPR Processing Security Requirements
While pseudonymization and encryption of personal data are priorities under Article 32, the article actually requires “measures to ensure a level of security appropriate to the risk.” This means organizations must be able to assess the risk associated with different types of data in different data stores. Further, even if a company chooses to encrypt all data, Article 32 requires the company to ensure the availability and resilience of processing systems and to be able to quickly restore availability and access to personal data should these be lost.
Beyond these risk assessments and measures, secure processing includes preventing accidental or unlawful destruction or loss, which can occur whether or not the data is encrypted, as well as preventing unauthorized alteration, access or disclosure, which can certainly occur to encrypted data if the wrong people or organizations (such as a supply chain partner) have access to the encryption key.
So satisfying Article 32’s requirements to secure processing (not to mention Article 5’s retention limitations on personal data and Article 17’s right to have personal data erased) requires a comprehensive understanding of what information assets exist, their value and location and who has access to them.
This is the function of the next generation of information governance, known as unified governance (UG). The overarching principles of a UG program include:
• Policy management across the entire enterprise: There can be no information stores sitting beyond the domain of the master data map.
Original article source: https://www.forbes.com/sites/forbestechcouncil/2017/12/06/if-gdpr-compliance-doesnt-start-with-information-governance-youll-probably-fail/