The EU's GDPR is a big change from how many businesses and organizations have approached data protection in the past, from how responsive the security teams have to be, to how clear and quickly they are able to tell where personal data is located. The biggest issue is the personal data, this is where the trouble comes in.
With the May 25th deadline fast approaching, it is very likely that organizations still have vast amounts of personal identifiable information (PII). This can be cookie data to device identifiers to IP addresses. This can be on premises and in the cloud. So if the biggest issue is personal data, how do you define personal data?
Under article 4, personal data means “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
With this in mind, the GDPR has introduced new concepts such as access requests (SARs), the right to be forgotten/right to deletion, and data portability, EU citizens now have a right to know what data is collected on them and that’s a concern for businesses when PII can be everywhere from email and social platforms to HR, HCM, and CRM systems.
In order to move forward there needs to be priorities. First setting up a proccess to manaage project risk and implement 'secure by design'. Second figure out which personal data you own, and runa discovery proccess of a core of key controls. Once this is figured out, you will be able to be successful and not find yourself receiving a large fine.
Read more information on this matter and some more tips here.
Data portability was in the top two of the most difficult obligations in the GDPR to comply with, yet we have made it easy. Read here how: www.idlink.eu