When data can be anywhere - maintaining data privacy and planning EU GDPR compliance in a mobile-first world
The announcement of the European Union’s General Data Protection Regulation has meant that companies of all sizes should be starting to think about their data privacy and data protection obligations. The new rules will provide a uniform framework for companies that hold and manage customer data. However, while the rules that are being put in place should help every organization to act as if they are on a level playing field, the challenge will be making sure that this approach makes it through to the real world.
This real world environment is increasingly becoming “mobile first” as people work outside the office across more devices. Rather than being tied to the “beige boxes” that traditionally powered enterprises, people have much more flexibility in how they make use of IT assets. This freedom does have its drawbacks, though. Increasingly, IT teams are being cut out of procurement decisions as line of business departments buy their own kit and Cloud services; users can also enable themselves to run their applications on their own devices as well.
This problem has hit the music and other content industries as downloading MP3s moved from being the province of those with technical knowledge and awareness of where to search for files through to being something that anyone could do using paid-for and legal services. Now, the growth of streaming services has meant that there is even less of a footprint for data on devices.
What does this have to do with Enterprise IT and data privacy? Well, it illustrates something originally termed the “Smart Cow Problem” - it only takes one smart user to unlock the gate and everyone else will follow. Just as physical media was replaced by downloads, so enterprise IT users can now make and consume their own data sets using their choice of applications without being aware of the impact.
The risk here is that there is a distinct lack of safeguards around the data. While users are smart, they may not know or care enough about the necessary encryption and data protection steps that are being put in place by IT for the needs of the business. The likelihood of these users recognizing that their activities could breach data privacy requirements is even lower.
The response from IT here also has to mirror the latter days of the music industry, rather than the beginning. Rather than trying to lock down services and prevent users from working in ways that suit them, the approach has to be based on making the user experience seamless and smarter. In music, the rise of iTunes for legal music purchases led the way, while new streaming services that make huge catalogues of songs available on-demand have started to grow rapidly. Meeting a user need in a smarter way led to greater potential revenues for music and content businesses where people were happy to pay.
In the same way, data privacy and control can be put back in place through smarter use of automation, so that the user experience is better compared to any workarounds that individuals might put in place. This proactive approach to data protection, privacy and compliance can ensure that both central IT and end-users benefit.
For example, tracking the use of personally identifiable information (PII) should be a key part of ensuring that customer data is protected and secure. However, any time a new file is created, that PII could be re-used and added to. Couple this with files being created and stored on mobile devices without oversight by IT, and this could lead to a breach in customer data protection rules.
Instead, tracking the creation of new files and automatically scanning them for PII can help ensure that the IT team knows what is being created. These files can then be automatically added to data protection processes so that they are copied and sent back to the central IT repository, whether this is on the company’s own IT infrastructure or on a secure public Cloud instance. By tracking the creation of new PII records by employees in the background, and then ensuring that the right security and data protection processes are in place, IT can ensure that the company is meeting its compliance requirements in a proactive manner.
At the same time, this user experience is far better than one that either locks down IT services to only run on central IT devices, or relies on manual intervention to remain compliant. This approach ensures that employees can carry on working in flexible ways while also keeping data secure and protected.
Now, there are more in-depth considerations around how people create data. For example, companies with operations in multiple countries will have to track the creation of data on mobile endpoints in different ways to ensure that data protection regulations are met.
As an example, employees in Germany will have to be treated very differently to those in the UK or outside the EU. For German employees, any personal data on a laptop or phone that an employee creates on their device should be left alone, while company data and files that use PII on behalf of the organization can and should be protected.
This level of data privacy means that there is a fine line to be considered on how data from these mobile devices is protected. Understanding these local nuances and requirements is important to ensure compliance with privacy regulations, both for the protection of customer data and for the privacy of employees as well.
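The background scanning described above (new files on an endpoint checked for PII and routed into data protection) combined with the per-country rule that a German employee's personal files are left alone, as an added illustration that is not Druva's code or part of the original article. The PII detectors (e-mail addresses and Luhn-valid card numbers), the personal-folder paths and the sample file contents are all constructed assumptions.

```python
import re

# Constructed detectors: two common PII indicators chosen for illustration.
# A production scanner would carry many more patterns and validators.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs (order numbers) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count PII indicators in one file's text."""
    emails = EMAIL_RE.findall(text)
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    return {"emails": len(emails), "cards": len(cards)}


# Hypothetical per-country policy: folders the agent must not scan or copy.
# For German employees the article says personal data on the device stays untouched.
PERSONAL_PATHS = {"DE": ("/home/user/Personal/", "/home/user/Private/")}


def classify(path: str, text: str, country: str) -> str:
    """Decide what the (hypothetical) endpoint agent does with a newly created file."""
    if any(path.startswith(p) for p in PERSONAL_PATHS.get(country, ())):
        return "skip-personal"                     # employee privacy: leave alone
    hits = find_pii(text)
    if hits["emails"] or hits["cards"]:
        return "protect"                           # track it and copy to the central repository
    return "ignore"


# Constructed sample files standing in for what a laptop agent would see.
SAMPLE_FILES = {
    "/home/user/Personal/notes.txt": "reach me at alice@example.com",
    "/home/user/Work/customers.csv": "bob@example.org,4111 1111 1111 1111",
    "/home/user/Work/todo.txt": "order 1234 5678 9012 3456 parts by Friday",
}


def scan_endpoint(files: dict, country: str) -> dict:
    """Map each new file path to the action the agent takes for an employee in `country`."""
    return {path: classify(path, text, country) for path, text in files.items()}
```

Running scan_endpoint(SAMPLE_FILES, "DE") leaves the personal note alone and protects only the customer file, while the same files for a UK employee also send the personal note into protection.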
For IT teams, the coming of EU GDPR is both a challenge and an opportunity. The challenge comes as more data is being created outside the control of IT – as much as 40 per cent of company data can live outside the network. However, the need for compliance can drive a rethink around the role of data protection within the business too. This opportunity can help IT design and deliver services that fit with the needs of employees as well as meeting the privacy requirements. By thinking “mobile first” IT can get ahead of the privacy problem, rather than reacting to problems caused by smarter users.
About the Author
Jaspreet Singh, CEO of Druva, is an accomplished entrepreneur. Prior to founding Druva, Jaspreet was a member of the storage foundation group at Veritas. He also held a number of engineering-specific roles at Ensim Corporation.
Edited by Peter Bernstein