The Necessity of Information Governance and Data Classification for Complying With the GDPR
With the new General Data Protection Regulation (GDPR) taking effect in May 2018, companies based in Europe, or holding personal data of people residing in Europe, are struggling to locate their most valuable assets in the organization – their sensitive data.
The new regulation requires organizations to prevent any data breach of personally identifiable information (PII) and to delete an individual's data when that individual requests it. After removing all PII data, companies will need to prove to that person and to the authorities that it has been entirely removed.
Most companies today understand their obligation to demonstrate accountability and compliance, and have therefore started preparing for the new regulation.
There is so much information available about ways to protect your sensitive data that one can easily be overwhelmed and pull in several directions at once, hoping to hit the target. If you plan your data governance ahead, you can still meet the deadline and avoid penalties.
Some organizations, mostly banks, insurance companies and manufacturers, possess an enormous amount of data, since they produce it at an accelerated pace by changing, saving and sharing files, creating terabytes and even petabytes of data. The difficulty for these types of firms is finding their sensitive data among millions of files, across structured and unstructured data, which in most cases is unfortunately an impossible task.
The following personal identification data is classified as PII under the definition used by the National Institute of Standards and Technology (NIST):
o Full name
o Home address
o Email address
o National identification number
o Passport number
o IP address (when linked to an individual; not PII by itself in the US)
o Vehicle registration plate number
o Driver’s license number
o Face, fingerprints, or handwriting
o Credit card numbers
o Digital identity
o Date of birth
o Genetic information
o Telephone number
o Login name, screen name, nickname, or handle
Most organizations that possess PII of European citizens must detect and protect against any PII data breach, and must be able to delete PII (often referred to as the right to be forgotten) from the company’s data. The Official Journal of the European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, states:
“The supervisory authorities should monitor the application of the provisions pursuant to this regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market.”
For companies that possess PII of European citizens to facilitate a free flow of PII within the European market, they need to be able to identify their data and categorize it according to the sensitivity levels defined in their organizational policy.
The regulation describes the flow of data and the market’s challenges as follows:
“Rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organizations, while ensuring a high level of the protection of personal data.”