Managing data to comply with privacy regulations - Micro Focus
Thu, 23rd May 2019

Australian companies are required to protect people's private information with significant penalties for failing to do so.

Alongside the Privacy Act and mandatory data breach notification requirements, many Australian organisations also need to comply with Europe's General Data Protection Regulation (GDPR) if they do business with European citizens.

Regardless of legal requirements, it's good business sense to manage customer and stakeholder data carefully to maintain their privacy and give them control over how their details are used. 

However, it can be challenging to understand exactly what data is covered by these regulations.

Often, data controllers are managing billions of data objects scattered across many silos, and only a fraction of these may contain personal data that needs to be protected.

Furthermore, some of the regulations require businesses to not just protect the data but to make it accessible to the people it refers to and let those people request that the data be amended or deleted.

If the data can't even be found, this can prove very challenging. 

It's therefore crucial for organisations to be able to access, understand, and accurately classify the data they have so they know how to treat it.

They must find a balance between protecting too much data, which breaks down processes and creates extra work, and not protecting enough, which puts the organisation at risk of failing to comply. 

Then it's key to be able to act on the right information quickly and provide proof of that action as required by regulatory bodies.

For example, if private information is accessed by an unauthorised person, the business needs to be able to stop the cyberbreach in its tracks, then report the breach to the Office of the Australian Information Commissioner as well as the affected individual(s).

Part of the reporting process includes proving that all possible actions were taken to protect the information. 

Given the challenges involved in managing private information securely and in accordance with regulatory requirements, business decision-makers could be forgiven for seeking a silver bullet technology solution that automates the process and guarantees an error-free approach.

However, the analytics capabilities required to address the volume and variety of data in question, and to support the multiple use cases covered under the regulation, make a single solution impractical. 

Failing to find the silver bullet, most organisations then opt for a best-of-breed approach using a raft of loosely-integrated software.

However, this can do more harm than good, requiring significant manual oversight and generating dozens of exceptions and processing errors.

This approach is, therefore, riddled with added stress, cost, and risk. 

Organisations would be better served by an IT strategy that is well-integrated and supplemented by deep analytics that help them make better decisions.

Furthermore, the strategy must leverage deep domain compliance and security expertise to protect sensitive data.

The strategy also needs to be flexible.

There are seven key questions business decision-makers must ask.

The answers will inform the strategy development.

These questions are: 
1. What and where is the information that will fall under these regulations? 
2. How do we identify information for disposal, in accordance with “the right to be forgotten”?
3. How do we best apply and enforce policies to manage information through its lifecycle?
4. How can we quickly and cost-effectively respond to legal matters requiring information under our management? 
5. How do we manage the volumes of sensitive data-at-rest? 
6. How can we neutralise the impact of a data breach? 
7. How do we best ensure sensitive data is protected, stored, and backed up securely? 

Once these questions are asked and answered, the business will be in a better position to comply with privacy legislation.

For best results, it's advisable to partner with a technology provider that understands privacy, has a portfolio that can offer flexibility, and is prepared to work with the business to manage its available resources and tailor a solution to its specific and long-term needs.