Story image

Managing the information paradox in the NDB/GDPR era

26 Jun 18

Article by M-Files Australia and New Zealand alliance and partner director Nicholas Delaveris

Recent legislation in Australia and overseas puts more stringent requirements around businesses collecting and retaining personal information.

The Australian government’s mandatory notifiable data breaches (NDB) scheme and Europe’s General Data Protection Regulation (GDPR) both demand that organisations protect individuals’ data and notify the appropriate authorities if a breach happens.

While GDPR is primarily a European law, it applies to any business that interacts with a citizen of the European Union, which means many Australian businesses will be affected. 

This creates a paradox for businesses who both rely on information and need to protect that information.

Compliance with these new pieces of legislation demands that businesses have unprecedented visibility into the information they collect and store and that they be able to demonstrate how that data has been treated. 

Businesses need to make information available at the right time on any device so employees can do their jobs.

But they also need to control that information and make sure no unauthorised person can access it.

These two goals have traditionally been somewhat incompatible.

To overcome this issue, businesses need a solution that helps manage compliance and audits, while making it simple for people with the right permissions to access the data they need.

Compliance is mostly about being able to demonstrate control.

It’s about being able to identify who has accessed information, whether they’ve edited or shared it, and when.

Flat file stores are hard to control and, as people leave and join the business, keeping track of access permissions and history gets tangled.

Businesses, therefore, need to take a process-based approach to becoming compliant with NDB and GDPR legislation.

That means taking a step back and gaining an overarching view of data including where it resides and what policies apply to it.

Everyone in the organisation should understand how data needs to be managed and be able to comply with those requirements.

This should be an ongoing process.

Privacy-related legislation tends to include requirements around what personal data can be collected and retained and for what purposes, as well as how businesses must respond to requests for that information either from the individual whose information is stored or from third parties. 

Businesses need to be able to react fast and appropriately when they receive requests for data.

They need to know what data can be shared and what data must never be shared.

If a person requests their own data, the business must be able to provide it immediately.

It’s not good enough to say they couldn’t find it or they assume it has been destroyed; they need to be able to prove it. 

Organisations need a solution that tags the data with information such as whether it contains personal details, how long it needs to be kept for, and why it needs to be kept.

If it shouldn’t be kept, the organisation needs to be able to demonstrate that the data has been destroyed.

If the organisation hasn’t destroyed the data, it needs to be able to demonstrate that it’s keeping the data for legal and legitimate reasons. 

Managing this process manually is difficult, and businesses can look at automation to simplify these processes.

The cost of trying to maintain compliance without an appropriate, metadata-driven content management tool is prohibitively high.

Stepping up to sell security services in A/NZ
WatchGuard Technologies A/NZ regional director gives his top tips on how to make a move into the increasingly lucrative cybersecurity services market.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Chch crypto-exchange Cryptopia suffers breach
Cryptopia has reportedly experienced a security breach that has taken the entire platform offline – and resulted in ‘significant losses’.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.
Carbon Black: What does cybersecurity have in store for 2019?
Tom Kellerman has shared five insights for the year ahead, including a particularly bold one.
Hands-on review: The Ekster Wallet protects your cards against RFID attacks
For some time now, I’ve been protecting my credit cards with tinfoil. The tinfoil hat does attract a lot of comments, but thanks to Ekster, those days are now happily behind me.
Report on SingHealth breach condemns poor security practices
The 2018 Singapore SingHealth data breach was poorly managed and riddled with vulnerabilities from the start.
Tesla wants people to hack its Model 3
Tesla is offering white hat hackers what could be the chance of a lifetime – the opportunity to hack one of its Model 3 vehicles.