My recent ISACA Journal article, “Data Privacy, Data Protection and the Importance of Integration for GDPR Compliance,” describes how the movement and processing of personal data, along with the procedures around those workflows, are central to General Data Protection Regulation (GDPR) compliance. Here are actionable steps enterprises can take to implement a modern integration strategy that ensures both data protection and data privacy.
Ensure Data Protection
The keys to ensuring enterprise data protection through a combination of tools and policy include:
- PGP encryption—Apply Pretty Good Privacy (PGP, standardized as OpenPGP) encryption to data at rest and to files before they are sent, so the payload stays encrypted end to end regardless of the transport that carries it, and keep the private keys under your own control rather than a vendor's or a trading partner's.
- Secure protocols—Leverage built-in secure communication protocols such as SSH File Transfer Protocol (SFTP) and Applicability Statement 2 (AS2) rather than standard email- or File Transfer Protocol- (FTP-) based workflows, which send credentials and data in the clear, and authenticate with digital certificates (AS2) and SSH keys (SFTP) rather than usernames and passwords. Key-based authentication only helps if password authentication is actually switched off on the server; otherwise the weaker path is still open.
- A backup strategy—Quickly accessing disaster recovery (DR) data is imperative to keep operations running and compliant; GDPR Article 32 expects you to be able to restore access to personal data in a timely manner after an incident. It is equally important that data in the DR environment is protected in the same way as production: the same encryption, the same key control and the same access restrictions, since a backup copy is as much personal data as the original.
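The "secure protocols" item above is easy to state and easy to get half right, so here is a concrete check for it. This is an added example, not code from the article or from any product it describes: a POSIX shell script that audits an OpenSSH sshd_config for the settings that make an SFTP endpoint key-only. The two configurations it inspects are constructed samples written to temporary files; the keyword names and their defaults are OpenSSH's own.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an OpenSSH
# sshd_config for the "keys, not passwords" SFTP baseline the article calls for.
# Both config files below are constructed samples written to temp files.

WEAK_CONF="$(mktemp)"
HARDENED_CONF="$(mktemp)"
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
# constructed sample: SFTP is enabled, but passwords still work
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

cat > "$HARDENED_CONF" <<'EOF'
# constructed sample: key-only SFTP, transfer users confined to their directory
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
EOF

# Print the effective value of a top-level sshd_config keyword, or nothing if
# it is unset. sshd uses the first occurrence, ignores comments and blank
# lines, and matches keywords case-insensitively; directives after the first
# Match block are conditional, so they are not considered here.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key      { print tolower($2); exit }
    ' "$1"
}

# Audit one config. Each finding goes to stderr; the number of findings is
# printed to stdout, so 0 means the file meets the key-only baseline.
audit_sftp_config() {
    conf="$1"
    findings=0
    note() { echo "FINDING ($conf): $1" >&2; findings=$((findings + 1)); }

    # Public-key auth defaults to yes in sshd, so only an explicit "no" is a problem.
    [ "$(sshd_value "$conf" PubkeyAuthentication)" != "no" ] \
        || note "PubkeyAuthentication is disabled; keys cannot be used at all"

    # Password auth also defaults to yes: unset is as bad as an explicit yes.
    pw="$(sshd_value "$conf" PasswordAuthentication)"
    [ "${pw:-yes}" = "no" ] \
        || note "PasswordAuthentication is '${pw:-yes}' (sshd default is yes); set it to no"

    # Keyboard-interactive (PAM) auth is a second way to type a password.
    # Older releases spell the keyword ChallengeResponseAuthentication.
    kbd="$(sshd_value "$conf" KbdInteractiveAuthentication)"
    [ -n "$kbd" ] || kbd="$(sshd_value "$conf" ChallengeResponseAuthentication)"
    [ "${kbd:-yes}" = "no" ] \
        || note "KbdInteractiveAuthentication is '${kbd:-yes}' (default yes); set it to no"

    # Without an sftp subsystem the server offers SSH shells but no SFTP.
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { found = 1 } END { exit found ? 0 : 1 }' "$conf" \
        || note "no 'Subsystem sftp' line; SFTP is not enabled"

    echo "$findings"
}

echo "weak config findings:     $(audit_sftp_config "$WEAK_CONF")"
echo "hardened config findings: $(audit_sftp_config "$HARDENED_CONF")"
```

Run it against a real file with `audit_sftp_config /etc/ssh/sshd_config`. The weak sample is flagged twice: password authentication is explicitly on, and keyboard-interactive authentication is unset, which in sshd means on. The hardened sample passes, and its Match block shows the usual companion controls for transfer-only accounts (chroot, forced `internal-sftp`, no port forwarding); those sit after `Match`, so the top-level parser deliberately ignores them.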
Ensure Data Privacy
Data privacy has more to do with how the information is governed and used. It is ensured by strengthening four areas:
- Data minimization—Only collect and keep data that you need. It may seem obvious, but many challenges can be avoided if you do not collect the data in the first place or delete it as soon as it is no longer relevant.
- Governance—End-to-end integration enables a full view of the entire life cycle of your data. Leverage dashboards to see every touch along the data journey, and safeguard against unauthorized access.
- Control—How do you know who can access data and for how long? Do they really need access? Similar to data minimization, reducing the number of people who have access will simplify control.
- Education—Regardless of the technology in place, you are ultimately at the mercy of your people. Make sure you educate them on what is expected and what their responsibilities are.
While you could lock a few developers in a room and build out solutions that enable all these things, doing so will be more cumbersome and more expensive in the long run. What happens, for instance, when the next regulation after GDPR is passed and your solution does not quite comply? You end up modifying your existing solution or rebuilding it altogether.
I recommend a single-platform ecosystem integration solution with built-in security, governance and control mechanisms to manage your data workflows.
Read Dave Brunswick’s recent Journal article:
“Data Privacy, Data Protection and the Importance of Integration for GDPR Compliance,” ISACA Journal, volume 1, 2019.