Enterprise Data Strategies in the Aftermath of the US Privacy Shield Defeat
The EU struck down the U.S. Privacy Shield and as a result transferring data between the EU and the U.S. is likely to get a lot more difficult. Now what do you do?
There is technology available to help reassure regulators that personal data is safe. However, keeping data safe is not just about regulators, it is about good business practice and reassuring customers that if they do business with your organization that their data won’t end up being bought and sold without the permission of the owners or organizations to which the data was entrusted.
While enterprise leaders will be trying to work out the impact of the Privacy Shield decision, its fall has wider implications, said Venkat Ramasamy, chief operating officer of Austin-based FileCloud. “As the geopolitics around user data escalates, data residency and sovereignty is going to become crucial moving forward,” he said.
There are a few technology choices available for enterprises: store user data locally (on-premise or data centers located within the region) or get control of the encryption keys (customer encryption key) that are used to encrypt data at rest. They can also choose cloud service and SaaS providers who provide the option to choose the region where enterprises want to store their data.
Review Data Management and Governance
In sum, the problems posed by the fall of the Privacy Shield concern the management and protection of data, said Todd Wright head of data privacy solutions at Cary, North Carolina-based SAS.
Organizations need to first consider any data privacy technologies as an extension of their current data governance efforts. If no current data governance program exists, their implementation efforts should mirror those organizations that have been successful. From a technology standpoint, this means organizations need to focus on five main areas to protect data privacy:
1. Accessible Data: It is critical that organizations be able to access and blend data from many different file types to have an integrated view and understanding of what personal data they hold.
2. Identifying Data: No matter where personally identifiable information (PII) resides, many organizations rely on technology capabilities like data filters, sampling techniques and sophisticated algorithms that can identify and extract personal data from structured and unstructured data sources.
3. Proactive Governance: Organizations need to be able to enforce governance policies, monitor data quality and manage business terms across the organization. They must also be able to assign owners to terms and link them to policies or technical assets like reports or data sources. This can be accomplished with data quality, metadata management and information cataloging technologies.
4. Ongoing Protection: For ongoing protection, role-based data masking and encryption technologies can secure sensitive information, as well dynamically blend data without moving it. This helps to minimize exposure of sensitive data.
5. Audits and Reviews: Technology that provides interactive reports to identify the users, files, data sources and types of PII detected is essential. Audits should show who has accessed PII data and how it is being protected across the business.
The Human Element of Data Protection
It is not all technology, though. David Lukić of Boston-based IDStrong points to the human element in keeping data safe. People-centric solutions can be brought to bear when trying to solve the problem of data security.
He points out that identity theft for illicit uses became common in recent years. The rate of personal data being pilfered is increasing exponentially and looks like there is no stop to it. The global pandemic acted like gasoline for the already burning fire.
However, since it is becoming more common, people are becoming more educated. There are several things organizations can do to tackle identity theft and make personal data safe:
1. Educate workers: If companies, organizations and even the government educate their citizens about this matter, people will be more cautious about using their identity online and entering sketchy websites.
2. Invest in data storage protocols: If data are safe inside the storage, it will be almost impossible for hackers or identity thieves to get to it. Every organization should invest time and money in their storage protocols to ensure the safety of their people and employees and save them time and resources.
3. Hire an IT team: Hiring an IT team might seem an expensive investment for some but organizations will reap the rewards in the long term. At some point in time, every organization will face scammers and hackers. The IT team will provide you a level of security and prevent scammers from breaching data.
This all runs in parallel to a software strategy that should underpin human efforts to keep the enterprise safe. Among the technologies Lukić recommends are:
- Data access: Authorizing only key members to handle data security is important. Every organization should implement technologies that can provide the right amount of data to the right users at the right time.
- User behavior analytics: While often basic, it is effective when someone's username and password are compromised. Technology can help organizations understand when it might be a data breach and flag the defender of the system. The technology uses big data analytics to identify abnormal behavior by a user.
- Cloud data protection: This not only makes storing sensitive data safer but it also makes it easier for involved parties to access the data. If you use a trustworthy cloud-based data protection system, the odds of data breaches will decrease drastically and data storage works more efficiently.
- Deep machine learning: This is similar to user behavior analytics. Organizations deploy this to understand where there are breaches in the system and track attacks as they happen.
Related Story: Are Careless Employees Threatening Your IT Security
Role Of Data Classification
At the heart of all this is data classification. This should be the first step in any data protection strategy, said Colin Truran, principal technology strategist at Aliso Viejo, Calif.-based Quest Software. The reason is that people lack full visibility across the entire estate of data. They also lack a method to classify content consistently and reliably, not just once but many times as rules change.
“Often this relies on humans participating in processes and this is where things start to become unstuck,” he said. “Organizations are faced with asking themselves how to enforce accurate data classification of every artifact past and present, without causing all other processes to grind to a halt or become bankrupt.”
Organizations are then faced with the next challenge of managing and enforcing data policies. This is where technology starts to really come into play, using additional metadata by humans or systems to then enforce access control. We see organizations at this point gravitate to data loss prevention, or DLP, platforms. But is that the only approach available? In fact, is it the right approach at all?
Truran said his company is seeing organizations start to pull back from DLP and instead head into the "Zero Trust" approach, a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters. This is because DLP works well within an organization but needs to be extended out to the organizations supply chain and customer chain if control is to be maintained.