
Equifax breach highlights importance of GDPR preparation

While doing preparation work for GDPR, organizations should look at the Equifax breach and understand they would have to notify customers of a problem much sooner.

The Equifax security breach has brought about a fresh wave of concern regarding how corporations are safeguarding customer data, just as organizations are doing preparation work for the General Data Protection Regulation.

GDPR takes effect on May 25, 2018. It consists of 99 articles, but the one that will be the thorniest for companies to address is Article 17, the right to erasure. It gives individuals the right to have an organization delete the personal data it holds about them, subject to limited exceptions such as data the organization is legally obliged to retain.

"This one has the most heartburn," said Randy Kerns, senior strategist and analyst at Evaluator Group Inc. in Boulder, Colo., who has spoken with European companies in various stages of GDPR preparation. "It's the right to erasure at no charge to the requesting individual. And it has to be expunged in a short period of time. All of the other problems with the requirement are really in the shadow of this in terms of potential impact."

Details on GDPR requirements

GDPR, which replaces the EU Data Protection Directive of 1995 (Directive 95/46/EC), focuses on making businesses transparent about how they process personal data and on strengthening individual privacy rights. Its scope is defined by where the data subject is and what the organization does, not by citizenship.

It covers personal data processed by any organization established in the EU, wherever the processing itself takes place. It also covers the personal data of people in the EU when it is processed by an organization outside the EU that offers them goods or services or monitors their behaviour, whether or not those people are EU citizens.

Under GDPR, individuals can require companies to erase the personal data held about them, and a breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it, with the affected individuals informed without undue delay when the breach is likely to put them at high risk. Equifax's timeline falls well outside that: the company discovered the breach on July 29 and reported it publicly in early September. The intrusion itself ran from mid-May to July.

Honouring an erasure request means an organization must be able to locate every copy of an individual's data: the primary copy and the copies in secondary storage such as backups, archives and replicas. GDPR does not prescribe a technology for this, but without that capability the obligation cannot be met.


In a survey of 900 companies worldwide with at least 1,000 employees, data protection specialist Veritas Technologies found that an overwhelming percentage of organizations have not done adequate GDPR preparation. According to the survey, 18% of the respondents admitted that personal data cannot be purged or modified. Another 13% said they do not have the capability to search and analyze personal data to uncover explicit and implicit references to an individual. They also are unable to accurately visualize where their data is stored because the repositories are not clearly defined.

Companies will be required to implement data protection principles to safeguard data and protect the individual's rights. Many will also need a designated data protection officer: GDPR mandates one for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, such as health records.

"Some are in denial," Kerns said of those who are behind in GDPR preparation. "Some have so much work to do, and this is overwhelming. They can't deal with it right now. Some believe there will be flexibility. That is wishful thinking; I don't think that is going to happen."

Vendors veer toward GDPR preparation

There is a hefty burden on IT to come up with solutions to address the GDPR requirements.

Vendors have started to offer technology that can help with GDPR preparation. One approach is to encrypt each individual's identifiable data under its own key and to manage the keys separately from the data. When the individual requests erasure, the key is destroyed and every copy of the ciphertext, including the copies sitting in backups, becomes unreadable. This approach, often called crypto-shredding, only holds if the keys themselves are kept out of the backup set and no plaintext copies exist elsewhere.
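The key-destruction approach described above, as an added example written for this article rather than taken from any vendor's product: a store that holds one AES-256-GCM key per data subject, encrypts each record under that key, and honours an erasure request by destroying the key and logging that it did so. The subject identifiers, the record layout (nonce followed by ciphertext) and the audit-line format are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// ErrKeyDestroyed is returned once a subject's key is gone: the ciphertext may still be on disk, but nothing can read it.
var ErrKeyDestroyed = errors.New("subject key destroyed: records are unrecoverable")

// Store holds one AES-256-GCM key per data subject and the records encrypted under it.
// Records can be copied to backups freely; the key map is what must stay out of the backup set.
type Store struct {
	keys    map[string][]byte   // subject ID -> 32-byte key
	records map[string][][]byte // subject ID -> nonce||ciphertext blobs
	audit   []string            // erasure log: the evidence that a request was honoured
}

func NewStore() *Store {
	return &Store{keys: map[string][]byte{}, records: map[string][][]byte{}}
}

func (s *Store) aeadFor(subject string) (cipher.AEAD, error) {
	key, ok := s.keys[subject]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts one record for the subject, generating the subject's key on first use.
func (s *Store) Put(subject string, plaintext []byte) error {
	if _, ok := s.keys[subject]; !ok {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		s.keys[subject] = key
	}
	aead, err := s.aeadFor(subject)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The subject ID is bound as associated data so a blob cannot be re-filed under another subject.
	blob := aead.Seal(nonce, nonce, plaintext, []byte(subject))
	s.records[subject] = append(s.records[subject], blob)
	return nil
}

// Get decrypts every record for the subject; it fails as soon as the key is gone.
func (s *Store) Get(subject string) ([][]byte, error) {
	aead, err := s.aeadFor(subject)
	if err != nil {
		return nil, err
	}
	var out [][]byte
	for _, blob := range s.records[subject] {
		n := aead.NonceSize()
		if len(blob) < n {
			return nil, errors.New("malformed record")
		}
		pt, err := aead.Open(nil, blob[:n], blob[n:], []byte(subject))
		if err != nil {
			return nil, err
		}
		out = append(out, pt)
	}
	return out, nil
}

// Erase honours an Article 17 request by destroying the subject's key and recording the action.
// Every ciphertext copy, primary or backup, is left in place but is now unreadable.
func (s *Store) Erase(subject string) {
	if key, ok := s.keys[subject]; ok {
		for i := range key {
			key[i] = 0 // overwrite before dropping the reference
		}
		delete(s.keys, subject)
	}
	s.audit = append(s.audit, fmt.Sprintf("%s erased key for subject %q; %d ciphertext copies remain unreadable",
		time.Now().UTC().Format(time.RFC3339), subject, len(s.records[subject])))
}

func main() {
	s := NewStore()
	_ = s.Put("subject-42", []byte("name=Jane Doe; ssn=123-45-6789")) // constructed sample record
	if before, err := s.Get("subject-42"); err == nil {
		fmt.Printf("before erasure: %s\n", before[0])
	}
	s.Erase("subject-42")
	_, err := s.Get("subject-42")
	fmt.Println("after erasure:", err)
	fmt.Println(s.audit[0])
}
```

Run it and the second Get fails with ErrKeyDestroyed while the ciphertext is still in the store, which is the point: backups do not have to be rewritten. In a real deployment the key map would live in a separate KMS or HSM that is excluded from the ordinary backup set, and the key store's own backups would be covered by the same erasure procedure; a restored key store otherwise silently undoes the erasure.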

Veritas has an Integrated Classification Engine that will be embedded across its data management portfolio. It first became available in the Veritas Data Insight 6.0 analytics application and Enterprise Vault. The engine is a microservice application built on Docker containers, which makes it easy for Veritas to embed the capability in its application portfolio.

Zachary Bosin, director of solutions marketing at Veritas, said the Classification Engine will eventually extend across the entire Veritas product line. Bosin described the engine as "a dashboard that is delivered preloaded with 100 sensitive data-type patterns, such as Social Security, credit card numbers, phone numbers. We have a drop-down list of GDPR identifiable data. We are going to grow that."
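A minimal version of the pattern-based classification Bosin describes, added here as an illustration and not taken from the Veritas engine: three loose candidate patterns (US Social Security number, payment card number, US phone number) followed by validation steps that remove the commonest false positives. The sample text is constructed for the example, and the patterns and validity rules (the Luhn checksum, the SSN ranges that are never issued) are my own choices.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one validated sensitive-data hit in a document.
type Finding struct {
	Kind   string // "ssn", "credit_card" or "phone"
	Match  string
	Offset int // byte offset in the scanned text
}

// Candidate patterns. They are deliberately loose; the validation in Classify
// decides whether a hit is reported, which is what keeps the false-positive rate down.
var patterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"credit_card", regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`)},
	{"phone", regexp.MustCompile(`\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b`)},
}

// luhnValid reports whether a digit string passes the Luhn checksum that every
// issued card number satisfies; a random run of digits fails it nine times out of ten.
func luhnValid(digits string) bool {
	if len(digits) < 13 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ssnPlausible rejects ranges the Social Security Administration never issues:
// area 000, 666 or 900-999, group 00, serial 0000.
func ssnPlausible(s string) bool {
	area, group, serial := s[0:3], s[4:6], s[7:11]
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

func digitsOnly(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Classify scans text and returns the validated findings in document order.
func Classify(text string) []Finding {
	var out []Finding
	for _, p := range patterns {
		for _, loc := range p.re.FindAllStringIndex(text, -1) {
			m := strings.TrimSpace(text[loc[0]:loc[1]])
			switch p.kind {
			case "credit_card":
				if !luhnValid(digitsOnly(m)) {
					continue
				}
			case "ssn":
				if !ssnPlausible(m) {
					continue
				}
			}
			out = append(out, Finding{p.kind, m, loc[0]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Offset < out[j].Offset })
	return out
}

// SampleText is a constructed record: one genuine-looking SSN, one Luhn-valid test card
// number, one phone number, and two decoys (an order number and an unissued SSN) to be dropped.
const SampleText = "Customer Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111, phone (303) 555-0142. " +
	"Order 1234 5678 9012 3456 shipped. Test SSN 000-12-3456 is not valid."

func main() {
	for _, f := range Classify(SampleText) {
		fmt.Printf("%-12s %-22q at byte %d\n", f.Kind, f.Match, f.Offset)
	}
}
```

Three findings come back and the two decoys do not. This is the "explicit reference" half of the problem; the implicit references mentioned earlier in the Veritas survey, such as a ticket that names an account number but not the person, need the hits to be linked back to a subject identifier before an erasure request can be fully honoured.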

He said artificial intelligence and machine learning techniques will help in identifying sensitive data.

"The deep-learning engine really creates a prioritization of sensitive content," he said. "Eventually, that deep learning engine will get smarter and smarter about sensitive data."

But it won't be enough for an organization to state it is complying with an individual's request to expunge data.

"You have to prove that you did it," Kerns said.
