Quest’s Colin Truran talks compliance myths and reality, and argues that organisations shouldn’t rely on one or two technologies to address their regulatory needs.
The EU General Data Protection Regulation (GDPR) will become the reference standard against which all organisations will assess their management of personal data across the world. That’s the view of Quest’s Principal Technology Strategist Colin Truran.
Talking to CBR TV, Truran pointed out that one of the major differences of the forthcoming regulation, due to come into effect in May 2018, compared to previous directives is the accountability it imposes on data processors. “It’s easy for the data controller – they know they own the data, responsibility lies with them,” he said. “It’s the question, ‘Are you a data processor?’ that is more of a quandary for organisations. [Is the organisation] actually participating in the lifecycle of the data? Do they have any responsibility during the journey of that data? If they do, then they are a data processor.”
“GDPR is the baseline. It’s what everyone should adhere to as a minimum. [And then] you’ve got to take into account all the legislation for all of the countries that that data resides in and passes through.”
Addressing the myths and confusion surrounding GDPR, Truran was asked whether it was really the case that organisations only have 72 hours to report a breach. “Not at all,” he said. “This is often a number quoted to scare organisations. You only have to notify the data protection authority of a breach within 72 hours if it poses a significant risk to the rights and freedoms of a data subject, an individual.” In other circumstances, the three-day deadline does not apply, Truran said.
On a related topic he was asked what responsibility an organisation had when it was in receipt of personal data sent in error. “It’s quite an interesting conversation to have because in essence you didn’t request that information and suddenly you’ve become a data processor or a data owner, a data controller,” noted Truran. “Therefore you have responsibilities for that data moving on. You can’t just … remove it. So you do need to notify the [originating] organisation and the authority that you’ve received this information in error.”
As for the technology organisations should adopt to help address compliance issues thrown up by GDPR, Truran said firms should not expect to find a single cure-all. “I hear a lot about two typical technologies that are mentioned: encryption and personally identifiable data discovery,” he told CBR TV. “Two great technologies [but it’s] really important you don’t just rely on those technologies as your only form of bolstering your position.
“You need to make sure you have other technologies and other processes in place. For example, if you rely only on encryption, this only works when the account isn’t compromised. If the account is compromised you’ve lost the benefit of the encryption.”