[BreachExchange] How rogue data puts organisations at risk of GDPR noncompliance

Inga Goddijn inga at riskbasedsecurity.com
Mon Jul 30 10:29:51 EDT 2018 

https://www.helpnetsecurity.com/2018/07/30/rogue-data-gdpr-noncompliance/

The GDPR compliance deadline
<https://www.helpnetsecurity.com/2018/05/25/gdpr-day/> came in by force on
25th May 2018 and applies to all organisations processing and holding the
personal information of data subjects. This includes contacts such as
customers, partners and patients. Much has been written about the immense
efforts of organisations to improve their data privacy procedures in order
to comply with GDPR
<https://www.helpnetsecurity.com/2018/05/14/gdpr-compliance-profile/>, but
there is a largely undiscussed oversight lurking just under the surface
which, if left unaddressed, still leaves organisations exposed to potential
risks and hidden costs.

While progress has been made in privacy and control procedures for managed
data typically held in customer and/or patient databases and business
applications, most organisations will (reluctantly) admit to a problem of
“rogue” personal identifiable information (PII) that is not under some form
of direct IT control and governance.

These electronic office documents
<https://www.helpnetsecurity.com/2018/07/05/gdpr-compliance-printers/>,
presentations, images, video recordings, etc. are quite often hiding in
plain sight, so to speak, and within an organisation’s IT infrastructure.
We are of course referring to the countless letters, spreadsheets, data
extracts, x-ray images, voice recordings (the list goes on) containing PII
and stored in places such as an employee’s desktops, personal folders,
shared folders, cloud storage or mobile devices. Not having good visibility
<https://www.helpnetsecurity.com/2018/06/20/digital-experience/> and
control over these kinds of rogue PII does not diminish the accountability
of organisations – in fact, it exposes them to the worst kind of risk: the
unknown type.
Three main problems associated with rogue PII

*1. Data subjects (the people whose information is being controlled) are
entitled to request all PII data held on them.* This is really hard to do
when a business is not 100% certain if all PII is being managed in known,
secure and managed information systems. Information blind spots will leave
organisations exposed to risk.

*2. Requests for either a copy and/or erasure of PII by data subjects need
to be completed within certain time limits (typically one month).* This can
be a challenge if organisations do not maintain a certain level of process
efficiency in order to comply. Organisations may also be caught on the back
foot if swamped by a sudden spike in requests or where there is a heavy
reliance on manual procedures to fulfil these requests.

*3. The new regulation typically leaves data controllers with no recourse
to charge for fulfilment of these data requests.* Under most circumstances,
these rights translate to both a potential cost and accountability risk
burden on organisations. Not only do they need the capability of finding
PII faster and cheaper than ever before, but they also need to be confident
that they have provided (or erased, as the case might be) ALL managed and
unmanaged instances of PII held on a data subject.
Dealing with rogue PII data?

How then should an organisation deal with rogue PII data? If we assume that
managed sources of PII are well understood and practices adopted to ensure
data processing is governed within data privacy policies, organisations
face two options for dealing with their unmanaged PII:

   - Migrate or move rouge sources of data to a managed environment.
   - Develop a capability to monitor – on an ongoing basis – unmanaged PII
   (providing visibility) combined with the ability to then manage such PII
   (providing control).

Endpoint Detection & Remediation (EDR) solutions enable organisations to
perform investigation and remediation across their entire IT estate, at
speed and at scale. This means that EDR tools can firstly help find traces
of PII in unmanaged locations as well as automate the remediation process
of either removing or relocating such data.

A good EDR solution should perform such remediation in real-time, and make
it easy to configure the remediation steps as easily repeatable
instructions for ongoing maintenance purposes. Speed, scale and automation
are key here. Together, these form the essential ingredients for a solution
to address problems of “hidden PII” cost and risk.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180730/5ec09bb9/attachment.html>

More information about the BreachExchange mailing list