[BreachExchange] Fat Data: Get the skinny on GDPR and test data management

[Audrey McNeil]

https://sdtimes.com/test/fat-data-get-skinny-gdpr-test-data-management/

Have you ever stopped to think about how much personal data is floating
around the world or in your company’s databases? You may have decades’
worth of salaries, addresses, job applications, social security numbers,
credit card numbers and on and on. If you factor in social media groups
where we’ve willingly handed over our personal information for many years,
then the amount of personal data stored by companies is mind-boggling!
Companies are sitting on mountains of what I call “fat data,” or data
that’s rich with sensitive personal information.

Companies will soon, however, be held to a higher standard when managing
personal information. The end user will have more say in how their personal
data is managed and where it’s being stored.

In just about two months, the spotlight will be shined brightly on
companies who manage European Union citizen’s data with the enforcement of
GDPR, the EU General Data Protection Regulation. Penalties for
non-compliance are steep with potential fines of up to 20 Million Euros or
4% of annual revenues. For that reason, and several others, U.S. based
companies are taking GDPR seriously. Facebook, for example, is rolling out
a global privacy center in response to GDPR, giving users a single location
where they can manage their privacy settings.

GDPR gives EU citizens more control on how their personal information is
used, even providing the ability to have their data expunged completely
under the “right to be forgotten” provision. Companies will have to comply
if an individual requests that their data not be used for any purpose other
than to provide the end user with a product or service. Because this new
rule impacts how data is used for testing purposes, gone are the days of
free wheeling use of anyone’s data for the testing of applications.

Developers and testers take notice – GDPR is watching
It’s time for organizations to take a close look at how their development
teams are using sensitive data when testing.  A recent survey indicates
that most companies are woefully unprepared for GDPR, most not even having
a plan in place to begin their complex compliance journeys. Having worked
in this industry for many years and specifically with compliance products,
I know that having some compliance plan in place is better than having no
plan. If a security breach occurs with any of your databases, even those
used for testing, you’re going to attract the attention of regulators from
all sides of the globe. If your company is taken to task for a breach, it’s
better to show that you have a plan and are moving towards compliance, even
if you are not yet fully compliant.

Compliance is actually a low bar in terms of data security. Companies need
to adopt far stricter controls than what is specified in most compliance
regulations. PCI-DSS, for example, is a mandate to get companies to provide
stricter controls when processing account data and primarily credit card
data. GDPR is slightly different in that it gives more power to the owner
of the data, the end user. This regulation will have a far-reaching impact
on any global company, regardless of their geographic location. If your
organization or company stores EU citizens’ data, then GDPR affects you.

Where to begin
First, don’t wait for your compliance officer to come to you. If they
haven’t talked to your team about GDPR, then talk to them about how GDPR
may impact your company. Ask these questions:

1. Does your company store EU citizens’ data on any database within your
company?
2. Where is your sensitive data stored? For example, does your company use
a third-party provider to store your data and if so, do they have a GDPR
plan in place?

The initial challenge with GDPR compliance will to be to know where your
personally identifiable data (PII) is stored. Most companies have no idea
and will need to identify tools that can help them scan their databases for
PII data, noting if it’s that of EU citizens.

I believe that GDPR is actually an opportunity for companies to put their
“test data” houses in order. The new legislation is will pressure companies
to know where PII data is stored, how many copies, and what safeguards are
in place to protect it. Test data is an appendage to production data and
should be managed as carefully as production data. GDPR can be a catalyst
for companies to implement a more thorough test data management solution.
And furthermore, taking the proper steps to comply with the GDPR is not
only an opportunity for your company to further invest in technology, but
it also enables trust and loyalty with your customers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180320/b15f5bbc/attachment.html>