Data governance and security
June 2018, This Week's Editor's Pick, Cyber Security, Security Services & Risk Management
Data governance is no small task: it requires expertise, time and money. A data governance project is divided into phases, from planning a strategy, to finding out what data you actually have and how and where it is stored, to implementing the cleaning and integration of data, and keeping the resulting structure in place for the long term. And that is the ‘For Dummies’ version.
If you throw GDPR and South Africa’s PoPIA (the Protection of Personal Information Act) into the mix, things become more complicated: data governance is no longer merely a good idea or something that adds value to your business, it is a legal requirement for most, if not all, businesses.
As with all things data related these days, security is a key component of data governance. To find out more about data governance and the related data security issues, Hi-Tech Security Solutions asked a few data experts for some input into the processes and requirements for successful data governance.
We spoke to:
• Mike Rees, territory account manager for Commvault in South Africa,
• Gary Allemann, MD at Master Data Management, and
• Gregg Petersen, regional vice president at Veeam.
Hi-Tech Security Solutions: How do you go about finding out what data you have in databases or in other files, such as spreadsheets stored on users’ computers?
Rees: Establishing what data the organisation has, whether it is held in databases or in files stored on a computer, is a serious challenge. Previously, data was stored in the data centre; today, however, data can be stored on one’s phone and laptop as well as in the cloud and even on social media. Companies need to get a handle on this and manage data where it resides. Ideally, they need to be able to index this data, making it easier to manage and find when required.
Allemann: When it comes to finding out what data you have in your database and in other files, organisations need to look at running automated scanning of their data sets, identifying what data is within those files. Unfortunately, the business cannot rely on the title of a column or the heading of a file, as sensitive data may be captured in fields that were not intended for this purpose. Tools like Syncsort Trillium Discovery can automate ‘data profiling’ for databases.
Petersen: Before I answer that directly, the first essential step that you need to take is to determine if your organisation has personally identifiable information (PII) of an EU resident. You must look at more than just customer or external data. Within your organisation, your employees’ data (mostly with HR) is also categorised as PII. If you employ any European employees, it means that you need to be aware of this data.
Key to the success of your project to find out what data you have is understanding who has access to this data and where it is located.
Obviously, this is a task easier said than done. One of the approaches is using a technical solution that can map your data. These solutions are only as effective as their definition policies. Some solutions learn as they gather and analyse data, adding additional definitions to improve results, while others are dependent on manual settings. In both scenarios, it is of critical importance that the solutions are able to discover and map all your data.
One important tip: you should include all business units, including regional and non-EU business units. For example, our regional marketing team in North America had to go through the survey also. As they are responsible for leading events in North America, they own data from European citizens who fly internationally to attend these events.
Hi-Tech Security Solutions: What process can you follow to classify the data?
Rees: There are a number of ways to back up, index and catalogue the organisation’s data and there are many tools available when it comes to sensitive data. For instance, Commvault has recently released a new tool that helps manage and access sensitive data while still being compliant.
In order to classify data correctly, businesses need the right tools and programmes in place to categorise and classify both sensitive and general data. However, these tools still need to be user-friendly, otherwise users will find workarounds to avoid using them if they are cumbersome, challenging or tedious to use.
Allemann: In order to classify data, organisations should look at creating and building rules that classify the data when an automated scan is done. For instance, they can use word-based rules to find certain information and classify it, or, in the case of ID numbers, look for 13-digit numbers, just as you would do when setting data quality rules.
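The two answers above (scan the content rather than trusting column headings, and write rules such as “a 13-digit number is probably an ID number”) can be tried out on a small table. The following is an added example written for this page, not code from the article or from Syncsort, Commvault, Veeam or Master Data Management. The CSV sample, the pattern set, the 50% labelling threshold and the column names are all constructed for illustration; the Luhn and date-prefix filters on 13-digit candidates are additional checks not mentioned in the article, added here because South African ID numbers carry a Luhn check digit and a YYMMDD prefix, which cuts false positives such as 13-digit order numbers.

```python
# Added example (not from the article or any vendor tool): a header-agnostic
# scan of tabular data that finds personal data by content, not column name.
import csv
import io
import re
from collections import defaultdict

# Constructed patterns for this example. The ID rule follows the article's
# "13-digit number" advice; the Luhn and date checks are extra filters added
# here to cut false positives (SA ID numbers end in a Luhn check digit).
PATTERNS = {
    "sa_id": re.compile(r"(?<!\d)\d{13}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "za_phone": re.compile(r"(?<!\d)(?:\+27|0)\d{9}(?!\d)"),
}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sa_id_plausible(candidate: str) -> bool:
    """13 digits that pass Luhn and start with a plausible YYMMDD date."""
    if len(candidate) != 13 or not candidate.isdigit() or not luhn_ok(candidate):
        return False
    month, day = int(candidate[2:4]), int(candidate[4:6])
    return 1 <= month <= 12 and 1 <= day <= 31


def classify_cell(text: str) -> set:
    """Labels for the kinds of personal data found anywhere in one cell."""
    labels = set()
    if any(sa_id_plausible(m.group()) for m in PATTERNS["sa_id"].finditer(text)):
        labels.add("sa_id")
    for name in ("email", "za_phone"):
        if PATTERNS[name].search(text):
            labels.add(name)
    return labels


def profile_csv(csv_text: str):
    """Count, per column, how many rows contain each kind of personal data.
    Returns (row_count, {column: {label: hits}})."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = {col: defaultdict(int) for col in reader.fieldnames}
    rows = 0
    for row in reader:
        rows += 1
        for col, cell in row.items():
            if col not in hits:  # ignore ragged extra fields
                continue
            for label in classify_cell(cell or ""):
                hits[col][label] += 1
    return rows, {col: dict(c) for col, c in hits.items()}


def classify_columns(counts, row_count, threshold=0.5):
    """Label a column when at least `threshold` of its rows carry a data type.
    Lower-frequency hits (stray PII in free text) stay in `counts` for review."""
    return {
        col: sorted(lab for lab, n in labs.items() if n / row_count >= threshold)
        for col, labs in counts.items()
    }


# Constructed sample: the ID numbers sit in a column called "ref", an e-mail
# address and a phone number are buried in free text, and "order_no" holds
# 13-digit values that are NOT ID numbers (they fail the Luhn/date checks).
SAMPLE_CSV = """customer,ref,notes,order_no
Thandi M,8001015009087,prefers email thandi@example.com,1234567890123
Sipho K,9202204720083,,5555555555555
Lerato D,n/a,phone 0821234567,
"""

if __name__ == "__main__":
    n, counts = profile_csv(SAMPLE_CSV)
    for col, labels in classify_columns(counts, n).items():
        print(f"{col:10s} classified={labels} raw_hits={counts[col]}")
```

Running it labels the `ref` column as an ID-number column even though nothing in its heading says so, leaves `order_no` unlabelled because its 13-digit values fail the checksum, and still reports the single e-mail address and phone number found in `notes`; those below-threshold hits are exactly the “sensitive data captured in fields that were not intended for this purpose” that a header-only review would miss.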
Petersen: Knowing your data is the first and probably one of the most important steps to take. Many organisations are not aware of what data they own, the breadth and scope of this data, and where that data is located. If you have a good insight and understanding of your data, the next steps will become easier.
A key factor to note is that as you build processes to understand your data, it is helpful to create flow charts that map the flow of PII data across your organisation and to your third-party partners. Possibly some of the technology solutions you have in-house will be able to do that for you automatically. In the case of Veeam, the Veeam Availability Platform will be able to give you an entire picture of your backup environment and the flow of that data.
Hi-Tech Security Solutions: What is considered personal data that would be impacted by GDPR and PoPIA?
Rees: Any data that relates to an individual’s identity will be impacted by both the General Data Protection Regulation (GDPR) in the European Union and the Protection of Personal Information Act (PoPIA). For example, ID numbers, mobile numbers, any demographic information and even credit card information are considered to be personal information. With the implementation of these regulations, personal data will hopefully be treated with the respect it deserves.
Allemann: The list of personal data that will be affected by the General Data Protection Regulation in the European Union (GDPR) and the Protection of Personal Information Act (PoPIA) in South Africa is long. Any information relating to a person or, in PoPIA’s case, to a legal entity will be affected by these regulations.
Petersen: PII is a very broad category of information. It is any data that can be used to identify an individual. One quickly gravitates toward obvious information such as name, contact information or pictures; but PII can include many other forms of data. Without attempting to provide a comprehensive list, PII also includes IP addresses, location data through an app, feedback forms, data from reward programmes and more. Article 4 defines PII as follows:
“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
Not only is it important to determine the presence of PII, but the GDPR also includes even more strict regulations for something classified as sensitive PII. Sensitive PII includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health or sex life. This data is a special category of PII that is subject to additional protections.
According to the PoPIA Act, personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. Section 19 of PoPIA deals with security safeguards, and says organisations must take appropriate measures to protect personal information against loss, damage or unauthorised destruction and unlawful access or processing. It further states that the responsible party must take measures to identify risks, maintain safeguards, and ensure that these safeguards are continually updated in response to any new threats.
The responsibility, therefore, lies with the business to keep its security and data protection up-to-date and to make sure anybody who handles data on its behalf does the same. Additionally, as the responsible party, the onus is on the organisation to ensure its suppliers comply with the requirements of the Act. Even though much of what PoPIA entails revolves around good business practice, there are still organisations that do not feel it is necessary to comply.
While most companies easily grasp the importance of making sure personal data does not fall into the wrong hands, fewer understand the importance of protecting it against loss or corruption. Losing the personal data of customers can cause serious problems for a company.
Hi-Tech Security Solutions: Is security data – such as video surveillance of people or biometrics, such as fingerprints – included in GDPR and PoPIA?
Rees: Video surveillance and biometric information is definitely considered personal information and will be viewed as such by both GDPR and PoPIA.
For example, many logistics companies have their fleet of trucks fitted with cameras to track and document their vehicles’ movements in case of an accident. However, if this camera is pointed towards the road and is able to show another vehicle’s licence plate and the time it was travelling, then this constitutes documentation of personal information; it could also include sensitive company data. It is therefore imperative that companies that do have video surveillance and biometrics systems ensure that the data is stored correctly and make sure that regulations such as PoPIA and GDPR are adhered to.
Allemann: Yes, security data such as video surveillance and images of individuals is considered to be personal information. However, if an image is posted or publicised with the person’s permission or by themselves, then GDPR and PoPIA do not apply and this information or image is now available in the public domain.
If an image, video or fingerprint is taken without the individual’s knowledge then this would go against GDPR and PoPIA regulations. For example, if a person steals items from another individual in a store, the video surveillance and any personal information relating to the criminal cannot be presented to the victim by the store. In this case it would be best to get the authorities involved. It is also important to mention here that the PoPIA Act does not protect the criminal from being identified, it only forces one to go through the correct channels of the law.
Petersen: GDPR specifically calls out biometric data as a ‘sensitive’ category of personal information, warranting robust protection. The GDPR defines biometric data broadly, in many cases requires privacy impact assessments for its processing, and empowers Member States to pursue divergent protections for biometric data.
The PoPIA Act does not make mention of video surveillance, but states that the biometric information of a person is considered personal information. PoPIA defines biometrics as a technique of personal identification that is based on physical, physiological or behavioural characteristics, including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.
Companies should carefully consider whether they really need biometric data as the data subject has to give explicit consent and they will need to have lawful ground to process the data, according to the GDPR. As such, data controllers who are processing or may process biometric data should take note.
Hi-Tech Security Solutions: How can you secure all your data, even unstructured data, to ensure everything is compliant?
Rees: The best way to secure an organisation’s data is to make sure there is a fine balance between who can access the data and an acceptable level of risk. Not everyone within the business should have access to every bit of information, however, these employees should be able to request information in order to make the process auditable and compliant.
Companies should be aware of PoPIA and their employees should be educated and trained in the correct handling of personal information. This should not be limited to internal staff but should include external individuals that are contracted by the organisation. Consideration should be given to building a clause into an employment contract relating to PoPIA/GDPR awareness requirements.
Allemann: To secure an organisation’s data, one should always start with data governance. This means defining rules and policies around the use and storage of personal data.
In addition, organisations need to start changing their habits around working with personal data. For instance, recognising whether certain information can be added to an Excel spreadsheet, or can be included in an email. It is all about change management within the organisation and trying to help people understand the new regulations and be aware of what they can and can’t do.
Petersen: As mentioned already, one of the first pieces of advice a data protection officer or GDPR expert will offer is to put the time and energy into building a comprehensive data map. This should let you quickly see where data is entering your organisation, how it is being collected, and the type of infrastructure and storage solution that underpins its existence.
Whether it is PoPIA, GDPR, or something else entirely, there are several guidelines to keep in mind when it comes to data compliance. These can be classified into five principles:
• Knowing your data,
• Managing your data,
• Protecting the data,
• Documentation and compliance, and
• Continuous improvement.
Firstly, data knowledge is gained by identifying the PII your organisation collects and who has access to it. Managing data is geared towards establishing the rules and processes to access and use PII. Data protection revolves around implementing and ensuring security controls are in place to protect the information and respond to data breaches. As the fourth principle indicates, documenting company processes, executing on data requests, and reporting any issues are critical to the success of getting to the compliant stage. Finally, an organisation must constantly evaluate procedures for data privacy and protection, and test and refine its protocols as the digital business evolves.
There are many information security articles about protecting your data. Implementing and ensuring data protection heavily relies on tools and technology. While tools and technology are essential in protecting data, they are not sufficient. Protecting your data comes from Article 25: Data protection by design and by default, and it is more than technology alone.
This means that you need to be able to make the data available at any moment or make it available again as soon as possible when something has happened. Putting security on your gates, both physical and digital, is required, but it extends far beyond this: restricting access, auditing who gains access and does what, monitoring, and implementing protections against malware. Finally, ensuring a solid backup and availability plan with regular testing and validation is essential. We believe that backup and recovery should become a required part of all new projects and built into the fabric of the organisation.
It is also important to realise that despite best efforts, data protections may be breached. Plans and processes for this event should be introduced. Most organisations will have heard about the breach notification principle. If you discover a breach, you are obliged to notify the authorities as soon as possible. Implement a plan that specifies the responsibilities of each team in the event of an incident.
Last, but certainly not least, don’t forget about your data assessment impact. Whenever you need to perform maintenance or upgrades, there is always a risk associated to it. Put processes in place and test updates in advance of their rollout.
Hi-Tech Security Solutions: What are the benefits of compliance beyond just adhering to regulations?
Rees: From a user perspective, the benefit of adhering to PoPIA and GDPR is that the organisation does not alienate the customer. If emails are sent out by the business, the receiver can now choose to stop receiving these emails. Companies can then be assured that whoever chooses to continue receiving information is the correct target market, but also ensures that they do not create a bad relationship with those who no longer want the information sent to them.
In addition, by complying with regulations such as PoPIA, the organisation and the public understand that their data is secure, and this creates a sense of trust for the customer. From a business perspective, other companies will also be more inclined to do business with an organisation that adheres to these regulations. Additionally, organisations planning to do business with European Union companies will find it easier if they can prove compliance with PoPIA and GDPR.
Allemann: Businesses can benefit immensely from being GDPR and PoPIA compliant. Namely, they build trust with the consumer because data is handled ethically and the organisation can be more competitive due to the fact that consumers will be more inclined to do business with an organisation that adheres to these regulations.
Petersen: The most important thing to remember is that even when the business becomes compliant, the journey does not stop. It is not some form of ‘fire-and-forget’ way of managing data. Compliance, just like a business continuity and data strategy, is an ongoing process that requires focus that integrates with the entire strategic approach of the business.
In certain respects, the growth of data and the pressure to have it always-on and available, combined with a startling number of global cybersecurity breaches, have helped refocus efforts around compliance over the past twelve months. Companies understand the value of data in addition to being able to access it irrespective of location or device used. The digital world means data has become fundamental to building competitive advantage and gaining insights on everything from buying behaviour, customer preferences and conversion rates to customised offerings.
Aspects like understanding how personal data is currently being processed and how it needs to change under new legislation, appointing a data protection officer focused on all aspects of compliance, and understanding cross-border data flows must become part of one’s standard operating procedure.
Hi-Tech Security Solutions: What rules should you set in place to ensure you remain compliant in future?
Rees: To remain compliant when it comes to regulations like PoPIA, it is all about good governance. Adding to this, businesses also need to keep it practical: if it makes sense to protect the data, then do it; if it doesn’t, then don’t. It is as simple as that.
Organisations should not keep information for the sake of keeping information – ask questions like, ‘is this data relevant to my business’?
For a well-managed organisation, the value is in the data. To derive benefit from this data it needs to be managed, protected and available when required.
Allemann: PoPIA requires that organisations put processes in place to ensure that personal data is only used for the purpose for which it was intended, that it is protected from unauthorised access and that there is accountability for non-compliance at all levels.
Compliance needs to stem from the top of the organisation, where King IV makes the CEO accountable, right down to the data clerk. At each level, we should be able to set policies based on common sense. Does my use of the data make sense to deliver on the intended purpose?
Petersen: Decision-makers need to embrace a new way of maintaining an always-on environment. This means they must integrate all elements of compliance into their backup plans and vice versa. The one does not operate in isolation from the other.
It’s worth remembering that, while the road to PoPIA and GDPR compliance is by no means straightforward, a company-wide effort to improving data protection also brings with it a unique commercial opportunity for businesses that do it well – not least the chance to stay competitive and make your business fit for the future.
In a post-GDPR world, companies will have to be much more transparent about why they are collecting data and what they’re using it for – i.e. if they’re mining it from third-party apps, then using it to create behavioural profiles and influence political events (ahem, Cambridge Analytica). But more than that, a business’s reputation and revenue will come to depend on that transparency. Their ability to harness the power of data for commercial gain will first rest on being a reputable brand that has built genuine consumer trust. The balance of power is fundamentally changed.
One of the big changes the GDPR is bringing about is greater citizen rights when it comes to data. To put that into context, over the past three years, Google received 2.4 million requests for the deletion of search engine results – that number is going to rise rapidly when people understand more about their right to be forgotten.
Beyond being forgotten, people will also be able to access data, or to request it for themselves (in a format they can digest). To ensure this right doesn’t become a time sink for your organisation, you should make sure you have a way to tag the location of each data point so you can access it when necessary. It’s a small change that could yield big dividends.
Businesses praying for a shortcut to compliance face an uphill climb, but those who capitalise on the opportunities that PoPIA and GDPR present and have already started to take a proactive approach to data protection will be the real winners in the end.