Last week my colleague Mark Cassetta described how data categorization could be used as a means to simplify information classification and protection. This week I would like to expand on this concept to show how categorization can be put into practice. The European General Data Protection Regulation (GDPR) only 12 months away. Yet, only 10 percent of organizations impacted by the GDPR report that they are “completely ready” to comply with the regulation (Osterman Research), it seems like this would be a great example for highlighting the use of categorization.
The key goal of the GDPR is to ensure that any organization that controls or processes sensitive personal information about EU residents also properly protects the data. In fact, organizations must show that data protection is a fundamental design aspect to their data workflow and processes.
So, where does an organization start?
The same place they should start for any data protection project; they need to find and clearly identify the sensitive data in question. Because the GDPR mandates that each individual can request to see, edit, transport, or have the data deleted, knowing the location of files that contain personal information is paramount.
With very little time to get systems, policies, procedures, and people aligned, implementing a detailed data classification schema is not practical – which is fine! We like to take a “crawl, walk, run” approach with our customers anyway. First, we help them resolve their primary use case (the “crawl”) and when they are comfortable with that first step, we expand their use of classification to solve other workflow, security, and compliance hurdles. To set the stage for GDPR compliance (and where automated classification is not practical), simply ask your users if the data they are working with contains personally identifiable information (PII): Yes or No.
That’s it. One question.
A simple task for the user provides the essential ingredient to GDPR compliance. Once the data is identified, compliance policies to be built across the enterprise. TITUS policies help protect users from making mistakes, but the classification metadata can also empower your existing data security ecosystem, such as DLP, encryption, records management, reporting and insider threat detection, and more. For example, answering “Yes” could automatically limit how the information can be shared, or trigger encryption. By enabling your other data security systems to read and react appropriately when they see a user has answered “Yes”, you have designed personal information data protection into your organization workflow and data security processes.
According to Osterman Research, only 27% of organizations have confidence that they can appropriately classify records or mark it to limit processing. If you are part of the remaining 73%, TITUS can help.