Discover PII Data: First step toward Data Privacy Compliance
Data privacy regulations require organizations to know what personally identifiable information (PII) about their customers they collect, store and process in order to offer their services. On the ground, it is surprising how unprepared many organizations are for these regulations. The first step in the process is to gain a clear view of all the personal data the organization holds and where it is. This blog looks at the obligations for working with data under various data privacy regulations and at how Data Discovery is essential to building a strong foundation for compliance.
Know & Manage personal data
Data privacy regulations are designed to bring privacy into the digital age by addressing all aspects of how organizations capture and process personal data. They encompass all data that would allow the direct or indirect identification of an individual. Direct personal data is anything that identifies someone from that single piece of data, such as an email address or a driver's license number. Indirect personal data covers separate pieces of data that, in combination, can identify the person.
Under various data privacy regulations, organizations must:
- Know what data they hold and where it resides
- Know how the data is being processed and shared
- Be able to identify specific data for flagging and removal if necessary
- Implement pre-defined policies for automated data access privileges
- Introduce data protection by design and by default into all their systems
- Ensure that all consents for data usage are correctly obtained and managed
- Ensure that personal data is held for no longer than it is needed
- Conduct regular data risk assessments
The role of Data Discovery
Do you know where all the personal data in your company resides? For the vast majority the answer will be 'no'. Yet that is exactly what data privacy regulations demand of you. Even medium-sized companies can easily be holding terabytes of information amassed over many years, with data hiding in legacy systems, file shares, email systems and databases. In many cases, the people who originally created the data have since left the organization. Given this situation, it is not surprising when security professionals say that they don't know where their sensitive data is. Under data privacy regulations, that is no longer acceptable.
Data Discovery is a combination of software tools and processes that let you identify and begin to control the management of the personal data that you hold. It covers three main areas:
You must identify where personal data is stored on your premises or in the cloud. Data discovery tools – such as Klassify Data Discovery & Compliance Suite – can identify any data held in any format such as documents, presentations and emails. Data discovery focuses on the repositories and ‘silos’ of data to provide an accurate picture of your personal data.
Good data discovery tools must automatically classify and manage all personal data spread throughout your organization. They provide advanced capabilities for the fast and accurate identification and tagging of data. These tools have built-in intelligence to understand the context of data, so that a pattern match is confirmed by its surroundings rather than flagged on its own, and they can be tuned to the definitions of a specific privacy regulation.
Data discovery should give you the ability to monitor, track and trace the personal data within your organization to ensure that you have visibility of all activities taking place on that data. This will help to quickly identify the source of data breaches and enable you to comply with notification requirements should a breach occur.
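As an added illustration of the first two areas (locating personal data across a repository and tagging it with context checks), here is a small scanner written for this post; it is not Klassify's code. The detector table, the one-letter-plus-eight-digit licence format and the sample documents are constructed assumptions, not any regulation's definitions.

```python
import re
from collections import Counter

# Each detector is a regex plus context keywords that must appear near a hit.
# The keyword check is the "understand the context" step: a bare 9-character
# code is only tagged as a licence number when licence wording surrounds it.
# Licence format (one letter, eight digits) is a constructed placeholder;
# tune this table to the regulation and ID formats that apply to you.
DETECTORS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), ()),
    "driver_licence": (re.compile(r"\b[A-Z]\d{8}\b"), ("licence", "license", "driver")),
}

def scan_text(text, window=40):
    """Return (category, value) pairs for PII found in one document."""
    lowered = text.lower()
    findings = []
    for category, (pattern, context) in DETECTORS.items():
        for m in pattern.finditer(text):
            nearby = lowered[max(0, m.start() - window):m.end() + window]
            if context and not any(k in nearby for k in context):
                continue  # pattern matched but no supporting context: skip
            findings.append((category, m.group()))
    return findings

def classify(findings):
    """Tag a document from what was found in it (direct PII present or not)."""
    return "Confidential-PII" if findings else "Internal"

def scan_repository(docs):
    """Map each path to its tag and per-category hit counts (the 'where' view)."""
    report = {}
    for path, text in docs.items():
        found = scan_text(text)
        report[path] = {
            "label": classify(found),
            "counts": dict(Counter(category for category, _ in found)),
        }
    return report

# Constructed sample "file share": path -> contents.
SAMPLE_DOCS = {
    "hr/onboarding.txt": "Contact: jane.doe@example.com. Driver licence no: A12345678.",
    "finance/invoice_2019.txt": "Order ref A87654321 shipped to warehouse 4.",
    "legacy/notes.txt": "Ping ops@example.org about the migration.",
}

if __name__ == "__main__":
    for path, result in scan_repository(SAMPLE_DOCS).items():
        print(path, result["label"], result["counts"])
```

The invoice line shows why the context check matters: its order reference matches the licence pattern but, with no licence wording nearby, the file is left tagged Internal instead of raising a false positive.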
Whether you think your organization is in a position to comply fully or only partially with data privacy regulations, it is essential that you are able to demonstrate 'good faith' efforts in that direction. By conducting Data Discovery, you show that you are taking data privacy seriously and have taken the first major step toward compliance.