Now that the European Union General Data Protection Regulation (GDPR) has been in place for about a year, managing big data and automating workflow are two significant challenges organizations face as they continue tackling data protection, International Data Corporation European Security Research Director Martin Whitworth said.
During a Forcepoint webinar reflecting on the first year of GDPR and what challenges remain for its future, Whitworth touched upon the large data lakes organizations have that likely process personal data – a problem that has led many companies to over-comply with GDPR by deleting too much data.
Whitworth said that organizations could stop forcing themselves into a binary choice between keeping and deleting data by using encryption methods for pseudonymization and anonymization. These would “de-risk” and “de-identify” data.
“Maybe you don’t know what you can do at the moment, so maybe encrypting and locking off-site is an option until you’ve got the answer – as long as you can demonstrate to supervisory authorities, if challenged, that you have made it unavailable to processing,” Whitworth said.
Amid the issue of figuring out how to safeguard and use data, organizations are also grappling with how to move from a state of manual compliance with GDPR to operational compliance, Whitworth added.
“All too many organizations look at data protection by design and default and only apply it to application development or product development,” he said. “They’re not looking at the whole innovation process.”
For data privacy protection to be interwoven across an enterprise rather than treated as a compliance exercise, automation and orchestration will be essential. Whitworth said that the subject access request (SAR), which grants individuals the right to access their personal data, is one area of GDPR enforcement in need of automation, as it will allow people to process SARs automatically and more easily.
Automation and orchestration are also key to mitigating third-party supply chain risk, which Whitworth said is also important in developing SAR.
“Unless you’re doing automation and orchestration, then all you’re doing is saving up a huge manual backlog again,” Whitworth said. “And if you thought it was difficult to deal with a subject access request, think about if you’ve got to go down to your third, fourth, fifth parties in your supply chain to assure … a third supervisory authority that you’re doing the right thing.”