In my previous post we explained how Veeam, as a Swiss-based company with many European customers, needs to be compliant with GDPR just like many other companies that handle data for European citizens.
I also promised that we would share our learnings to help you in your compliance process. Our lessons learned can be brought back to 5 key principles:
- Know your data
- Manage the data
- Protect the data
- Documentation and compliance
- Continuous improvement
Today, I want to go deeper on the first principle: Know your data.
The first essential step that you need to take is to determine if your organization has personally identifiable information (PII) of an EU resident. I have had several conversations with organizations which believed that they did not hold this data. However, after delving a little deeper, we quickly realized that they did hold this information and were directly affected by GDPR compliance.
PII is a very broad category of information. It is ANY data that can be used to identify an individual. One quickly gravitates toward obvious information such as name, contact information, or pictures; but PII can include many other forms of data. Without attempting to provide a comprehensive list, PII also includes IP addresses, location data through an app, feedback forms, data from reward programs and more. Article 4 defines PII as follows:
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Not only is it important to determine the presence of PII, but the GDPR also includes even more strict regulations for something classified as sensitive PII. Sensitive PII includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life. This data is a special category of PII that is subject to additional protections.
Also, know that you must look at more than just customer or external data. Within your organization, your employee’s data (mostly with HR) is also categorized as PII. If you employ any European employees, it means that you need to be aware of this data.
Last but certainly not least, you must understand who has access to this data and where it is located.
Obviously, this is a task easier said than done. One of the approaches is using a technical solution that can map your data. These solutions are only as effective as their definition policies. Some solutions learn as they gather and analyze data, adding additional definitions to improve results, while others are dependent on manual settings. In both scenarios, it is of critical importance that the solutions are able to discover and map ALL your data.
Veeam went through the process of creating specific surveys (adapted per business unit) and sent those to all business units across the world. Some examples of those surveys will be made available with our upcoming whitepaper so that you can adapt them to your needs and use them internally to do the same exercise.
One important tip: you should include all business units including regional and non-EU business units. For example: our regional marketing team in North America had to go through the survey also. As they are responsible for leading events in North America, they own data from European citizens who fly internationally to attend these events.
Another additional factor to note is that as you build processes to understand your data, it is helpful to create flow charts that map the flow of PII data across your organization AND to your third-party partners. Possibly some of the technology solutions you have in-house will be able to do that for you automatically. In the case of Veeam, the Veeam Availability Platform will be able to give you an entire picture of your backup environment and the flow of that data.
Know your data is the first and probably one of the most important steps to take. Many organizations are not aware of what data they own, the breadth and scope of this data, and where that data is located. If you have a good insight and understanding of your data, the next steps will become easier.