Let’s continue the journey we started in the previous two blogs. In the first post, we gave a general overview of Veeam’s journey to GDPR compliance and shared our five lessons learned. In the second post, we went deeper into the first of those five principles:
- Know your data
- Manage the data
- Protect the data
- Documentation and compliance
- Continuous improvement
Let’s look closer at the second principle: Manage the data.
If you finished the tasks from the first principle and identified the personally identifiable information (PII) you own and where it resides, you can now start establishing the rules and processes that govern who may access and use that PII.
The key questions here are:
- Who has access to the information, and do you know when they are accessing it?
- Why do they access this information?
- What is the purpose?
Throughout this process, we learned that many distinct departments within your organization process and handle PII, each for its own reasons: marketing, sales and human resources among them. One of the most critical is Human Resources (HR). Some of the data HR owns or collects from your employees is not only PII but sensitive PII, which comes with stricter security measures and protections. We learned that HR should receive special focus and attention while managing the data.
Managing our data is not something we do entirely in-house. Veeam has partnered with 3rd-party vendors to manage specific data sets. Assess each 3rd party for GDPR compliance when you establish the relationship, but also be aware that the processing they do on your behalf still needs to be included in your own processes and workflows. You remain responsible for the data whether it is in the hands of a 3rd-party vendor or not.
Who, why and what?
Not surprisingly, after understanding and classifying the full scope of their organizational data, many organizations realize that access to this data is not carefully managed. If you are using the templates that we provide with our white paper, you have also recorded why people access the information and what they do with it (the purpose). This is the moment to create the workflows and processes that ensure people only have access to the data when it is necessary to complete their business function.
Also review your opt-in disclosure agreements and revise them where necessary. GDPR requires you to state exactly what you are collecting, the purpose of the data and where it is used, and how long you are storing it. At the same time, implement the process that lets you reply to a data subject who asks what you are storing about them, and that lets them request a correction or deletion of that data.
Last, but not least, examine the Access Control Lists for internal teams. It is not uncommon for internal IT staff to have access to all data. Document this access, and ensure that it is audited when IT does need that access to perform their work.
After knowing what your data is and where it is, you need to understand why it is being used and who actually has access to it. Use technical solutions, and form partnerships with 3rd-party vendors to learn how they handle compliance, while understanding that you remain responsible for the data. Adopt solutions that can identify the locations where PII resides and add tagging for PII and sensitive PII. Create reports that audit when someone accessed the data. Plan for data restoration as well: knowing who has access to your production data is not sufficient when restore operators can restore everything they like, because a restore recreates that data outside the production access controls. And last, but not least, since many “threats” will come from the inside, make sure you have physical protection for your infrastructure.
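The access-audit report called for in the last two paragraphs, as an added example that is not part of the original post or of any Veeam product. It assumes a classification inventory from the “know your data” step, a table of documented (account, resource, purpose) rules, and file-server and backup-server audit events flattened to CSV; all three are constructed here. The rules it applies are assumptions for illustration: undocumented access to PII is flagged, documented IT break-glass access is still surfaced for review, and any restore of a PII resource is surfaced regardless of who ran it, because a restore bypasses the production ACLs.

```python
"""Report access events to PII that need review (added example, constructed data)."""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed inventory: resource -> classification from the "know your data" step.
# Labels and paths are assumptions for the example.
INVENTORY = {
    r"\\fs01\hr\payroll": "sensitive-pii",
    r"\\fs01\hr\contracts": "sensitive-pii",
    r"\\fs01\sales\crm-export": "pii",
    r"\\fs01\marketing\leads": "pii",
    r"\\fs01\eng\build-logs": "none",
}

# Constructed access rules: (account, resource) -> documented business purpose.
# "break-glass" marks IT access that is permitted but must always be reviewed.
ALLOWED = {
    ("hr-payroll", r"\\fs01\hr\payroll"): "monthly payroll run",
    ("hr-payroll", r"\\fs01\hr\contracts"): "employment contract management",
    ("sales-ops", r"\\fs01\sales\crm-export"): "pipeline reporting",
    ("mkt-automation", r"\\fs01\marketing\leads"): "campaign execution",
    ("it-admin", r"\\fs01\hr\payroll"): "break-glass",
    ("it-admin", r"\\fs01\hr\contracts"): "break-glass",
    ("it-admin", r"\\fs01\sales\crm-export"): "break-glass",
    ("it-admin", r"\\fs01\marketing\leads"): "break-glass",
}

# Constructed log lines standing in for file-server and backup-server audit events.
SAMPLE_LOG = r"""timestamp,account,action,resource
2018-05-02T08:01:10Z,hr-payroll,read,\\fs01\hr\payroll
2018-05-02T08:05:42Z,sales-ops,read,\\fs01\sales\crm-export
2018-05-02T09:13:07Z,it-admin,read,\\fs01\hr\payroll
2018-05-02T10:30:00Z,mkt-intern,read,\\fs01\hr\contracts
2018-05-02T11:45:19Z,backup-operator,restore,\\fs01\hr\payroll
2018-05-02T12:00:00Z,dev-ci,read,\\fs01\eng\build-logs
2018-05-02T13:22:51Z,sales-ops,read,\\fs01\marketing\leads
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    account: str
    action: str
    resource: str
    classification: str
    reason: str


def audit_access(log_text=SAMPLE_LOG, inventory=INVENTORY, allowed=ALLOWED):
    """Return the access events that need human review, in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        cls = inventory.get(row["resource"], "unknown")
        if cls == "none":
            continue  # not personal data, nothing to report
        purpose = allowed.get((row["account"], row["resource"]))
        if cls == "unknown":
            reason = "access to resource missing from inventory"
        elif row["action"] == "restore":
            # A restore recreates the data outside production ACLs, so it is
            # reported even when the operator is otherwise permitted.
            reason = "restore of personal data"
        elif purpose is None:
            reason = "no documented purpose"
        elif purpose == "break-glass":
            reason = "break-glass access, requires ticket reference"
        else:
            continue  # documented business purpose, no finding
        findings.append(Finding(row["timestamp"], row["account"], row["action"],
                                row["resource"], cls, reason))
    return findings


def summary_by_account(findings):
    """Count findings per account, handy as the top of the monthly report."""
    return dict(Counter(f.account for f in findings))


if __name__ == "__main__":
    for f in audit_access():
        print(f"{f.timestamp} {f.account:16} {f.action:8} {f.classification:14} "
              f"{f.resource}  <- {f.reason}")
    print(summary_by_account(audit_access()))
```

Run against real data, the same logic applies as long as the export carries an account, an action and a resource path that can be joined to the inventory; the point of the example is that the inventory and the purpose table from the earlier principles are what turn a raw access log into an auditable report.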