Monday, October 10, 2016

How the new EU General Data Protection Regulation will impact organizations

The new EU GDPR comes into effect in May 2018. It will be a bigger issue than expected or understood, and it is the law.

One key question will be what counts as personal data, in which systems it is stored, and for how long. Do we know where users' personal data is, and are we even able to find personal data in our data mass? Do we hold personal data only in managed data, such as applications and databases, or do we also have personal data in unmanaged data? And honestly, can someone explain what unmanaged or dark data is, whether we have it, and how much?

The short answer is that yes, you do, and usually a lot. Veritas used the term Databerg, like iceberg: you only see the 10%, and the rest sits in the dark, below your sight and understanding. It is historical data, data where policies and controls have failed.

You have just deployed new tools but have not migrated or deleted the old ones - yes, deleted. Normally a corporation backs up end-user workstations to the local file server, which is then replicated to the central data center and then stored on backup tapes. And this happens for the same file on multiple users' computers: backed up to the local branch office file server, backed up to the centralized data center, and included on the backup tapes. And for sure it is also in email and PST files, backed up the same way as files and email backups. Sounds familiar?

If not - I don't believe it.

Based on the above, what if a customer, or you as an employee, wants to be forgotten? How do you ensure that your yearly reviews, or the saved log files from an authenticating proxy, are deleted and not restored from backup in a crisis, when the systems have crashed and your data comes back into the system and becomes visible? An IP address is personal information here, explaining that you as an individual have tried to connect from your PC to the Internet, regardless of whether the target was against corporate policy - maybe.
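The questions above (where is personal data stored, which backup copies hold the same file, and what has to be touched for an erasure request) can be answered only by actually scanning the data mass. The following Python script is an added example, not code from the original post: it inventories e-mail addresses and IPv4 addresses across a small constructed set of files (a yearly review on a branch file server, its backup copy in the data center, an authenticating proxy log, and an unrelated readme), groups byte-identical copies by hash, and builds the worklist for erasing one identifier. All file paths and contents are constructed sample data.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed sample "data mass" (path -> file contents). None of it is real data:
# a yearly review on a branch file server, its backup copy in the data center,
# an authenticating proxy log, and an unrelated tools readme.
REVIEW_TEXT = (
    "Annual review 2015\n"
    "Employee: anna.virtanen@example.com\n"
    "Manager: pekka.korhonen@example.com\n"
    "Notes: exceeded targets; home office IP 192.168.1.20 registered for VPN\n"
)
SAMPLE_FILES = {
    "branch-fs/users/anna/review-2015.txt": REVIEW_TEXT,
    "datacenter/backup/branch-fs/users/anna/review-2015.txt": REVIEW_TEXT,
    "proxy/access.log": (
        "2016-10-10T08:01:02 10.20.30.41 CONNECT www.example.org:443 user=anna\n"
        "2016-10-10T08:01:05 10.20.30.41 GET http://news.example.org/ user=anna\n"
        "2016-10-10T08:02:11 10.20.30.77 GET http://intranet.example.com/ user=pekka\n"
    ),
    "dev/tools/readme.txt": "Toolchain release 300.1.2.3, no contact details here\n",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_files(files):
    """Inventory personal-data identifiers: kind -> value -> [(path, line_no), ...]."""
    inventory = {"email": defaultdict(list), "ipv4": defaultdict(list)}
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in EMAIL_RE.finditer(line):
                inventory["email"][m.group().lower()].append((path, line_no))
            for m in IPV4_RE.finditer(line):
                try:
                    ipaddress.IPv4Address(m.group())  # drops "300.1.2.3"-style false positives
                except ValueError:
                    continue
                inventory["ipv4"][m.group()].append((path, line_no))
    return {kind: dict(values) for kind, values in inventory.items()}


def find_duplicate_copies(files):
    """Groups of paths whose contents are byte-identical (the same file kept in several places)."""
    by_hash = defaultdict(list)
    for path, text in files.items():
        by_hash[hashlib.sha256(text.encode("utf-8")).hexdigest()].append(path)
    return sorted(sorted(paths) for paths in by_hash.values() if len(paths) > 1)


def erasure_worklist(files, identifier):
    """Every (path, line_no) that has to be handled to honour an erasure request for one identifier."""
    inventory = scan_files(files)
    hits = []
    for values in inventory.values():
        hits.extend(values.get(identifier, []))
    return sorted(hits)


if __name__ == "__main__":
    for kind, values in scan_files(SAMPLE_FILES).items():
        for value, places in values.items():
            print(f"{kind:5} {value:28} {len(places)} occurrence(s): {places}")
    print("duplicate copies:", find_duplicate_copies(SAMPLE_FILES))
    print("erasure worklist:", erasure_worklist(SAMPLE_FILES, "anna.virtanen@example.com"))
```

The IPv4 candidate is validated with `ipaddress` so that version strings such as `300.1.2.3` do not end up in the inventory, and the hash grouping is what shows that the review on the branch server and its data-center backup are the same file, which is exactly the copy a restore would bring back.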

Another question will be pictures and all the legal topics around them: how, for example, can you publish pictures to the web that include people other than yourself? A picture's metadata can also include the location, which actually helps to identify where the picture was taken and who is in it. And what if I want to be forgotten - is it enough to delete a picture that also shows other people??
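The location mentioned above lives in the picture's Exif metadata, in the GPS sub-IFD of the embedded TIFF structure. The following Python script is an added example, not code from the original post: it builds a constructed JPEG skeleton (SOI, one Exif APP1 segment, EOI) whose only metadata is a GPS IFD, then parses any JPEG's marker segments to report the position in decimal degrees, and strips the Exif segment so the location does not leave with the picture. The coordinates, tag layout and offsets in the builder are constructed sample values; the tag numbers are the standard Exif GPS tags.

```python
import struct

# Exif/TIFF tags used here: the IFD0 pointer to the GPS sub-IFD and the four GPS position tags.
GPS_IFD_TAG = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
EXIF_HEADER = b"Exif\x00\x00"
SOI, APP1, SOS, EOI = 0xFFD8, 0xFFE1, 0xFFDA, 0xFFD9

def _rational3(deg, minutes, seconds):
    """Three little-endian RATIONALs (numerator, denominator) for degrees, minutes, seconds."""
    return struct.pack("<6I", deg, 1, minutes, 1, int(round(seconds * 100)), 100)

def build_constructed_jpeg(lat=(60, 10, 12.5), lat_ref="N", lon=(24, 56, 30.0), lon_ref="E"):
    """Constructed sample: JPEG skeleton (SOI, one Exif APP1, EOI) whose only metadata is a GPS IFD."""
    # TIFF offsets: 0 header (8) | 8 IFD0, 1 entry (18) | 26 GPS IFD, 4 entries (54) | 80 lat | 104 lon
    gps_ifd_off, lat_off, lon_off = 26, 80, 104
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_ifd_off) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode("ascii") + b"\x00\x00\x00"  # short ASCII fits inline
    gps += struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)  # 3 RATIONALs = 24 bytes, so stored at an offset
    gps += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode("ascii") + b"\x00\x00\x00"
    gps += struct.pack("<HHII", GPS_LON, 5, 3, lon_off) + struct.pack("<I", 0)  # last entry, no next IFD
    tiff += gps + _rational3(*lat) + _rational3(*lon)
    payload = EXIF_HEADER + tiff
    return struct.pack(">H", SOI) + struct.pack(">HH", APP1, len(payload) + 2) + payload + struct.pack(">H", EOI)

def _segments(jpeg):
    """Yield (marker, raw segment bytes) for each marker segment; SOS/EOI ends the metadata area."""
    if jpeg[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        marker = struct.unpack(">H", jpeg[pos:pos + 2])[0]
        if marker in (SOS, EOI):
            yield marker, jpeg[pos:]
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length

def _read_ifd(tiff, off, endian):
    """Parse one IFD into tag -> (type, count, raw 4-byte value-or-offset field)."""
    entries = {}
    for i in range(struct.unpack(endian + "H", tiff[off:off + 2])[0]):
        e = off + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries

def _dms_to_degrees(tiff, entry, endian):
    """Convert a GPS coordinate entry (three RATIONALs: deg, min, sec) to decimal degrees."""
    typ, n, raw = entry
    if typ != 5 or n != 3:
        raise ValueError("GPS coordinate is not three RATIONALs")
    off = struct.unpack(endian + "I", raw)[0]
    v = struct.unpack(endian + "6I", tiff[off:off + 24])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def find_gps_location(jpeg):
    """(latitude, longitude) in decimal degrees if the Exif GPS IFD holds a position, else None."""
    for marker, seg in _segments(jpeg):
        if marker != APP1 or seg[4:10] != EXIF_HEADER:
            continue
        tiff = seg[10:]
        endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])[0], endian)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _dms_to_degrees(tiff, gps[GPS_LAT], endian)
        lon = _dms_to_degrees(tiff, gps[GPS_LON], endian)
        lat = -lat if gps[GPS_LAT_REF][2][:1] == b"S" else lat
        lon = -lon if gps[GPS_LON_REF][2][:1] == b"W" else lon
        return (lat, lon)
    return None

def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment dropped; the location goes with it."""
    out = bytearray(jpeg[:2])
    for marker, seg in _segments(jpeg):
        if not (marker == APP1 and seg[4:10] == EXIF_HEADER):
            out += seg
    return bytes(out)

if __name__ == "__main__":
    sample = build_constructed_jpeg()
    print("location in constructed sample:", find_gps_location(sample))
    print("location after strip_exif:", find_gps_location(strip_exif(sample)))
```

`find_gps_location` works on a real camera JPEG too, because it only walks the marker segments up to the scan data and follows the IFD0 pointer to the GPS sub-IFD; `strip_exif` is the check to run before a picture is published, since removing the APP1 segment is what actually removes the location.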

Questions, questions, but very hard to find answers.

But one key here is to see this as an organization-wide issue and to think about what kinds of business units and roles we have and what kinds of data they manage. Is there personal data? If yes, do we collect only the minimum, or just to be safe a little bit more? Do our data processors know, and have we given them guidelines on how to work with our data? If we have not shared and trained them, how do they know how to work? Should they write their own guides on how to work with our data, and does this affect them as registrars while they try to define how to work - or should they just raise their hands and stop working if not guided?

To be continued...


"All comments are my own"
