General Data Protection Regulation: Knowing your data
Prepared by: Paul Barks, Managing Consultant
Table of Contents
1. Introduction
2. The challenge
3. Data mapping
4. Conclusion
5. Further information
6. About NCC Group
NCC Group Whitepaper 2017
1. Introduction
The EU General Data Protection Regulation (GDPR) will come into force across all member states, including the UK, on 25 May 2018. It provides a common baseline for data protection across the member states, and its consistent approach and requirements will benefit organisations with operations in multiple EU countries. The territorial scope of GDPR is not tied to EU membership and reaches well beyond the borders of the EU: it covers any organisation offering goods or services to individuals in the EU, as well as any organisation monitoring the behaviour (for example, tracking on the internet) of individuals in the EU. GDPR is about giving people back control of their personal data. To do this effectively, data controllers and processors will be accountable for understanding the flow of any personal data they use, from the point at which they receive or collect it, to where and how it is stored, and to whom it is shared and how. This process is called data mapping. This whitepaper discusses the importance of knowing your data and how to carry out data mapping.
2. The challenge
GDPR defines personal data as any information relating to an identified or identifiable natural person (the 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data under GDPR is therefore broader than it was under previous data protection legislation across the EU; notable inclusions are biometric data (for example fingerprints, voice and facial recognition data) and online identifiers (for example IP addresses and cookie identifiers).

Why do you need to understand your data environment?
Data mapping is an essential process when working to understand the risks faced, and its output informs downstream activities such as risk assessment and treatment. Data mapping is not mandated by name within GDPR, but it is clearly needed to achieve several of GDPR's key requirements. The closest explicit requirement is Article 30, Records of processing activities, which requires most controllers and processors to keep a record of what personal data they process, for what purposes, with whom it is shared and, where possible, for how long it is retained. Examples of requirements that depend on knowing your data include:
- Article 5, Principles relating to the processing of personal data: GDPR sets out six principles, including data minimisation, which states that personal data must be 'adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed'. Organisations must therefore limit the personal data they collect to only that necessary for the purposes for which it is processed, and they cannot demonstrate this without knowing what they hold.
- Article 15, Right of access by the data subject: an individual can request access to the personal data an organisation holds about them. To meet this requirement the organisation must know where that personal data is stored and, of course, have a process for extracting it.
- Article 17, Right to erasure: an individual can request that the personal data an organisation holds about them is deleted (in certain circumstances). Again, the organisation must know where that data is stored.
- Article 32, Security of processing; Article 25, Data protection by design and by default; and Article 35, Data protection impact assessment: each requires the organisation to know its risks, including the impact of a data breach.
- Article 33, Notification of a personal data breach to the supervisory authority, and Article 34, Communication of a personal data breach to the data subject: both require the organisation to know the volume and categories of data affected in order to report. Article 33 also sets a deadline of 72 hours from becoming aware of a breach for notifying the supervisory authority where feasible, which leaves no time to start discovering data after the event.
Knowing the location of your data is also essential for transfers outside the EU, as these require additional safeguards to ensure compliance with GDPR. So, while data mapping is not explicitly called out in GDPR, an organisation cannot credibly claim to be compliant with the law if it does not know what personal data it has and where that data is. Where third parties are involved in the collection and/or processing of that personal data, the data controller must know about it.

Who does this impact?
While there is a need to understand where the data is within the organisation, it is important to recognise that this is not just an IT issue. Although the IT function plays an important part in the collection and use of personal data, it does not typically determine which data the organisation needs to collect and process to achieve its business objectives, or how to go about getting that data. Teams across all business functions, both internal and external facing, must take responsibility for their own data; they are the best people to identify what data they need, why it is needed and who they need to help them process it. Alongside each business function identifying its own data requirements, the following also need to be considered:
- Legal and compliance: how long should the personal data be retained, and how is adherence to GDPR requirements monitored?
- Governance: are policies and procedures in place for your people to follow in order to meet GDPR requirements?
- Human resources: how is staff awareness of GDPR requirements raised, particularly where external resources such as contractors are used?
- Information technology: how are the technical aspects of the policies, procedures and GDPR requirements implemented?

Where is the data?
Having recognised that personal data needs to be located within the environment and that this affects all business functions, the data then needs to be discovered. This may seem a relatively straightforward exercise; however, organisations need to consider all possible locations, which may include:
- End user devices (desktops, mobiles, laptops)
- File servers
- Virtual environments
- Cloud environments (including those not sanctioned by the IT function)
- Databases
- Email
- Websites
- Intranets
- External organisations
- Physical file storage (including internal and external paper archives)
All potential locations need to be considered in order to identify the personal data that exists across the organisation and where it has been passed to third parties. It is typical to find data hidden in unexpected places and duplicated throughout an environment, adding to the complexity and to the data risk. Discovering where personal data resides is only the first step. Sufficient time and resource should be allocated to the follow-on activities that remediate and minimise both duplicated data and data that is not required: that is, data collected where there is no business need to hold it, or data held beyond the organisation's defined retention periods.
3. Data mapping
What is the best approach to mapping the data?
There are different approaches to mapping data, but they come down to either a workshop-led interview approach or a technology-led approach. In our experience, the approach that provides the most comprehensive and actionable output for an organisation is the workshop-led approach, as it identifies the areas of concern in which technology can then be deployed to understand the specific risks. A one-size-fits-all data discovery tool does not yet exist, which is why it is important to understand what the data risk is before spending time and money on tooling that may not provide a suitable solution. The benefits of the workshop-led approach are that:
- Workshops provide an understanding of the business, including why data is captured, where it comes from and how it is collected. The context of the data, and why it is critical to the organisation, is understood.
- Workshops enable key individuals with many years' experience in the organisation to provide input and identify the key locations where data is stored, as well as processes that may be introducing unnecessary risk.
- The output of the workshops can focus the use of discovery tools on identifying and extracting data in the identified locations, rather than a potentially costly sweep across every device in the organisation.
- This gives a greater understanding and a higher quality of output, as opposed to large volumes of data which may include many false positives and lack the appropriate business context.

What is the output from a data mapping exercise?
The objective of the data mapping exercise is to understand the data environment. To achieve this, we identify the ingress, processing, storage and egress of personal data across the organisation. One of the key outputs of the workshops is the Data Asset Inventory (DAI). The DAI is populated to show the different data types, what volumes are processed and by whom, where the data is stored, and in what format (electronic and/or physical).
Figure 1: The Data Asset Inventory
The DAI should be a living document, maintained by the organisation after the initial work to populate it. Doing so will:
- Assist with identifying duplicate data fields and those that are not required, thereby minimising the amount of data held.
- Give the organisation the ability to respond quickly and effectively to requests from data subjects, including under Article 15 (Right of access by the data subject) and Article 17 (Right to erasure).
- Facilitate compliance with the organisation's data retention policy (and therefore assist with the deletion of data).
The second output is a Data Flow Diagram (DFD), created to show the flow of data across the organisation from how it is collected to how it is stored. This step builds an understanding of the data estate and of how the potential data storage locations are linked, and ensures that all data storage has been considered.
Figure 2: The Data Flow Diagram. The key distinguishes core applications from storage. The example diagram spans UK, London and Germany operations, partner and external organisations, and transport links such as HTTPS, HTTP, SFTP, SMTP, VPN and a dedicated fibre ring; storage locations include SQL databases, local disk, an Ops SharePoint, a back-up repository, email and hard-copy contracts in a locked cabinet. The data types mapped are employee data (name, email, number, address, date of birth, bank account number) and customer data (name, email, number, address, date of birth).
Both the DFD and the DAI help to identify where discovery tools can be used to focus a search for personal data. The alternative, searching across the entire IT estate, can be both uneconomical and unnecessary. A DFD also surfaces transport weaknesses: in Figure 2 some flows run over plain HTTP rather than HTTPS or SFTP, which is exactly the kind of finding to feed into risk treatment.
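The focused discovery described above, sketched as an added Python example that is not part of the whitepaper and is not NCC Group's tooling. The three locations and their contents are constructed samples standing in for entries a workshop would have recorded in the DAI; the two detectors (email addresses, and IP addresses as online identifiers) and the version-string filter are simple heuristics chosen for illustration, and a real exercise would add detectors for the other fields the DAI records. The point it shows is that a scan restricted to identified locations still produces false positives (a malformed dotted quad in a log, a software version that looks like an IP address), and that those have to be filtered before the counts go into the inventory.

```python
"""Focused personal-data discovery over locations identified in workshops.

Added example, not NCC Group tooling. The locations and their contents are
constructed samples; the detectors and the false-positive filters are simple
heuristics chosen to illustrate the approach.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample contents for three locations a workshop might have
# recorded in the DAI (an HR share, an application log, a SharePoint page).
SAMPLE_LOCATIONS = {
    r"\\fileserver\hr\starters.csv": (
        "name,email,dob,bank\n"
        "Jane Doe,jane.doe@example.com,1984-03-12,12345678\n"
        "Sam Roe,sam.roe@example.com,1990-11-02,87654321\n"
    ),
    "C:/ops/app.log": (
        "2017-05-01 10:00:01 client=203.0.113.45 user=jane.doe@example.com\n"
        "2017-05-01 10:00:02 client=198.51.100.7 user=sam.roe@example.com\n"
        "2017-05-01 10:00:03 build=10.2.3.400 status=ok\n"
        "2017-05-01 10:00:04 client=203.0.113.45 user=jane.doe@example.com\n"
    ),
    "sharepoint:/Ops/release-notes.txt": (
        "Upgraded to version 2.4.1.9 on 2017-05-01\n"
    ),
}

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
VERSION_CONTEXT = re.compile(r"\b(?:version|build|release)\b", re.IGNORECASE)


def find_emails(line):
    """Email addresses on a line."""
    return EMAIL.findall(line)


def find_ipv4(line):
    """IPv4 literals on a line, minus two common false positives: dotted
    quads that are not valid addresses (an octet above 255) and dotted quads
    on lines that talk about versions or builds (e.g. '2.4.1.9')."""
    hits = []
    for match in DOTTED_QUAD.finditer(line):
        candidate = match.group(0)
        try:
            ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue            # e.g. 10.2.3.400 is not an address
        if VERSION_CONTEXT.search(line):
            continue            # a version string, not an online identifier
        hits.append(candidate)
    return hits


# Data types as they would be named in the DAI, mapped to their detector.
DETECTORS = {
    "email address": find_emails,
    "IP address (online identifier)": find_ipv4,
}


def scan(locations):
    """Run every detector over every line of every location and return
    {(location, data type): {"occurrences": n, "distinct": {values}}}."""
    inventory = defaultdict(lambda: {"occurrences": 0, "distinct": set()})
    for location, text in locations.items():
        for line in text.splitlines():
            for data_type, detector in DETECTORS.items():
                for value in detector(line):
                    row = inventory[(location, data_type)]
                    row["occurrences"] += 1
                    row["distinct"].add(value)
    return dict(inventory)


def inventory_rows(locations):
    """Flatten the scan into the fields a DAI row records for each location:
    which data type is present, how many records, how many distinct values.
    Locations where nothing was found produce no row."""
    rows = []
    for (location, data_type), row in sorted(scan(locations).items()):
        rows.append({
            "location": location,
            "data type": data_type,
            "occurrences": row["occurrences"],
            "distinct values": len(row["distinct"]),
        })
    return rows


if __name__ == "__main__":
    for r in inventory_rows(SAMPLE_LOCATIONS):
        print(f"{r['location']:<36} {r['data type']:<32} "
              f"occurrences={r['occurrences']} distinct={r['distinct values']}")
```

On the sample data the HR share and the application log each produce inventory rows, while the release notes produce none: the only dotted quad there sits on a line about a version and is discarded, as is the malformed `10.2.3.400` in the log. The distinct-value count is what matters for Article 15 and Article 17 handling (how many subjects are affected), whereas the occurrence count is a pointer to duplication worth remediating.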
4. Conclusion
There is a clear requirement to understand the data within an organisation in order to comply with GDPR. There are additional benefits, however, including making the data easier to find, improving the quality of the data available for analytics, and increasing customer trust by being able to demonstrate that data is managed effectively. While the scale and scope of the potential fines should not be ignored (up to €20 million or four per cent of global annual turnover, whichever is greater), there are other good reasons for getting GDPR right. Data mapping is therefore not simply a nice-to-have, but an essential foundation of your privacy programme: it helps you understand the data that you process and enables you to achieve compliance with the requirements of GDPR.
5. Further information
NCC Group is committed to helping clients prepare for GDPR. We offer a range of services, from initial assessment through to transformation strategy. For further information about our GDPR services, please contact: response@nccgroup.trust
We have authored a number of blog posts about GDPR and other relevant subjects and will continue to provide insight over the coming months. These can be accessed at: www.nccgroup.trust/gdpr
6. About NCC Group
NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security. Headquartered in Manchester, UK, with over 35 offices across the world, NCC Group employs more than 2,000 people and is a trusted advisor to 15,000 clients worldwide.