GDPR and Data Mapping

Grant Fritchey
1 May 2018, 05:03

Summary

TL;DR: Grant Fritchey from Redgate Software discusses the challenges of GDPR compliance, emphasizing the importance of data mapping and understanding the types of data an organization holds. He highlights the risks of data breaches caused by employee error and negligence, and stresses the necessity of classifying data, reducing the attack surface area, and managing data in compliance with GDPR. Fritchey advocates for automating data management processes, in particular the movement of data from production to non-production environments, to maintain control and ensure GDPR compliance.

Takeaways

  • 📚 The primary challenge in GDPR compliance is understanding and mapping all the data an organization holds, and knowing where it resides.
  • 🔍 It's crucial to classify data under GDPR to determine the level of protection required for different types of data.
  • 🚨 A significant portion of data breaches are due to employee error and negligence, highlighting the importance of proper data handling.
  • 🔑 The 'right to be forgotten' under GDPR necessitates knowing where all data is stored to ensure it can be deleted upon request.
  • 🔍 Step 1 involves finding all data storage locations, including databases, the servers they run on, cloud services such as Azure and AWS, hosted systems, off-site backups, and files held in Excel or SharePoint.
  • 📋 Step 2 is about classifying the data to understand which data is private and should not be shared, and implementing controls accordingly.
  • 🛡️ Step 3 focuses on reducing the attack surface area by removing unnecessary mechanisms that could lead to accidental data leaks.
  • 💾 Step 4 is about managing the data in compliance with GDPR, which includes documenting and adhering to the regulations.
  • 🤖 Automation is key to managing data effectively, ensuring that data movement between environments, in particular from production to non-production, is controlled and traceable.
  • 🚫 Manual processes can lead to data being copied without oversight, which is a risk for GDPR compliance: you cannot demonstrate control over data whose whereabouts you do not know.
  • 📈 Knowledge of the data and its location is fundamental to meeting all GDPR requirements, including the ability to remove data as needed.
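
Worked example of steps 1, 2 and the right-to-be-forgotten lookup from the takeaways above. This is an added example, not code from the video, from Grant Fritchey or from Redgate Software. It runs against an in-memory SQLite database filled with constructed rows; every table and column name is invented, and the regex-plus-column-name classifier is a deliberately simple stand-in for a real discovery tool. It also shows the case the talk warns about: an analytics copy and a free-text column that both carry a customer's email address outside the table where you would expect it.

```python
"""Data-mapping pass for GDPR: inventory, classify, locate a data subject.

Added example, not code from the video or from Redgate Software.  Runs
against an in-memory SQLite database filled with constructed rows; every
table and column name below is invented for illustration."""
import re
import sqlite3

# Value-pattern detectors applied to a sample of each column.  'date' is
# tested before 'phone' because a YYYY-MM-DD string also matches the
# looser phone pattern.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "date": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "phone": re.compile(r"^\+?[\d\s().-]{7,}\d$"),
}
# Column-name hints used when the values alone are not conclusive.
NAME_HINTS = {"name": "name", "dob": "date", "birth": "date"}


def build_sample_db():
    """Constructed sample data: a customer table, an orders table whose
    free-text notes column has picked up an email address, and an
    analytics copy that a manual export left behind (the 'Stefan moved
    data around and you don't know about it' case)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, full_name TEXT,
                               email TEXT, phone TEXT, dob TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER,
                            total REAL, notes TEXT);
        CREATE TABLE analytics_export(row INTEGER, contact TEXT, spend REAL);
        INSERT INTO customers VALUES
          (1, 'Ada Lovelace', 'ada@example.org', '+44 20 7946 0000', '1815-12-10'),
          (2, 'Alan Turing', 'alan@example.org', '+44 1234 567890', '1912-06-23');
        INSERT INTO orders VALUES
          (10, 1, 42.0, 'gift wrap'),
          (11, 2, 9.5, 'call alan@example.org before shipping');
        INSERT INTO analytics_export VALUES
          (1, 'ada@example.org', 42.0),
          (2, 'alan@example.org', 9.5);
    """)
    return conn


def inventory(conn):
    """Step 1: every user table and column, i.e. what we hold and where."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    return [(t, col[1]) for t in tables
            for col in conn.execute(f'PRAGMA table_info("{t}")')]


def classify_column(name, samples, threshold=0.8):
    """Step 2: label a column when at least `threshold` of its sampled
    non-null values match a PII pattern; otherwise fall back to name hints."""
    values = [str(v) for v in samples if v is not None]
    if values:
        for label, rx in PATTERNS.items():
            hits = sum(1 for v in values if rx.match(v))
            if hits / len(values) >= threshold:
                return label
    lowered = name.lower()
    for hint, label in NAME_HINTS.items():
        if hint in lowered:
            return label
    return "unclassified"


def build_data_map(conn, sample_size=100):
    """The data map itself: {(table, column): classification}."""
    data_map = {}
    for table, column in inventory(conn):
        rows = conn.execute(
            f'SELECT "{column}" FROM "{table}" LIMIT ?', (sample_size,)).fetchall()
        data_map[(table, column)] = classify_column(column, [r[0] for r in rows])
    return data_map


def locate_subject(conn, data_map, email):
    """Right-to-be-forgotten groundwork: every (table, column, row_count)
    where the subject's email occurs.  Email columns are matched exactly;
    unclassified columns are searched as substrings, because free text is
    where stray copies of personal data hide."""
    found = []
    for (table, column), label in data_map.items():
        if label == "email":
            sql, arg = f'SELECT COUNT(*) FROM "{table}" WHERE "{column}" = ?', email
        elif label == "unclassified":
            sql, arg = (f'SELECT COUNT(*) FROM "{table}" WHERE "{column}" LIKE ?',
                        f"%{email}%")
        else:
            continue
        count = conn.execute(sql, (arg,)).fetchone()[0]
        if count:
            found.append((table, column, count))
    return sorted(found)


if __name__ == "__main__":
    db = build_sample_db()
    dmap = build_data_map(db)
    for (tbl, col), label in dmap.items():
        print(f"{tbl}.{col}: {label}")
    print(locate_subject(db, dmap, "alan@example.org"))
```

Two things a practitioner should take from running it. First, the locate step finds Alan's address in three places, only one of which is the customers table; the other two (the analytics export and an order note) are exactly the copies that an erasure request would miss if the data map did not exist. Second, the classifier is sampling-based and name-based, so a column it labels "unclassified" is not cleared, it is simply unknown; the substring search over unclassified columns is the safety net for that, and it is the reason step 3 (removing mechanisms that create such copies) matters as much as the map.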

Q & A

  • What is the primary challenge mentioned in the script regarding GDPR compliance?

    -The primary challenge is mapping and understanding the data an organization has, knowing where it resides, and classifying it according to GDPR requirements for appropriate protection levels.

  • What percentage of data breaches were caused by employee error according to the script?

    -10% of data breaches were caused by employee error.

  • What percentage of data breaches were due to employee negligence as mentioned in the script?

    -7% of data breaches were due to employee negligence.

  • What does the 'right to be forgotten' under GDPR entail?

    -The 'right to be forgotten' requires organizations to know where all personal data is stored so that it can be removed upon request, demonstrating compliance with GDPR.

  • Why is it crucial to know where data is stored in the context of GDPR compliance?

    -Knowing where data is stored is crucial for GDPR compliance because it enables organizations to protect data appropriately, manage it effectively, and fulfill requests like the 'right to be forgotten'.

  • What is the importance of classifying data under GDPR?

    -Classifying data is important to determine which data is private and should not be shared, and to implement the necessary controls to protect it as required by GDPR.

  • What is the suggested approach for managing data to ensure GDPR compliance?

    -The suggested approach includes finding all data, classifying it, reducing the attack surface area, and managing the data in compliance with GDPR, including automating data management processes.

  • What is the role of automation in achieving GDPR compliance according to the script?

    -Automation is critical for getting data management under control, in particular the mechanisms by which data leaves production for non-production environments, so that data is not moved or processed without visibility and compliance with GDPR requirements can be maintained and demonstrated.

  • What are some of the consequences of not managing data properly as per GDPR?

    -Consequences include potential data breaches, non-compliance with GDPR regulations, and the inability to fulfill requests like the 'right to be forgotten'.

  • What does reducing the attack surface area mean in the context of data protection?

    -Reducing the attack surface area means minimizing the opportunities for data leaks by removing unnecessary mechanisms and ensuring that only authorized processes and accesses are in place.

  • Why is it important to document compliance with GDPR?

    -Documenting compliance with GDPR is important for demonstrating to regulators and affected individuals that an organization is adhering to the regulation's requirements and protecting personal data as mandated.

Outlines

00:00

🔒 Data Mapping and GDPR Compliance Challenges

Grant Fritchey from Redgate Software discusses the complexities of GDPR compliance, emphasizing the importance of understanding and mapping an organization's data. He highlights the need to classify data according to GDPR requirements to ensure appropriate protection levels. Grant points out that a significant number of data breaches are due to employee error or negligence, which underscores the necessity for proper data management. He advises on the steps to take for compliance: finding every place data is stored (databases, servers, Azure, AWS, hosted systems, off-site backups, Excel, SharePoint), classifying it, reducing the attack surface area, and managing data according to GDPR regulations. The right to be forgotten is mentioned as a key aspect of compliance, which requires knowing the location and form of all data. Grant stresses the importance of automation in data management, especially for data leaving production for non-production environments, to maintain control and compliance.

05:01

🛠️ Automation in Data Management

The closing seconds are Grant's sign-off, in which he repeats his name and his affiliation with Redgate Software. The automation point he makes just before it is that without automated, known mechanisms for moving data out of production into non-production environments, the organization cannot say where its data is going, and therefore cannot demonstrate GDPR compliance.

Keywords

💡GDPR

GDPR stands for General Data Protection Regulation, which is a regulation in EU law that focuses on data protection and privacy for all individuals within the European Union. It is central to the video's theme as it discusses the challenges of mapping and protecting data under GDPR, ensuring compliance with its regulations to avoid data breaches and penalties.

💡Data Mapping

Data mapping refers to the process of identifying, documenting, and categorizing an organization's data to understand where it is stored and how it is used. In the context of the video, data mapping is crucial for GDPR compliance, as it helps organizations understand their data landscape to classify and protect data appropriately.

💡Data Classification

Data classification is the process of categorizing data based on its sensitivity and the level of protection it requires. The video emphasizes the importance of classifying data under GDPR to determine which data needs to be protected and to what extent, as different types of data have different levels of protection requirements.

💡Data Breach

A personal data breach under GDPR is any unauthorised access to, or accidental loss, disclosure or alteration of, personal data, so an employee copying data to the wrong place counts as much as an external intrusion. The video script mentions that a significant percentage of data breaches are caused by employee error and negligence, highlighting the importance of proper data management and GDPR compliance to prevent such incidents.

💡Employee Error

Employee error refers to mistakes made by staff that can lead to data being mishandled or misplaced. The script cites statistics showing that a considerable number of data breaches are caused by employee errors, underscoring the need for training and strict data handling protocols to minimize risks.

💡Employee Negligence

Employee negligence is the failure of an employee to exercise the care expected in their role, which can result in data being exposed or mishandled. The video script points out that negligence is a common cause of data breaches, indicating the need for vigilance and adherence to data protection policies.

💡Insider Theft

Insider theft is the unauthorized use or theft of information by someone within an organization who has legitimate access to it. The video script includes insider theft as one of the causes of data breaches, emphasizing the importance of internal controls and monitoring to safeguard data.

💡Right to be Forgotten

The right to be forgotten is a concept under GDPR that allows individuals to request the deletion of their personal data from a company's records when it is no longer needed. The video explains that knowing where data is stored is essential to comply with this right, as it is impossible to delete data if its location is unknown.

💡Data Management

Data management involves overseeing the lifecycle of data within an organization, including how it is collected, stored, and processed. The video stresses the importance of automating data management processes to maintain control over data, ensure GDPR compliance, and prevent unauthorized access or breaches.

💡Automation

Automation refers to the use of technology to perform tasks without human intervention. In the video, automation is presented as a solution for managing data effectively, ensuring that data flows and storage are controlled and monitored, which is essential for GDPR compliance and preventing data breaches.

💡Compliance

Compliance in the context of the video means adhering to the rules and regulations set forth by GDPR. The script discusses the various steps organizations must take to achieve compliance, such as mapping and classifying data, reducing attack surfaces, and managing data responsibly.

Highlights

Challenges in GDPR compliance include mapping and understanding the data an organization possesses.

Data classification under GDPR is crucial to determine the level of protection required for different types of data.

Employee error and negligence are significant causes of data breaches, highlighting the importance of proper data handling.

The 'right to be forgotten' under GDPR necessitates knowing the location and existence of all stored data for compliance.

Data mapping is essential for GDPR compliance, involving tracking every bit of data and its storage mechanisms.

Data classification involves identifying which data is private and should not be shared, requiring controls to be put in place.

Reducing the attack surface area is key to preventing accidental data leaks or distribution.

Data management must be in compliance with GDPR, including proper documentation and adherence to regulations.

Automation is vital for controlling data management processes and ensuring GDPR compliance.

Manual processes for data movement can lead to non-compliance if the organization lacks visibility into data flow.

Knowledge of the data is fundamental to meeting all GDPR requirements, starting with understanding what data is held and where.

The importance of mapping all data as the first step towards GDPR compliance is emphasized.

The speaker, Grant Fritchey, identifies himself and his affiliation with Redgate Software, providing credibility to the discussion.

Data breaches statistics are provided to underscore the risks of improper data handling and the need for GDPR adherence.

The consequences of not knowing where data is stored and how it is processed are explained in the context of GDPR compliance.

The necessity of having mechanisms in place to control, document, and support data in compliance with GDPR is discussed.

Transcripts

00:00 Hello, my name is Grant Fritchey. I work
00:02 for Redgate Software. So one of the
00:05 challenges in the GDPR, frankly, is
00:08 mapping your data, of knowing what data
00:12 you have and where it lives, you know,
00:15 across your entire estate, and frankly
00:18 what kind of data is it, because you have
00:22 to classify the data within GDPR and
00:24 know which data has to be protected in
00:27 what way, because different data has
00:29 different levels of protection and,
00:31 unavoidable here, you have to figure that
00:33 out. So you're gonna have to walk through
00:36 every single bit of data you have, and
00:39 it's in your best interest to do
00:42 this, because if you go to some place
00:45 like the Theft Resource Center and look
00:49 at some of the data breaches, 10% of the
00:52 breaches were caused by employee error
00:55 and 7% of the breaches were caused by
00:57 employee negligence, and only about 5%
01:01 were actually caused by, you know, our and
01:03 follow, I'm sorry, and 5% were caused by
01:05 insider theft. That's a lot of
01:08 information that is accessible to people
01:11 who probably shouldn't be having it. Yeah,
01:16 I'm granted, some, you know, if it's
01:17 straight-up theft, it could come from
01:19 somebody who's supposed to have it, but
01:21 negligence means that somebody just
01:23 messed up and moved data where it wasn't
01:26 supposed to be, and, you know, accidental
01:29 exposure means somebody messed up and
01:32 moved data where it wasn't supposed to be.
01:34 You know, it's down to the making
01:38 that control, making that mapping and
01:40 understanding exactly which data you
01:43 have and exactly where that data lives
01:45 that you have to arrive at in order to
01:48 make compliance with the GDPR
01:50 possible. Just taking the right to be
01:53 forgotten: if you don't know where
01:55 your data is, you can't comply with the
01:59 right to be forgotten, and you will in
02:00 fact run into issues. So what do you have
02:03 to do? You really are gonna have to take
02:05 the approach of, first you've got to find
02:08 all your data. Where are we storing
02:10 it? Which databases do we have,
02:12 which servers are they on, do we have it
02:14 in other places, Azure, AWS, do we have it,
02:18 you know, hosted someplace, do we have
02:20 off-site backups, do we, you know,
02:22 where is every bit of this data, and in
02:25 what form is it in? Is it in Excel, is it
02:27 in SharePoint, is it in some other, you
02:30 know, storage mechanism? We've got to go,
02:32 we've got to track everything damn yay.
02:37 Step 2, you've got to classify the data.
02:40 You've got to figure out which data is
02:42 under control of the GDPR, which data
02:44 is private data, should not be shared, and
02:47 then you have to put controls around
02:49 that. Step three is reduce your attack
02:51 surface area. You have to remove chances
02:56 for people to leak the data by accident,
02:59 remove chances for people to, you know, to
03:02 distribute it. Simply take away
03:05 mechanisms that are not in keeping with
03:08 your overall use of the data as defined
03:12 through the GDPR to your clients and
03:16 members and everyone whose data
03:18 you're managing. And then finally you've
03:21 got to manage the data. You've got to
03:23 take it under control
03:24 and do things with it that are in
03:29 compliance with the GDPR, and feed
03:31 compliance with GDPR, and document
03:33 compliance to the GDPR. And you've got to
03:35 do all these things, which is why one of
03:39 the most important things you can start
03:40 doing is automating. You really have got
03:44 to get your data management under
03:46 control through an automation process. If
03:49 you are not currently, you know,
03:52 automating the mechanisms through which
03:54 data gets out of your production
03:56 environments to non-production
03:57 environments, announce the time, if you
04:00 don't know exactly where data is going
04:02 because there are manual processes being
04:04 occurring, you know, and, you know,
04:07 Stefan over there is moving data
04:10 around and you don't know about it,
04:12 you've got to get that under control
04:13 right there. There's no way that you can
04:17 be compliant with the GDPR and not
04:20 know where your data is, how it's being
04:23 used, how it's being processed
04:25 and where it is, so you can be compliant
04:30 with, you know, "I know where the data is,
04:31 I know how it works, I can remove it as
04:34 needed, I can support it,
04:36 I know it's online, if it goes offline I
04:39 can get it back online." Right, all of the
04:41 requirements of the GDPR
04:43 are all driven off of knowledge of your
04:48 database. First and foremost, you must
04:51 know what data you have and where that
04:53 data lives. So you've got to map all of
04:56 your data, that has to occur, step 1. My
05:00 name is Grant Fritchey. I work for Redgate
05:02 Software.

Related Tags
Data Mapping, GDPR Compliance, Data Protection, Employee Error, Data Breach, Data Management, Automation, Data Privacy, Regulatory Compliance, Information Security