GDPR and Data Mapping
Summary
TL;DR: Grant Fritchey from Redgate Software discusses the challenges of GDPR compliance, emphasizing the importance of data mapping and understanding the types of data an organization holds. He highlights the risks of data breaches caused by employee error and negligence, and stresses the necessity of classifying data, reducing the attack surface area, and managing data in compliance with GDPR. Fritchey advocates automating data management processes to maintain control and ensure GDPR compliance.
Takeaways
- 📚 The primary challenge in GDPR compliance is understanding and mapping all the data an organization holds, and knowing where it resides.
- 🔍 It's crucial to classify data under GDPR to determine the level of protection required for different types of data.
- 🚨 A significant portion of data breaches are due to employee error and negligence, highlighting the importance of proper data handling.
- 🔑 The 'right to be forgotten' under GDPR necessitates knowing where all data is stored to ensure it can be deleted upon request.
- 🔍 Step 1 involves finding all data storage locations, including databases, servers, and cloud services like AWS.
- 📋 Step 2 is about classifying the data to understand which data is private and should not be shared, and implementing controls accordingly.
- 🛡️ Step 3 focuses on reducing the attack surface area by removing unnecessary mechanisms that could lead to accidental data leaks.
- 💾 Step 4 is about managing the data in compliance with GDPR, which includes documenting and adhering to the regulations.
- 🤖 Automation is key to managing data effectively, ensuring that data movement between environments is controlled and traceable.
- 🚫 Manual processes can lead to data being moved without proper oversight, which is a risk for GDPR compliance.
- 📈 Knowledge of the data and its location is fundamental to meeting all GDPR requirements, including the ability to remove data as needed.
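The four steps listed above (find every place data lives, classify it, reduce the attack surface, manage it through an automated and traceable process) can be made concrete in code. The script below is an added example, not Redgate's tooling and not code from the talk: it builds a minimal data map over a constructed inventory, classifies columns with a simple PII heuristic, flags non-production copies that arrived outside an automated pipeline, produces a masked copy for controlled export, and answers the right-to-be-forgotten question "where does this person's data exist?". The `DataStore` model, the regexes, the name hints and the sample estate are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


# Hypothetical inventory record: one per place data lives (constructed for this example).
@dataclass
class DataStore:
    name: str                  # e.g. "crm-db"
    kind: str                  # database / spreadsheet / cloud-bucket / backup
    environment: str           # "production" or "non-production"
    automated_pipeline: bool   # True if data only reaches this store via a controlled, logged process
    columns: dict              # column name -> list of sample values


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d[\d\s\-()]{6,}$")
# Assumed name hints; deliberately narrow to limit false positives such as "hostname".
PII_NAME_HINTS = ("email", "phone", "name", "address", "birth", "dob", "ssn", "national_id")


def classify_column(name, samples):
    """Step 2 heuristic: 'personal' if the column name carries a PII hint or every
    sample value looks like an e-mail address or phone number, else 'general'.
    This only drafts the classification; a human reviewer still confirms it."""
    if any(hint in name.lower() for hint in PII_NAME_HINTS):
        return "personal"
    if samples and all(EMAIL_RE.match(str(v)) or PHONE_RE.match(str(v)) for v in samples):
        return "personal"
    return "general"


def build_data_map(stores):
    """Steps 1 + 2: {store name: {column: classification}} for every store in the estate."""
    return {s.name: {c: classify_column(c, v) for c, v in s.columns.items()} for s in stores}


def personal_data_locations(stores):
    """Every (store, column) holding personal data: the places that need controls."""
    return [(s.name, c) for s in stores for c, v in s.columns.items()
            if classify_column(c, v) == "personal"]


def uncontrolled_copies(stores):
    """Steps 3 + 4 check: non-production stores holding personal data that did not
    arrive through an automated pipeline (the 'someone moved it by hand' case)."""
    return [s.name for s in stores
            if s.environment == "non-production" and not s.automated_pipeline
            and any(classify_column(c, v) == "personal" for c, v in s.columns.items())]


def masked_copy(store):
    """Controlled export to non-production: personal columns are replaced by
    positional placeholders so the copy keeps its shape but carries no real identities."""
    cols = {}
    for c, v in store.columns.items():
        if classify_column(c, v) == "personal":
            cols[c] = [f"masked-{i}" for i in range(len(v))]
        else:
            cols[c] = list(v)
    return DataStore(store.name + "-masked", store.kind, "non-production", True, cols)


def locate_subject(stores, identifier):
    """Right to be forgotten: every (store, column) where this subject's identifier appears."""
    wanted = identifier.lower()
    return [(s.name, c) for s in stores for c, v in s.columns.items()
            if any(str(x).lower() == wanted for x in v)]


# Constructed sample estate (not real data): a production database, a hand-made
# analytics copy, a spreadsheet with no personal data, and a backup of production.
SAMPLE_STORES = [
    DataStore("crm-db", "database", "production", True,
              {"customer_id": [101, 102],
               "email": ["ana@example.com", "ben@example.com"],
               "plan": ["basic", "pro"]}),
    DataStore("analytics-copy", "database", "non-production", False,
              {"customer_id": [101, 102],
               "contact": ["ana@example.com", "ben@example.com"]}),
    DataStore("sales-tracker.xlsx", "spreadsheet", "non-production", False,
              {"company": ["Acme", "Globex"], "region": ["EU", "US"]}),
    DataStore("nightly-backup", "backup", "production", True,
              {"customer_id": [101, 102],
               "email": ["ana@example.com", "ben@example.com"]}),
]

if __name__ == "__main__":
    for store, cols in build_data_map(SAMPLE_STORES).items():
        print(store, cols)
    print("uncontrolled copies:", uncontrolled_copies(SAMPLE_STORES))
    print("ana@example.com lives in:", locate_subject(SAMPLE_STORES, "ana@example.com"))
```

Two design points worth noting. The `analytics-copy` store is flagged even though its column is called `contact` rather than `email`, because classification looks at sample values as well as names; that is the kind of copy a manual process leaves behind. And `locate_subject` searches every column regardless of classification, since an erasure request has to reach data wherever it actually sits, including the backup.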
Q & A
What is the primary challenge mentioned in the script regarding GDPR compliance?
- The primary challenge is mapping and understanding the data an organization has, knowing where it resides, and classifying it according to GDPR requirements for appropriate protection levels.
What percentage of data breaches were caused by employee error according to the script?
- 10% of data breaches were caused by employee error.
What percentage of data breaches were due to employee negligence as mentioned in the script?
- 7% of data breaches were due to employee negligence.
What does the 'right to be forgotten' under GDPR entail?
- The 'right to be forgotten' requires organizations to know where all personal data is stored so that it can be removed upon request, demonstrating compliance with GDPR.
Why is it crucial to know where data is stored in the context of GDPR compliance?
- Knowing where data is stored is crucial for GDPR compliance because it enables organizations to protect data appropriately, manage it effectively, and fulfill requests like the 'right to be forgotten'.
What is the importance of classifying data under GDPR?
- Classifying data is important to determine which data is private and should not be shared, and to implement the necessary controls to protect it as required by GDPR.
What is the suggested approach for managing data to ensure GDPR compliance?
- The suggested approach includes finding all data, classifying it, reducing the attack surface area, and managing the data in compliance with GDPR, including automating data management processes.
What is the role of automation in achieving GDPR compliance according to the script?
- Automation is critical for getting data management under control, ensuring that data does not get moved or processed inappropriately, and maintaining compliance with GDPR requirements.
What are some of the consequences of not managing data properly as per GDPR?
- Consequences include potential data breaches, non-compliance with GDPR regulations, and the inability to fulfill requests like the 'right to be forgotten'.
What does reducing the attack surface area mean in the context of data protection?
- Reducing the attack surface area means minimizing the opportunities for data leaks by removing unnecessary mechanisms and ensuring that only authorized processes and accesses are in place.
Why is it important to document compliance with GDPR?
- Documenting compliance with GDPR is important for demonstrating to regulators and affected individuals that an organization is adhering to the regulation's requirements and protecting personal data as mandated.
Outlines
🔒 Data Mapping and GDPR Compliance Challenges
Grant Fritchey from Redgate Software discusses the complexities of GDPR compliance, emphasizing the importance of understanding and mapping an organization's data. He highlights the need to classify data according to GDPR requirements to ensure appropriate protection levels. Grant points out that a significant number of data breaches are due to employee error or negligence, which underscores the necessity for proper data management. He lays out the steps to take for compliance: finding all data and where it is stored, classifying it, reducing the attack surface area, and managing data according to GDPR regulations. The right to be forgotten is mentioned as a key aspect of compliance, which requires knowing the location and form of all data. Grant stresses the importance of automation in data management to maintain control and compliance.
🛠️ Automation in Data Management
The brief closing section continues the discussion of automation. Without automating the mechanisms by which data moves from production to non-production environments, an organization cannot know where its data is going, and so cannot demonstrate the control over data flow that GDPR compliance requires.
Keywords
💡GDPR
💡Data Mapping
💡Data Classification
💡Data Breach
💡Employee Error
💡Employee Negligence
💡Insider Theft
💡Right to be Forgotten
💡Data Management
💡Automation
💡Compliance
Highlights
Challenges in GDPR compliance include mapping and understanding the data an organization possesses.
Data classification under GDPR is crucial to determine the level of protection required for different types of data.
Employee error and negligence are significant causes of data breaches, highlighting the importance of proper data handling.
The 'right to be forgotten' under GDPR necessitates knowing the location and existence of all stored data for compliance.
Data mapping is essential for GDPR compliance, involving tracking every bit of data and its storage mechanisms.
Data classification involves identifying which data is private and should not be shared, requiring controls to be put in place.
Reducing the attack surface area is key to preventing accidental data leaks or distribution.
Data management must be in compliance with GDPR, including proper documentation and adherence to regulations.
Automation is vital for controlling data management processes and ensuring GDPR compliance.
Manual processes for data movement can lead to non-compliance if the organization lacks visibility into data flow.
Knowledge of the database is fundamental to meeting all GDPR requirements, starting with understanding what data is held and where.
The importance of mapping all data as the first step towards GDPR compliance is emphasized.
The speaker, Grant Fritchey, identifies himself and his affiliation with Redgate Software, providing credibility to the discussion.
Data breaches statistics are provided to underscore the risks of improper data handling and the need for GDPR adherence.
The consequences of not knowing where data is stored and how it is processed are explained in the context of GDPR compliance.
The necessity of having mechanisms in place to control, document, and support data in compliance with GDPR is discussed.
Transcripts
Hello, my name is Grant Fritchey, I work for Redgate Software. So one of the challenges in the GDPR, frankly, is mapping your data: knowing what data you have and where it lives, you know, across your entire estate, and frankly what kind of data is it, because you have to classify the data within GDPR and know which data has to be protected in what way, because different data has different levels of protection. And, unavoidable here, you have to figure that out, so you're gonna have to walk through every single bit of data you have. And it's in your best interest to do this, because if you go to some place like the Theft Resource Center and look at some of the data breaches, 10% of the breaches were caused by employee error and 7% of the breaches were caused by employee negligence, and only about 5% were actually caused by, you know, [unclear], I'm sorry, and 5% were caused by insider theft. That's a lot of information that is accessible to people who probably shouldn't be having it. Yeah, granted, some, you know, if it's straight-up theft it could come from somebody who's supposed to have it, but negligence means that somebody just messed up and moved data where it wasn't supposed to be, and, you know, accidental exposure means somebody messed up and moved data where it wasn't supposed to be. You know, it's down to making that control, making that mapping and understanding exactly which data you have and exactly where that data lives, that you have to arrive at in order to make compliance with the GDPR possible. Just taking the right to be forgotten: if you don't know where your data is, you can't comply with the right to be forgotten and you will in fact run into issues.

So what do you have to do? You really are gonna have to take the approach of: first, you've got to find all your data. Where are we storing it? Which databases do we have? Which servers are they on? Do we have it in other places, Azure, AWS? Do we have it, you know, hosted someplace? Do we have off-site backups? Where is every bit of this data, and in what form is it in? Is it in Excel? Is it in SharePoint? Is it in some other, you know, storage mechanism? We've got to go, we've got to track everything, damn, yeah.

Step 2: you've got to classify the data. You've got to figure out which data is under control of the GDPR, which data is private data, should not be shared, and then you have to put controls around that. Step three is reduce your attack surface area. You have to remove chances for people to leak the data by accident, remove chances for people to, you know, distribute it; simply take away mechanisms that are not in keeping with your overall use of the data as defined through the GDPR to your clients and members and everyone whose data you're managing. And then finally you've got to manage the data. You've got to take it under control and do things with it that are in compliance with the GDPR, and feed compliance with GDPR, and document compliance with the GDPR.

And you've got to do all these things, which is why one of the most important things you can start doing is automating. You really have got to get your data management under control through an automation process. If you are not currently, you know, automating the mechanisms through which data gets out of your production environments to non-production environments, [unclear], if you don't know exactly where data is going because there are manual processes being occurring, you know, and, you know, Stefan over there is moving data around and you don't know about it, you've got to get that under control, right there. There's no way that you can be compliant with the GDPR and not know where your data is, how it's being used, how it's being processed, and where it is, so you can be compliant with, you know, "I know where the data is, I know how it works, I can remove it as needed, I can support it, I know it's online, if it goes offline I can get it back online," right. All of the requirements of the GDPR are all driven off of knowledge of your database. First and foremost you must know what data you have and where that data lives, so you've got to map all of your data. That has to occur, step 1. My name is Grant Fritchey, I work for Redgate Software.