Ever since companies started using modern computing systems to store customer data, they have assumed that data stored on their servers was ‘theirs,’ somewhat reasonably, since it sat on computers they owned… that is no longer true.
by: Aaron Turner (Hotshot Technologies)
photo: Anna Katina
Google and Facebook built billion-dollar businesses on a model that assumed data belonged to the company that owned the servers. New privacy and data protection regulations have changed the playing field: rules such as the EU’s GDPR fundamentally disrupt the data ownership model of the past.
With today’s legal and regulatory ecosystem in mind, here are 10 things businesses need to address now to successfully operate in a post-GDPR business environment:
1. The data on companies’ servers is not really theirs anymore. Businesses should consider that any data that can be used to identify a person in the EU is not theirs, legally or morally. GDPR’s definition of personal data is broad: IP addresses, device identifiers and location records count alongside names and e-mail addresses, and the rules reach companies outside the EU that offer services to, or monitor, people inside it.
2. Getting consent from customers through clear, acceptable data use policies can help businesses do more with the data they do have, but there have to be clear and revocable consent processes. Under GDPR, withdrawing consent must be as easy as giving it.
3. Companies are now responsible for protecting data regardless of which network it traverses or who owns the device it is stored on.
4. Letting employees store customer data on their personal mobile devices without appropriate controls (encryption, the ability to wipe the data remotely, separation from personal apps) is a recipe for GDPR disaster.
5. Allowing employees to access data over compromised or monitored networks creates significant liabilities for companies.
6. Customer data that is retained for compliance purposes must be encrypted at rest, yet it must remain locatable by data subject so that every record belonging to a person can be found and deleted to satisfy GDPR’s right to erasure (the “right to be forgotten”). Encryption that makes data impossible to find also makes it impossible to delete on request.
7. How data is transported (either physically, such as on a laptop carried across a border, or logically, such as to a cloud region outside the EU) is now a key aspect of compliance requirements.
8. Companies are now required to use data protection controls appropriate to the risk and the state of the art, and to be able to demonstrate to a regulator that those controls actually work. A control whose effectiveness cannot be shown is of little use in an audit.
9. Businesses are now responsible for the protection of data through the entire business process, regardless of how many different companies are involved. Business partners are accountable for data protection on an end-to-end basis: in GDPR terms, a controller remains responsible for what its processors do with the data and must bind them by contract.
10. All access to customer data must be traceable and auditable on the same end-to-end basis. Using traditional email or shadow IT (WhatsApp, Signal, etc.) as a business communications tool leaves no usable record of who accessed what, and puts companies at risk of not meeting data handling requirements.
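Items 6 and 10 describe a concrete engineering pattern: data encrypted at rest, still searchable by data subject so that an erasure request can be honoured, with every access logged. The following is an added illustration written for this page, not code from the article or from Hotshot Technologies. It assumes an in-memory store (a real deployment would hold keys in a KMS or HSM and records in a database), one AES-GCM data-encryption key per subject, a blind index built with HMAC-SHA256 over the normalised e-mail address so records can be found without storing the address in the clear, and an audit trail keyed by the index token rather than by personal data. All names (`Store`, `Put`, `Get`, `Erase`, the sample e-mail and actors) are invented for the example; it uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

var ErrNoSubject = fmt.Errorf("no key for subject: never stored or already erased")
// Store keeps one data-encryption key (DEK) per data subject. The in-memory layout is assumed
// for illustration; a real deployment keeps DEKs in a KMS/HSM and ciphertexts in a database.
type Store struct {
	indexKey []byte                 // HMAC key for the blind index, kept apart from the data
	aead     map[string]cipher.AEAD // blind index -> AES-GCM under the subject's DEK
	records  map[string][][]byte    // blind index -> ciphertexts (nonce || ct)
	Audit    []string               // "time actor action subject-token": no personal data
}

func NewStore() *Store { return &Store{indexKey: randBytes(32), aead: map[string]cipher.AEAD{}, records: map[string][][]byte{}} }

// randBytes reads the OS CSPRNG; failure there is fatal, so it panics.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// blindIndex = HMAC(indexKey, normalised e-mail): equal addresses give the same token, so
// records stay searchable by subject, yet the token reveals nothing without the key.
func (s *Store) blindIndex(email string) string {
	mac := hmac.New(sha256.New, s.indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return fmt.Sprintf("%x", mac.Sum(nil))
}

// log appends an audit entry: who did what to which subject token, and when.
func (s *Store) log(actor, action, idx string) { s.Audit = append(s.Audit, fmt.Sprintf("%s %s %s %s", time.Now().UTC().Format(time.RFC3339), actor, action, idx[:12])) }

// Put encrypts one record under the subject's DEK, generating the DEK on first use.
func (s *Store) Put(actor, email, plaintext string) {
	idx := s.blindIndex(email)
	if s.aead[idx] == nil {
		block, _ := aes.NewCipher(randBytes(32)) // 32-byte key: neither constructor can fail on size
		s.aead[idx], _ = cipher.NewGCM(block)
	}
	g := s.aead[idx]
	nonce := randBytes(g.NonceSize())
	// The index token is the associated data, so a ciphertext moved to another subject's row fails to open.
	s.records[idx] = append(s.records[idx], g.Seal(nonce, nonce, []byte(plaintext), []byte(idx)))
	s.log(actor, "put", idx)
}

// Get decrypts every record held for the subject and logs the access against the token.
func (s *Store) Get(actor, email string) ([]string, error) {
	idx := s.blindIndex(email)
	g := s.aead[idx]
	if g == nil {
		return nil, ErrNoSubject
	}
	var out []string
	for _, ct := range s.records[idx] {
		pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(idx))
		if err != nil {
			return nil, err // tampered or misfiled ciphertext
		}
		out = append(out, string(pt))
	}
	s.log(actor, "get", idx)
	return out, nil
}

// Erase (right to erasure) drops the live records found through the index and destroys the
// DEK, so any copy that survives in a backup or replica is unrecoverable (crypto-shredding).
func (s *Store) Erase(actor, email string) (int, error) {
	idx := s.blindIndex(email)
	if s.aead[idx] == nil {
		return 0, ErrNoSubject
	}
	n := len(s.records[idx])
	delete(s.records, idx)
	delete(s.aead, idx)
	s.log(actor, "erase", idx)
	return n, nil
}

func main() {
	st := NewStore() // constructed sample: two services write, an agent reads, the DPO erases
	st.Put("billing-svc", "Ada@Example.com", "invoice 2019-07: 120 EUR")
	st.Put("support-svc", "ada@example.com", "ticket: card replaced")
	recs, _ := st.Get("support-agent-7", "ada@example.com")
	n, _ := st.Erase("dpo", "ada@example.com")
	_, err := st.Get("support-agent-7", "ada@example.com")
	fmt.Println(recs, "shredded:", n, "after erasure:", err, "\n"+strings.Join(st.Audit, "\n"))
}
```

Two design points matter here. Destroying the per-subject key is what makes erasure complete: ciphertext left behind in backups, replicas or a partner's copy becomes unreadable without anyone having to scrub every medium, which is the practical answer to item 6. And because the audit trail and the index both carry only the HMAC token, the log itself does not become a new store of personal data, while still answering the question item 10 asks: which actor touched which subject's records, and when.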