
Foregenix Blog

Richard Jones

Data Discovery: The only place to start with GDPR

GDPR, 31/10/17 10:27

To those new to GDPR, it may appear to be a complex task with so many actions that it is almost impossible to know where to start. I would wager that GDPR has seemed, or will seem, like this to those who are in the process of preparing for its arrival next May.

There is no shortage of useful content on what GDPR is, and there are many who will advise on how to tackle the challenge that lies ahead.

That said, you can never plan the route to a destination without knowing where you are starting from. The real challenge is getting to a point where you know what Personally Identifiable Information (PII) you hold, that it has been legitimately acquired, that it is essential to your business and that it can be managed in accordance with GDPR. Research suggests that, for many organisations, up to 85% of retained PII would violate GDPR in some shape or form.

Embarking on the finer points of GDPR without a comprehensive data audit will almost certainly prove a futile and costly exercise. With up to 35% of PII classified as redundant, obsolete or trivial (ROT) and 50% as Dark Data (data that can no longer be legitimately used), there is a huge opportunity to refine the scope of a GDPR project simply by locating and then clearing out all the junk. In other words, shifting the PII that has gone from being a potential asset to a real liability.

As a leading specialist in the field of PCI DSS, Foregenix works on the premise that efficient and cost-effective compliance comes from minimising what is within scope for an audit: don't store what you are not allowed to store, protect what needs to be retained for doing business and get rid of everything else. That said, payment data has always had a habit of cropping up in unexpected places, unexpected to the owner, that is. Would-be attackers have come to recognise where monetisable payment data 'hangs out', and these 'backwaters' become prime targets as a result.

Having spent many years tracking down payment card data using its own product, FScout, Foregenix has recently partnered with Ground Labs, a leading provider of sensitive data discovery technology that will hunt out all manner of PII.

With over 200 international data formats from over 50 countries and the option to create custom searches, Ground Labs' Enterprise Recon should be the starting point for any GDPR project. Knowing what data exists and where it resides can make interesting reading, especially when compared with the way data is intended to flow around an organisation.
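To make the discovery step concrete, here is a minimal pattern-based PII scan added as an illustration for this post. It is not FScout or Enterprise Recon, and the file paths and contents it scans are constructed sample data. It shows the two things a discovery tool has to get right before an inventory is useful: a validator (here a Luhn check) so that any 16-digit order number is not reported as a card number, and masking so that the report itself does not become another copy of the data. The `PATTERNS` registry is the hypothetical equivalent of a "custom search": new data formats are added as a regex plus an optional validator.

```python
"""Minimal PII discovery scan over a set of files (added example; the
sample files and their contents below are constructed, not real data)."""
import re
from collections import Counter


def luhn_ok(candidate: str) -> bool:
    """Luhn check on the digits of a candidate card number.

    Filters out numeric strings that merely look like a PAN (order ids,
    invoice numbers) so the inventory is not flooded with false positives.
    """
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(kind: str, value: str) -> str:
    """Reduce a hit to a form safe to keep in the report."""
    if kind == "pan":
        digits = "".join(c for c in value if c.isdigit())
        # PCI-style truncation: first six and last four digits only
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    local, _, domain = value.partition("@")
    return local[0] + "***@" + domain


# Pattern registry: kind -> (regex, optional validator). Adding an entry
# here is the equivalent of defining a custom search (hypothetical design).
PATTERNS = {
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), None),
    # 13-19 digits, optionally separated by single spaces or dashes
    "pan": (re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"), luhn_ok),
}


def scan_text(text: str):
    """Yield (kind, masked_value) for every validated hit in one text."""
    for kind, (regex, validator) in PATTERNS.items():
        for match in regex.finditer(text):
            value = match.group(0)
            if validator is None or validator(value):
                yield kind, mask(kind, value)


def scan_files(files: dict) -> list:
    """files maps path -> contents. Returns one finding per validated hit."""
    findings = []
    for path, text in files.items():
        for kind, masked in scan_text(text):
            findings.append({"path": path, "kind": kind, "value": masked})
    return findings


def inventory(findings: list) -> dict:
    """Roll findings up into kind -> {path: hit count}: where each data
    type lives, which is what a scoping decision actually needs."""
    inv = {}
    for f in findings:
        inv.setdefault(f["kind"], Counter())[f["path"]] += 1
    return inv


# Constructed sample corpus standing in for a file share crawl.
SAMPLE_FILES = {
    "crm/customers.csv": "name,email\nAda,ada@example.com\nBob,bob@example.org\n",
    "finance/old_orders.txt": (
        "card 4111 1111 1111 1111 exp 12/19\n"      # Luhn-valid test PAN
        "card 4111111111111112 declined\n"          # fails Luhn: not reported
    ),
    "logs/app.log": "2017-10-31 user=ada@example.com action=login\n",
    "docs/readme.txt": "No personal data here. Order id 1234567890123456.\n",
}

if __name__ == "__main__":
    for kind, paths in inventory(scan_files(SAMPLE_FILES)).items():
        for path, count in paths.items():
            print(f"{kind:6} {count:3} hit(s) in {path}")
```

Run against the sample corpus, the report lists e-mail addresses in the CRM export and, more interestingly, in an application log, and a single card number in an "old orders" file that most people would not expect to hold payment data. The 16-digit order id in the readme is rejected by the Luhn check. Per-file counts are what feed the "keep, protect or delete" decision the post describes.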

The ubiquity of PCI DSS makes it a great point of reference for GDPR compliance projects. GDPR will no doubt permeate more deeply into a business than PCI DSS, extending into the whole field of privacy and its legal ramifications. Without a detailed audit of the PII around which your organisation revolves, however, it will more than likely become a task that seems more complex than it really is!


Tags: GDPR
