In the rapidly evolving landscape of data privacy and security laws and regulations, organizations need to know how and where their data is being stored. The best approach is for companies to implement "data mapping" -- an exercise that identifies the apps and services that interact with personal data about a company's employees, customers, and partners.
In the European Union, what many consider a landmark regulation -- the General Data Protection Regulation (GDPR) -- has been passed and will be enforced starting May 25, 2018. The GDPR is a comprehensive update to the existing European data protection regulations. Since it applies to personal data of EU individuals and the transfer of that personal data outside of the EU, almost every company will need to comply with the GDPR.
Recently, a survey revealed that 87 percent of CIOs are concerned that their company's current security policies are insufficient to comply with the GDPR. As a result, over 73 percent are looking for ways to tighten those policies in order to secure the data shared or stored in the apps their employees and customers use every day. Among Okta customers, more than half of the apps people use at work aren't provided by IT, which suggests that security teams across all industries have serious work to do. But data mapping can make that process easier.
By identifying the apps that access personal data and how frequently those apps are used at a company, data mapping helps reveal potential weak spots in a company's security measures. When mapping a company's personal data, security teams can use these three tips:
1) Align with new regulation
The GDPR requires every company storing personal data of EU individuals to be able to promptly provide copies of that data, or correct or delete data upon request. What's more, companies subject to the GDPR will need to keep detailed, updated records of the ways they store, use, and share personal data with other apps and services.
On paper, these may seem like straightforward requirements. But in practice, it could be a massive effort for a company to comply -- and meeting those demands means ensuring customers' and employees' personal data is accounted for, safe, and secure. For employees, it all starts with mapping out where their personal data has traveled since their hire date. Which apps house employee names, email addresses, and phone numbers? Do those apps store copies of that data, and do they delete it after it's no longer needed? Under the GDPR, companies will be responsible for answering each of these questions.
It's serious business, too. Seventy-seven percent of U.S. companies plan to spend 889,000 euros (~$1 million USD) or more on their GDPR readiness plans. The penalties for failure to comply are equally serious: EU data protection authorities can assess fines of up to 20 million euros (~$22.5 million USD), or 4 percent of annual revenue -- whichever is higher. Clearly, the costs of meeting the GDPR's requirements will be significantly less than the costs of fines and the resulting damage to the trust and goodwill that a company has earned with its employees and customers.
2) Maximize the benefits of data mapping
No matter the size of your company or the industry you work in, every organization can benefit from mapping employee data. By mapping where your employees' and customers' personal data goes, you're protecting your people -- people who entrust you to secure their information.
For example, if you work for a large enterprise, mapping personal data can spark questions about how third-party apps interact with your company's personal data, and can surface security concerns for deeper review and analysis. Additionally, since employee and customer data is rarely managed by just one department, mapping this data can get HR and IT teams on the same page, building a strong foundation for future collaboration.
On the other hand, if you're working for a startup where each team member wears many hats, building a data mapping strategy into your plan will work in your favor down the road. As you scale up, and as your infrastructure relies on an increasing number of third-party apps and services, you'll be pre-positioned to expand on the plan that outlines your vision for the way each new service should interact with your company's personal data.
3) Implement a long-term plan
Even though the GDPR is an EU regulation (and the U.S. doesn't currently have a federal law that regulates personal data in the same ways), the U.S. also has a patchwork of state privacy laws that are evolving with advances in technology. Other countries around the world have their own data privacy regulations, too.
How can you stay on top of it all? You guessed it: data mapping. After you've mapped where your company's personal data travels, you can dive deeper by identifying which apps can access personal data. Your organization should then ensure that those app providers will be able to update, retrieve, and delete that data upon request. Following each of those steps will help prepare your company for a changing future landscape of data security requirements.
There are a lot of questions about the future of security -- but building a personal data mapping plan will establish a bedrock foundation for whatever comes next. By following these steps, you'll ensure the personal data about your customers is properly accounted for. And your employees will be able to connect to the apps of their choice, knowing their company has a plan in place that protects not only their personal information, but their entire online identity.