GDPR compliance and storage in digital transformation projects
Key considerations when transforming physical data into digital, the impacts on compliance, and how to ensure access to and encryption of data as well as safe disposal of physical assets
Digitisation is a key project for many IT organisations that will open up new possibilities for the business.
But the digital transformation of physical data creates lots of new data, often unstructured and possibly fragmented, around the organisation. And so the question arises: how do you make it compliant?
In this podcast, Mathieu Gorge, CEO of Vigitrust, talks about the key compliance impacts on digital transformation projects, with reference to frameworks such as the General Data Protection Regulation (GDPR) and how to deal with access and encryption of newly digitised assets as well as disposal of physical data.
Antony Adshead: Why are storage and compliance important in digital transformation projects?
Mathieu Gorge: Well, today a lot of organisations are trying to reach more clients on an ongoing basis by going more digital, and by doing so, they essentially expand the way they collect data and manage and store it.
So, let’s imagine that you have a lot of physical data and you want to be more present on the internet, you want to be on social media, have an e-commerce site, have different extranets, links to partners, and so on – stuff that you can’t really do with only physical data.
What you need to do is digitise that data, which typically involves scanning the data into some sort of digital format. So you end up with a digital version of the same data, but in doing so, you are actually creating a lot of new data.
You don’t only create one digital copy of the original paper-based data, but you also create a lot of unstructured data around those files – data that is related to the copy of the original documents, but essentially ends up being fragmented and copied in many different places in your network.
So, one of the key issues there is: where does that data go, where do you store it, and can you do it in a compliant way?
Now, if you look at key security frameworks and regulations, say PCI, HIPAA or ISO 27000, they all have a physical security element to them. They ask you to have a strategy for dealing with physical data, physical security, access to physical data and to put controls around that.
If you look at the GDPR, it is now asking you to put appropriate security measures in place to protect the data, whether in physical or logical format.
In the move from physical to logical, you essentially double up and one of the key questions is: how do I manage all that new data? And what do I do with all the legacy data in order to remain in compliance when I keep that data?
Adshead: How do you ensure compliance in storage in digital transformation projects?
Gorge: So, let’s take the easy path first – to secure these frameworks and controls around the new amount of data that you have that is digital data, as part of your new digital front window, so to speak.
When you get new data, you can obviously secure the data by encrypting it. First of all, you map it out, you try to understand where you’re going to store it, who is going to have access to what, are you going to back it up, are you going to monitor access, are you going to have logs that demonstrate you can manage and reproduce the lifecycle of that new data?
And then, as I said earlier, you need to look at all the new unstructured data that is inherently created by that digital transformation process. That is very important, but it is easy to follow guidelines from regulations in order to do that, or even to refer back to something like ISO 27000 to do so.
One of the areas that is often forgotten about is the idea of disposing of the physical data securely. First of all, you may or may not wish to dispose of that data. You may want or need to keep it for your purposes, and if so, you still need to keep it securely. Now is a good time to view your strategy to do so.
If, on the other hand, you need to dispose of it, you need to do so in a way that allows you to demonstrate that it has been destroyed, maybe using a company that provides a certificate showing that the data has been securely destroyed and is no longer in your possession.
Remember that the key challenge here is to demonstrate that you are either storing it in a compliant manner or you have disposed of it in a compliant manner. Unfortunately, this is not always part of a digital transformation strategy.
So, what we recommend at Vigitrust is to ensure that you understand the challenges with digital transformation, but also the convergence between physical and logical storage and compliance, because that should really be part of the DNA of your overall security strategy.