Earlier this month, Wonga admitted to suffering a data breach that exposed personal data belonging to 270,000 of its customers.
You may have missed the news; breaches of this nature have become so common they hardly make the headlines. But with the General Data Protection Regulation (GDPR) a year away, will they soon be a thing of the past?
To answer this question we need to consider the current rules of engagement between businesses and the hackers that target personal data. The typical attack is akin to a siege, where the hacker bombards an organisation’s defences in an effort to reach valuable data. The strength of the business’s defences depends entirely on the resilience of its security perimeter. If they are breached, the siege is over and sensitive data is immediately exposed and vulnerable.
The GDPR complicates matters for hackers. It requires organisations to encrypt all personal data and encourages Data Privacy Officers (DPOs) to apply techniques such as pseudonymisation and tokenisation to protect the privacy of data subjects.
This means that even if a hacker successfully storms the gates and loots the coffers, as in the case of Wonga, they will be left with encrypted data, which cannot be read, or meaningless strings of code, which have no value.
This is clearly great news for businesses. Even if the current trend of breaches continues, their impact will be diminished. However, complying with the GDPR also presents significant challenges. Businesses must locate all of the personal data they hold, assess its risk profile and then obfuscate what’s vulnerable. This is an incredibly complex and time-consuming undertaking. Locating and identifying personal data is, on its own, a laborious manual process.
To meet this challenge, businesses must gain a much greater understanding of the personal data they hold. They need to identify the people, platforms, and processes that touch their personal data and pinpoint where it physically resides. They also need to understand the relationship between these systems, individuals and locations. For example, if an employee transfers to a different office, what will happen to their data? Will the move heighten risk for both the individual and the business?
We’ve developed a data visualisation tool to help businesses answer these questions. It’s called the Business Lens and it allows users to dynamically map personal data to gain a holistic view of compliance challenges. Specific security techniques can then be applied through the Lens to protect data that’s at risk.
The Lens is designed to be the starting point for business leaders grappling with GDPR obligations, and it can help you adapt existing processes without disrupting business as usual.
Written by Ian Bryant, Chief Operations Officer