GDPR: end user data loss prevention

It should be clear by now that there is no such thing as absolute GDPR compliance. But there are several steps that can be taken that will ensure that you don’t fall foul of the GDPR and technology has a critical role to play.

Without a technical solution for monitoring the collection, processing and storage of personal data, enterprises run the risk of falling foul of the strict new regulation when it is introduced in May 2018.  And it’s not enough to just monitor, you need to protect and educate your end user at the same time.

While the text of the GDPR itself does not state that a technical solution is required, it is up to each enterprise to decide what is best for their needs.  One thing is sure though, it is not going to cut any ice with the regulator if you point to policy when there are affordable technical solutions available. That said there are a plethora of differing solutions on the market currently and most them do not offer any real time protection for your data; pure analytics and ‘after the horse has bolted’ type solutions are, to be frank, useless.

In terms of affordable technology, data discovery, classification and data loss prevention (DLP) software would seem to be the most obvious place to start for most.

The significant rise in high profile data breaches over the past few years has led to a resurgence in demand for DLP solutions; currently the DLP market is worth £800m and this is rising rapidly at a rate of between 16%-22% per annum according to recent reports. 

Traditionally it was only large enterprises that could afford the vast fees, ongoing management and analyst resources required to manage the beast that was DLP. 

But with elegantly simple affordable DLP solutions ever more available the days of the vast on premises appliance-based DLP beast are numbered.

With the GDPR, data protection will no longer be the preserve of the IT department or the chief information officer, it will be a whole-enterprise responsibility and with prices per user now pennies per month via SaaS based solutions the market is set for a huge rise as the larger SMEs gear up.

Current DLP solutions are often heavyweight affairs that are costly, require their own servers and rarely allow for working practices such as bring your own device, or if they do it is via a proxy server, which means built in latency for users – a significant bugbear.

As CEO and Scrum Certified Product Owner of a DLP technology company, I can say with confidence, next generation DLP solutions are being driven both by new data protection regulatory requirements, such as the GDPR, AND the need for better enterprise application/endpoint/cloud protection with interaction opportunities for end users; as opposed to the ‘phone home’, appliance driven, IT security department managed solutions currently offered by most of the incumbent DLP solution providers.

The GDPR requires you to know where your data is located and to have tools in place to safeguard it.

But it won’t be enough to have a DLP solution that does just data discovery and protection, you will need content level protection that not only recognises key words and phrases in content, but also unstructured data across a wide range of enterprise applications – whether cloud-based, on premise or on endpoint – especially with the prevalence of home/remote working.

Next generation DLP now has the ability to automatically classify and track data, restrict who has access to it and intervene in real time if it is sent to the wrong person; all the time reporting back to data owners, end users and security analysts.

Next generation solutions must be simple to deploy and simple to use; out of the box.

Crucially, if we are to dispense with the blame culture, all next generation DLP solutions must have the ability to bring the end user into the equation; some already do but they are few and far between. 

Currently DLP iplementations often make end users feel like Big Brother is watching. We need a paradigm shift in how end users perceive DLP; rather than being a system that will penalise them for making (often honest) mistakes, DLP should be a helping hand that will assist them in their day-to-day jobs – protecting not only the enterprise but individual end users too.

The blame culture that penalises end users who make honest mistakes during their work when it comes to data must end; employees must not face the prospect of the sack for making honest mistakes when systems can be put in place to stop it happening in the first place. 

Today’s businesses have a duty to ensure that an employee has the correct training and tools to assist them when dealing with sensitive information. I can confidently predict a raft of court cases and tribunals in the coming years where employees sue employers for not protecting them in their roles.

Instead of feeling fearful, your employees should feel empowered to play a role in your data protection procedures. End users are the key to the data protection eco-system working hand-in-hand with the CIO and IT department to ensure your enterprise is GDPR ready. 

This is not a ‘would like’ but rather a ‘must have’. Those enterprises who take up the GDPR mantle and empower their employees with next generation DLP will undoubtedly be the same enterprises that gain significant competitive advantage with the ensuing business process management and digital transformation.