[MUSIC PLAYING] Hello, and welcome to CBR TV. My name is Jon Bernstein. I'm delighted to be joined today by Colin Truran who is principal technology strategist at Quest. Colin, great to have you here. Let's talk GDPR, general data protection regulations. We're less than a year away. For the viewers watching out there, how should they assess their readiness?
It's quite a complex thing that they're going to have to come into. So the first thing they need to do is actually appoint someone in charge, a data protection officer. They can either appoint one, or they need to hire one via an agency, if they're a small organization. They need to coordinate and delegate what they're going to do. But they really need to go through an assessment to understand where they are and where they need to get to and do a gap analysis.
So let's drill down into one of the specifics, which is personally identifiable information. What changes, what does the GDPR introduce that doesn't exist already?
So we've had issues with this before with regards to PCI, for example. But the big difference here is it's an extremely wide ranging amount of data that is considered PII. So organizations are faced with the challenge of identifying where that information is and then how to control it. They're also going to have to understand who has access to it. They have a duty of care with that information, and they need to respect the life cycle of that information and how it was given to them. And also, they need to make sure that they can adhere to the new and broader rules and regulations that users have. And consumer rights are a big challenge for organizations.
So duty of care is a question of keeping that data safe. How do they go about doing that?
Well, they need to identify where it is. And then, they need to identify who has access to it. And really, what it is is they should really adopt a least privileged access model. Only people that have access to that data should be the ones that have access to that data. It's too easy for organizations to drift with security. And we need to be able to make sure that they actually narrow that security down and have full control. It's almost as if you're dealing with a patient. You need to be able to have a finger on a pulse, understand what is happening in your organization. You may not have a breach, but you may have internal bleeding.
And with the best will in the world, breaches will happen. So how do organizations prepare for those breaches?
Two phases, really. You need to be are to understand how that breach happened. And a breach can happen from a long way back. An attack is something that can happen very quickly. But the setup for it was probably a long way before-- maybe an insecure account or a service or something that has failed to be updated. But then, when the attack happens, it's very, very quick.
So you need to be able to see across your entire organization and understand it. But you also need to be ready and respond in a timely fashion. And that's the big difference with GDPR. We've been quoted 72 hours to respond. Now, again, the difference with GDPR is that there's a joint ownership now with data processor and data owner. And you need-- as a data owner-- to be able to correspond all of the different breach information from your processes internally and externally. So 72 hours is not a long time.
So what you really need to do is delegate out rights and alert quickly. And then, have visibility of what happened so you can know the scope.
Let's think about roles and responsibility within an organization. Is it possible to apply particular roles and responsibilities to particular business functions?
Let's start with the most important one in this, which is the data protection officer. That's a unique role, especially in GDPR, because they have to be of a very senior person. They have to have the rights and responsibilities and the duty of care of the data subjects in mind, rather than their business. There's not someone that you can sack for reporting. Their job is to report to the data commissioner, which in this case in the UK is the ICO.
So their job is then to coordinate efforts, both in understanding the risks, and then also coordinating responsibilities. And to do that, they need to be able to delegate out those responsibilities and have a working model.
So final question, Colin. Quest, as an organization like all the organizations out there, has to do itself with GDPR. So based on what you've done-- some of the things you've done right, possibly some of the things you haven't done right-- what one lesson would you share with the viewers out there?
Luckily, Quest is very blessed with the fact that we have a lot of technologies to help us solve the problems already. So it's early days for Quest as well. We've already gone through the process, but delegation, but understanding and having a quick response or reporting, knowing what is going on. It is no good just relying on identity solutions, for example, as your only concept for knowing who has access to what. You need to be able to understand quickly who is actually doing what and where it is.
And the other thing is consolidation, removing risk. So being able to actually place all the subject data into a central location or central locations. Shadow IT is a big problem within organizations. And luckily, in Quest, we have our tools that prevent that. We're already doing that as part of our normal business practices. But that's how we've done it so far, but it's a journey we're on for the next few months.
06:25
