Organisations across the EU are already expending significant resources on storing and managing dark data, but with the GDPR on the horizon, the importance of keeping it under control is higher than ever.
From May 2018, all businesses that process any form of personal information will need to comply with a new set of data protection requirements that, among a variety of measures, will force them to take action on the growing issue of ‘dark data’.
What is dark data?
Dark data is the information collected by an organisation that remains unused, unanalysed and without any clear owner.
Over time, dark data accumulates as content is gathered through manual and automated processes. The majority of dark data is unstructured – not organised in a pre-defined manner – and is difficult to analyse, residing in a range of unsearchable formats.
Organisations often retain dark data for compliance purposes, or on the assumption that this data may become useful in the future. However, most businesses have neither the resources nor the inclination to manage and analyse this data to draw any insight from it. Instead, many organisations simply buy more storage in an attempt to solve the problem, leading to the hoarding of useless data in back end systems.
In many organisations, this oft-forgotten data is insufficiently protected and, for this reason, is increasingly targeted by cybercriminals.
Examples of dark data:
- Call notes & meeting minutes
- Presentations, research & reports
- Customer and account information
- Scanned and photocopied documents
- Old document versions
- Previous employee information
- Unmonitored log files
What are the GDPR requirements for dark data?
The General Data Protection Regulation (GDPR) is a new European Directive designed to improve the way that organisations collect, handle, process and store any form of data that contains personally identifiable information (PII).
In preparing for GDPR compliance, many organisations are focusing solely on how to safeguard structured data. Securing data in core systems such as CRM, ERP and content management platforms is essential and, in many cases, relatively straightforward. However, identifying, managing and protecting vast quantities of unstructured data can pose a more significant challenge.
To comply with the GDPR’s multitude of data requirements, organisations need not only to have controls in place to protect dark data, but also to have mechanisms to identify, analyse and remove it. For most organisations, the costs of discovering and processing dark data are significant. When individuals submit subject access requests asking to see the information held on them, these costs multiply rapidly and, in some cases, it may not be possible to satisfy the requests fully.
How can your organisation prepare for the GDPR?
The GDPR is the perfect opportunity for organisations to get their information security in order, and in the process, make tangible savings on data management and discovery costs. Redscan offers a range of services to assist with GDPR compliance.
A GDPR Data Readiness Assessment is a good starting point for any organisation wanting to understand its level of GDPR preparedness and can help identify the type of data (both structured and unstructured) being held, whether there is a legitimate interest for holding it and its risk of being compromised.
Achieving Cyber Essentials certification, a government-endorsed cyber security standard, is recommended to demonstrate good practice. So too is commissioning a regular penetration test to identify and help address more complex vulnerabilities pertaining to technology, people and processes.
Proactive breach detection
An effective way for organisations to increase visibility and improve data protection is to implement a 24/7 network and endpoint monitoring capability. ThreatDetect™, Redscan’s award-winning managed detection and response service, combines certified security expertise, leading detection technologies and up-to-the-minute threat intelligence to help identify breaches and report them within the 72-hour timeframe mandated by the GDPR.