Six basic strategies and six key messages to prepare you for GDPR.

Do nothing

This may sound odd at first, but remember that not all data needs to be protected. This underlines the importance of identifying and classifying data as a foundational step in any data-protection plan.

Manage access to data in a central store.

Personal data is commonly centralised in network file shares, on web servers and in enterprise content management systems. Access is provided only to users who are authenticated and authorised.

Monitor and filter data as it is being accessed and distributed.

Monitoring and filtering technologies such as data loss prevention, email and web security, database activity monitoring, and networkbased monitoring and analytics are used to gain visibility into the personal data that is being accessed and distributed across the organisation’s networks. These solutions are also designed to flag data movements that are potentially in violation of policies for security, privacy and regulatory compliance, and to guide proper responses.

Encrypt the data.

The use of encryption to protect the confidentiality and integrity of personal data is extremely common in every place that data can be found: in back-end systems, on the network and on a wide variety of endpoints. A unified approach to managing the lifecycle of encryption keys is essential to support greater scale of encryption, and to reduce the total cost of ongoing operations and management.

Substitute non-data for the data.

In some scenarios, personal data is best protected by taking it out of the business process in the first place, using technologies such as tokenisation, format-preserving encryption or data masking. Tokenisation, for example, is a process that substitutes unique, randomly generated values (tokens) to reference personal data (such as payment card data), while maintaining the length and format of the original data to minimise the number of changes required to business processes.

Apply persistent controls to the data.

Rights-management solutions are designed to follow the data itself, providing controls over actions that may be taken on the data even after it leaves the boundaries of an enterprise-managed computing infrastructure.

An opportunity, not a threat.

• The same security controls can be used to protect any sensitive data (not just personal data)

• Built-in security inside and out saves time and money, and reduces risk

• Security controls that form part of your GDPR compliance strategy should be seen as adding value to your business

Personal data discovery.*

• You need to discover the personal information you hold; where is your data?

• Remember that personal information doesn’t just live in your database, unstructured data or files; an individual can be identified by other data, such as their MAC or IP address, or by metadata

Best practice.

Adhering to best-practice security should be your default behaviour.

• Security should be the priority across all lines of business and amongst all employees – including IT

• The days of “If it ain’t broke, don’t fix it” are over. Unpatched and misconfigured systems are too great a liability

• Network security is not enough; protect all your data!

Security controls.

• The number of security controls should be in proportion to the level of risk

• If you have lots of sensitive personal data, you will need a high number of controls

Encryption.

Encrypt personal data, everywhere, all the time.

• Encryption must be matched by state-of-the-art access control

• Key management is essential

• “Always on” cryptography increases data security

• You don’t have to compromise security over performance

• On-chip hardware encryption in the CPU has been part of Oracle’s SPARC processors for generations and comes at no extra cost

• Many Oracle and third-party offerings are leveraging this functionality right now

The countdown.

• Fines will reflect the extent of organisational and technical measures

• You don’t have to wait to perform complete (sensitive personal data) discovery; you should already know which of your applications are likely to contain the most sensitive personal information

• Your company should act now to meet the new regulation – but being a security exemplar should always be a business priority (not just a GDPR exercise)