As we explained in an article earlier this week, the new European General Data Protection Regulation, which goes into effect next May, has wide-reaching implications for data center operators in and outside of Europe. We asked experts what steps they would recommend operators take to prepare. Here’s what they said:
Ojas Rege, chief marketing and strategy officer at MobileIron, a mobile and cloud security company based in Mountain View, California:
Every corporate data center holds an enormous amount of personal data about employees and customers. GDPR compliance will require that only the essential personal data is held and that it is effectively protected from breach and loss. Each company should consider a five-step process:
- Do an end-to-end data mapping of the data stored in its data center to identify personal data.
- Ensure that the way this personal data is used is consistent with GDPR guidelines.
- Fortify its protections for that personal data since the penalties for GDPR compliance are so extensive.
- Proactively establish a notification and forensics plan in the case of breach.
- Extensively document its data flows, policies, protections, and remediation methods for potential GDPR review.
Neil Thacker, deputy CISO at Forcepoint, a cybersecurity company based in Austin, Texas:
Data centers preparing for GDPR must be in position to identify, protect, detect, respond, and recover in case of a data breach. Some of the key actions they should take include:
- Perform a complete analysis of all data flows from the European Economic Area and establish in which non-EEA countries processing will be undertaken.
- Review cloud service agreements for location of data storage and any data transfer mechanism, as relevant.
- Implement cybersecurity practices and technologies that provide deep visibility into how critical data is processed across their infrastructure, whether on-premises, in the cloud, or in use by a remote workforce.
- Monitor, manage, and control data — at rest, in use, and in motion.
- Utilize behavioral analytics and machine learning to discover broken business processes and identify employees that elevate risk to critical data.
See also: What Europe’s New Data Protection Law Means for Data Center Operators