Implementing data discovery provides an operative foundation for the effective application and governance of any of the P&DP fulfillments.
Data Discovery from the Customer’s Perspective
The customer, in his role as the data controller, has full responsibility for compliance with the obligations of the P&DP laws.
Therefore, data discovery solutions implemented with data classification techniques provide a sound basis for operatively specifying to the service provider the requirements to be fulfilled and for performing effective periodic audits according to the applicable P&DP laws.
They also demonstrate, to the competent privacy authorities, the customer’s due accountability according to the applicable P&DP laws.
The service provider particularly benefits from this approach:
- For its duty to detect, promptly report to the controller, and properly manage personal data breaches according to the applicable P&DP obligations.
- When the service provider involves subservice providers, to trace and operatively transfer to them the P&DP requirements according to the processing assigned.
- When the service provider has to support the controller in any of the P&DP obligations concerning the application of rules and prohibitions of personal data transfer through multiple countries.
- For its duty to operatively support the controller when a data subject exercises his rights; this requires information about which data is processed, or the implementation of actions on this data (correct or destroy the data).
Implementation of data discovery with data classification techniques represents the foundation of DLP and data protection, which are applied to personal data processing so that it operates in compliance with the P&DP laws.
Classification of Discovered Sensitive Data
Classification of data for compliance with the applicable P&DP laws plays an essential role in the operative control of those elements that are the feeds of the P&DP fulfillments.
This means that not only the nature of the data should be traced with classification but also its relationship to the P&DP law context in which the data itself should be processed.
The P&DP fulfillments, and especially the security measures required by these laws, can always be expressed at least in terms of a set of primary entities:
Scope and purpose of the processing
This generally represents the main footprint that influences the whole set of typical P&DP fulfillments.
For example, processing for administrative and accounting purposes requires fewer fulfillments in terms of security measures and obligations toward the data subjects and the DPAs compared with the processing of telephone or Internet traffic data for mobile payment services.
That’s because the cluster of data processed (personal data of the subscriber, his billing data, the kind of purchased objects) assumes a more critical value for all the stakeholders involved and the P&DP laws consequently require more obligations and a higher level of protection.
Categories of the personal data to be processed
Note that the category of the data means the type of data as identified for a P&DP law.
Usually, this is quite different from the nature of the data, that is, its intrinsic and objective value. In this sense, data categories include these:
- Personal data
- Sensitive data (health, religious belief, political belief, sexuality, and so on)
- Biometric data
- Telephone or Internet data
From the point of view of the P&DP laws, the processing means an operation or a set of combined operations that can be materially applied to data; therefore, in this sense processing can be one or more of the following operations:
Deriving from these, a secondary set of entities is relevant for P&DP fulfillments:
Data locations allowed: The geographic locations that are allowed to be considered and used for the hosting of data.
According to the applicable P&DP laws, there are constraints and prohibitions to be observed, and this should be properly reflected in the classification of data so that it acts as a driver in allowing or blocking the movement of data from one location to another.
Categories of users allowed: Accessibility of data for a specific category of users is another essential feature for the P&DP laws. For example, the role of a backup operator should not be able to read any data in the system even though the operator role needs to be able to interact with all system data to back it up.
Data Discovery and Data-retention constraints
The majority of the categories of data processed for specific scopes and purposes must be retained for a determined period (and then erased or anonymized) according to the applicable P&DP laws.
For example, there are data retention periods to be respected for access logs concerning the accesses made by the role of a system administrator, and there are data retention periods to be respected for the details concerning the profiles defined from the online behavior of the Internet users for marketing.
Once the retention period has ended, the legal ground for retention of the data disappears.
Therefore, any additional processing or handling of the data becomes unlawful.
Security measures to be ensured: The type of security measures can vary widely depending on the purpose and data to be processed. Typically, they are expressed in terms of the following:
- Basic security measures to ensure a minimum level of security regardless of the type of purpose, data, or processing
- Specific measures according to the type of purpose, data, or processing
- Measures identified in terms of output from a risk analysis process, to be operated by the controller or processor considering the risks of a specific context (technical, operational) that cannot be mitigated with the measures of the previous points
Proper classification of the data in terms of security measures provides the basis for any approach of control based on data leakage prevention and data protection processes.
Data Discovery and Data breach constraints
Several P&DP laws around the world already provide for specific obligations in terms of data breaches.
These obligations essentially require one to do the following:
- Notify the competent DPA within tighter time limits.
- Notify, in some specific cases set forth by law, the data subjects.
- Follow a specific process of incident management, including activation of measures aimed at limiting the damages to the concerned data subjects.
- Handle a secure archive concerning the occurred data breach.
Therefore, data classification that can take into account the operational requirements coming from the data breach constraints becomes essential, especially in the cloud services context.
Data Discovery Status
As a consequence of events such as a data breach, data can be left in a specific state that may require several necessary actions or a state where certain actions are prohibited.
The clear identification of this status in terms of data classification can direct and oversee any further processing of the data according to the applicable laws.
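The following is an added example, not part of the original page: it records the classification entities described above (purpose, category, allowed locations, allowed user categories, retention, status) as a label and uses that label as the driver that allows or blocks an operation. The field names, role names, region names and the two policy tables are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class Label:
    """Classification attached to a discovered data set (illustrative schema)."""
    purpose: str                  # scope and purpose of the processing
    category: str                 # personal, sensitive, biometric, traffic
    allowed_locations: frozenset  # regions where the data may be hosted
    role_ops: dict                # user category -> operations it may perform
    collected: date
    retention: timedelta
    status: str = "normal"        # state the data is left in, e.g. after a breach


# Constructed policy tables (assumptions, not taken from any law or product).
STATUS_BLOCKS = {"breach_hold": {"transfer", "erase"}}  # prohibited in that status
AFTER_RETENTION = {"erase", "anonymize"}                # all that remains lawful


def decide(label, role, op, today, dest=None):
    """Return (allowed, reason) for one operation on the labelled data."""
    if op in STATUS_BLOCKS.get(label.status, set()):
        return False, "status"
    if today > label.collected + label.retention and op not in AFTER_RETENTION:
        return False, "retention"
    if op not in label.role_ops.get(role, set()):
        return False, "role"
    if op == "transfer" and dest not in label.allowed_locations:
        return False, "location"
    return True, "ok"


# Constructed sample label for a traffic-data set.
SAMPLE = Label(
    purpose="mobile-payment", category="traffic",
    allowed_locations=frozenset({"eu-west", "eu-central"}),
    role_ops={"backup_operator": {"backup"},
              "data_steward": {"read", "transfer", "erase"}},
    collected=date(2024, 1, 1), retention=timedelta(days=365),
)
HELD = replace(SAMPLE, status="breach_hold")  # same data after a breach

if __name__ == "__main__":
    print(decide(SAMPLE, "backup_operator", "read", date(2024, 6, 1)))
    print(decide(SAMPLE, "data_steward", "transfer", date(2024, 6, 1), "us-east"))
    print(decide(HELD, "data_steward", "erase", date(2025, 6, 1)))
```

The status check runs first so that data under a breach hold cannot be erased even after its retention period has ended.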