Privacy Laws – Achieving and Maintaining Compliance

Published On: February 6, 2020
Categories: Blog

I relish the moment when someone says to me “It’s not like the regulations say that I must find every last entity. So why do I need to discover where my data can be found in order to achieve compliance? What I have is enough!”


Let’s start by understanding why these regulations came into effect. Essentially, organizations were not being careful enough with our information – yours, mine, our friends’ – despite embracing corporate security policies. These policies were not enough to prevent the news headlines that we’ve become accustomed to. And so, new regulations addressing data, its use, its security and its ownership, were created.

If we delve into the GDPR, there are two significant activities that must be undertaken:

  1. Make your best effort in your attempt to achieve compliance.
  2. Maintain that compliance through your continued best efforts.

Both must be undertaken by “taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected”.

In simple terms, to achieve compliance, there are three main tasks:

  1. Make every effort to discover all repositories of personal data, and be able to demonstrate that effort.
  2. Map all repositories of personal data to the processes that utilize them, and delete those that are not used.
  3. ‘Legalize’ the remaining processes.

Again, in simple terms, to maintain compliance you must be able to show:

  1. That there is a continuous risk management process that encompasses the current data processing, the capability of the existing infrastructure, and the prevailing threat landscape.
  2. The implementation of additional ‘appropriate’ controls (as necessary).
  3. An acceptance by senior leadership (usually the Board of Directors) of the residual risk.

Point 3 above is key. The BoD can never use the phrase, “We didn’t know the data was there!” After all, they are ultimately accountable for the business, for the good and the bad.

The solution addresses the issues outlined above. We discover your unknown data, which helps achieve and maintain this compliance in the following ways:

  1. We find the lion’s share of your personal data in the initial discovery exercise – allow for immediate risk reduction;
  2. We help you map the personal data flow to business processes for subsequent legalization – achieve compliance;
  3. We ensure that unauthorized personal data is not introduced – maintain compliance.

These three things provide ample evidence that you have met (or exceeded): 1) the demonstration of “state of the art and the costs of implementation”, 2) the necessary input into the risk management process, and 3) the BoD’s requirements to make appropriate decisions.

As you have probably gathered, to truly understand what you do with your data, continuous visibility is paramount.