Rethinking Toxic Data in Light of GDPR

Toxic data is sensitive information that you would rather not retain, but must for the sake of business operations.

Like chemicals used in manufacturing, toxic data is a necessary ingredient for a desired outcome. Yet it must be handled in a way that eliminates unintended exposure.

Some define toxic data as information that has already been lost and caused damage to the organization that was responsible for it. Examples include the loss of credit card information by a retail organization, illegal downloads of a motion picture, or theft of proprietary designs from a manufacturer. Others have warned that “calling data a ‘toxic asset’ sensationalizes the data security conversation into alarmist territory.”

The purpose of labeling data as toxic is to call attention to the need for stronger protection around it. So the idea that data isn’t toxic until it has been lost is an inadequate way of categorizing it. While the word “toxic” has an alarmist bent to it, the evolving regulatory landscape provides a new reason to be alarmed.

The European Union General Data Protection Regulation (GDPR)

GDPR is a regulation intended to strengthen and unify data protection for individuals within the European Union (EU). It also governs the export of personal data outside the EU, in an effort to give individuals back control of their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU. It was adopted on April 27, 2016 and enters into application on May 25, 2018, following a two-year transition period.

At this point, you might be tempted to click away, thinking that GDPR is irrelevant to a North American (or UK – thanks, Brexit) audience. But this regulation, like many US regulations, has extraterritorial reach well beyond the jurisdiction that enacted it.

If your organization has offices or employees in the EU, sells to individuals in the EU, partners with EU-based organizations, or simply stores personal data of EU residents, then you must comply with GDPR or you could face fines of up to €20,000,000 or 4 percent of annual worldwide turnover (whichever is higher) and/or lawsuits from the individuals concerned.

GDPR increases the toxicity of personal data

According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."

Because of the severe penalties that EU regulators are armed with, the storage and protection of personal data, and the individual’s self-service control over it, need to undergo a culture change toward “data protection by design” rather than a focus on minimal compliance standards.

GDPR requirements specific to the handling of personal data include:

• The “right to erasure” (deletion of one’s personal data on request) and the related right to rectification (correction of inaccurate personal data stored about oneself).

• Persons must be informed why data is being collected, for how long it will be retained, and how personal data will be protected.

• In some cases, organizations will have to appoint a Data Protection Officer to monitor internal compliance.

• The right of data portability that requires the “data controller” to provide the data to another controller in a structured and commonly used electronic format at the request of a person.

These requirements place a significant amount of power in the hands of users and a significant burden on organizations or data controllers to implement data protection by design.

Dealing with the toxicity

The activities that will be most impacted by GDPR include online retail and marketing. These activities are often underpinned by a Consumer Identity and Access Management (CIAM) system that provides customer opt-in for marketing contact, convenient authentication methods, and marketing insights.

Analyst firm KuppingerCole recommends that companies currently deriving benefit from CIAM must:

1. Perform a privacy data assessment

2. Create new privacy policies as needed

3. Plan to clean and minimize user data already resident in systems

4. Implement the consent gathering mechanisms within their CIAM solutions

Reducing the amount of personal data subject to GDPR (point #3) is a critical step toward minimizing the risk exposure that GDPR creates: data you no longer hold cannot be breached, cannot be the subject of an erasure or portability request, and cannot attract a fine. While the retail and marketing industries are most clearly impacted by GDPR, every online business with customers residing in EU countries should take this critical step toward reducing the amount of personal data that is retained.
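To make the minimization step concrete, here is an added illustration (not code from the article, from KuppingerCole, or from any CIAM product) of the three mechanical operations a cleanup pass needs: purge records past a retention window and strip fields the stated purpose does not require, honor an erasure request, and produce a portable export in a structured, commonly used format. The user table, field names, two-year retention period and salted-hash pseudonymization of IP addresses are all assumptions chosen for the example.

```python
"""Retention sweep, erasure and portable export over a constructed user table.

Added illustration, not code from the article or any CIAM product. The field
names, the retention period and the sample rows are assumptions.
"""
import hashlib
import json
from datetime import date, timedelta

# Constructed sample data: a CIAM-style user table holding more than it needs.
USERS = [
    {"user_id": "u1", "email": "ann@example.org", "ip": "203.0.113.7",
     "dob": "1980-04-02", "marketing_consent": True, "last_active": "2017-03-01"},
    {"user_id": "u2", "email": "bob@example.org", "ip": "198.51.100.9",
     "dob": "1975-09-14", "marketing_consent": False, "last_active": "2015-01-20"},
    {"user_id": "u3", "email": "cho@example.org", "ip": "192.0.2.44",
     "dob": "1990-12-30", "marketing_consent": True, "last_active": "2016-11-15"},
]

# Fields the stated purpose (account login plus consented marketing) actually
# needs; everything else is toxic data held for no reason. Assumed for the example.
REQUIRED_FIELDS = {"user_id", "email", "marketing_consent", "last_active"}
RETENTION_DAYS = 730  # assumed policy: two years of inactivity, then purge


def pseudonymize_ip(ip, salt):
    """Keyed hash of an IP address so abuse analytics can still count repeat
    addresses without the raw address being stored. Keep the salt out of the
    database, otherwise the pseudonym is trivially reversible for IPv4."""
    return hashlib.sha256((salt + ip).encode()).hexdigest()[:16]


def minimize(users, today_iso, salt, retention_days=RETENTION_DAYS):
    """Drop users inactive past the retention window. For those kept, retain
    only the required fields and replace the raw IP with a pseudonym.
    Returns a new list; the caller decides when to overwrite the store."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    kept = []
    for u in users:
        if date.fromisoformat(u["last_active"]) < cutoff:
            continue  # retention expired: the whole record is purged
        slim = {k: v for k, v in u.items() if k in REQUIRED_FIELDS}
        slim["ip_pseudonym"] = pseudonymize_ip(u["ip"], salt)
        kept.append(slim)
    return kept


def erase(users, user_id):
    """Right to erasure: remove every row belonging to the data subject, in
    place. Returns the number of rows removed so the request can be logged
    with an outcome (zero means 'we held nothing', which is also an answer)."""
    before = len(users)
    users[:] = [u for u in users if u["user_id"] != user_id]
    return before - len(users)


def export_portable(users, user_id):
    """Right to data portability: the subject's data as JSON, a structured and
    commonly used format another controller can ingest. None if unknown."""
    for u in users:
        if u["user_id"] == user_id:
            return json.dumps(u, sort_keys=True)
    return None


if __name__ == "__main__":
    table = minimize(USERS, "2017-04-01", "example-salt-not-for-production")
    print("after sweep:", [u["user_id"] for u in table])
    print("erased rows for u3:", erase(table, "u3"))
    print("portable export for u1:", export_portable(USERS, "u1"))
```

Two design points worth noting. The sweep returns a new list rather than editing in place so it can be reviewed (or diffed against the store) before anything is destroyed, whereas erasure deliberately mutates in place and reports a count, since the request must be actioned and evidenced. Pseudonymizing rather than deleting the IP keeps a field useful for fraud detection while removing the directly identifying value; if the salt is compromised the pseudonyms become personal data again, so treat it as a key.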

All businesses need to evaluate what exposure they have to GDPR and plan for the implementation of controls that will satisfy the requirements as necessary.

Operating a business in the 21st century means that most organizations will not be able to eliminate toxic data entirely. You have less than 14 months from the writing of this article to prepare for the increase in toxicity that GDPR represents.

Travis Greene, Identity Solutions Strategist at Micro Focus, possesses a blend of IT operations and security experience, process design, organizational leadership and technical skills. After a 10-year career as a US Naval Officer, he started in IT as a Data Center Manager for a hosting company. In early 2002, Travis joined a Managed Service Provider as the leader of the service level and continuous improvement team. Today, Travis conducts research with NetIQ customers, industry analysts, and partners to understand current Identity and Access Management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is Expert Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.