What is GDPR?
The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The law governs data protection and privacy for citizens of the EU and aims to hand control over personal data back to individuals. The penalty for non-compliance with GDPR can be significant, depending on the size of the organization. The GDPR sets out 7 key principles that should underlie any organization’s approach to processing personal data:
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability
Do EUCAs, such as spreadsheets, present a compliance risk under GDPR?
Yes. EUCAs (end user computing applications) are frequently used for data storage and processing, so it is inevitable that data relevant to GDPR ends up in an Excel spreadsheet or Access database. Enterprise systems are usually rigid when it comes to meeting the diverse needs of different users and groups, especially as those needs change over time. A large percentage of users across the functional spectrum export data from financial, HR and project management systems and dump that data into one or more spreadsheets in order to process it further. This is the point at which data leaves highly controlled and secure enterprise systems and enters an environment where sharing is widespread and controls are very sparse.
It is in this environment that the company carries additional risk of breaching the mandates of GDPR. Given that businesses are not going to stop using spreadsheets or other EUCAs anytime soon, and that end users are no more likely to comply with company policy today than they were before GDPR, there is now a growing need for a reliable and effective way to identify and mitigate the risks associated with non-compliance, while also preserving the efficiency and utility of EUCAs throughout any given business cycle or process.
What can you do to bring data in EUCAs under control?
It’s important to remember that GDPR is not designed to prevent you from storing personal data. Rather, GDPR mandates that you retain control over it. In order to govern EUCAs and neutralize the risks they pose specific to GDPR, businesses need to:
1. Ensure Data Policy Covers EUCAs – Data governance, risk and compliance teams along with other stakeholders need to ensure that their data protection policies cover EUCAs.
2. Discover the Population – EUCAs are often out of sight and duplicated easily and needlessly. Organizations need to find and create an inventory of EUCAs that are stored in shared and widely accessible locations in the organization.
3. Analyze Content – Analyze content to understand if personal information or sensitive data is in use. If so, organizations need to understand whether it is a one-time data dump, or if it is periodically and repeatedly used to store sensitive data.
4. Assess the Criticality – EUCAs are an essential part of many business processes and it may be hard, often impossible, to replace them. Businesses need to assess the purpose and usage of such EUCAs to ensure that they can be subject to the appropriate level of scrutiny and control.
5. Track Changes, Manage and Review – The long-term goal for a business should be to ensure that critical EUCAs are version controlled, with the ability to gain insight into content change history. EUCAs should be periodically reviewed to ensure that any changes are well understood and that the EUCAs continue to function as expected.
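The discovery and content-analysis steps above (2 and 3), as an added example that is not part of the original article and is not Apparity's own tooling: a small Python scanner that walks a shared folder, reads each .xlsx file's shared-string table straight from the zip container, counts cells matching heuristic personal-data patterns (an email and a phone pattern, constructed for this example), and groups byte-identical copies by SHA-256 so needless duplicates surface. The sample workbooks, folder layout and patterns are all constructed; a real inventory would also cover .xls and Access files and use broader detectors.

```python
import hashlib, os, re, tempfile, zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# Heuristic personal-data patterns (constructed for this example; not an exhaustive GDPR definition)
PII_PATTERNS = {"email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
                "phone": re.compile(r"\b\d{3}[ -]\d{4}[ -]\d{4}\b")}
SST_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def xlsx_strings(path):
    """Text cells of a workbook: an .xlsx is a zip, and its text lives in xl/sharedStrings.xml."""
    with zipfile.ZipFile(path) as zf:
        if "xl/sharedStrings.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return [t.text or "" for t in root.iter(SST_NS + "t")]

def scan_euca(path):
    """Hash the file (to spot needless copies) and count personal-data hits per category."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    cells = xlsx_strings(path)
    hits = {n: sum(len(p.findall(c)) for c in cells) for n, p in PII_PATTERNS.items()}
    return {"path": path, "sha256": digest, "pii_hits": hits}

def discover(root_dir):
    """Walk a shared location, scan every spreadsheet, and group byte-identical copies by hash."""
    results = [scan_euca(os.path.join(d, n)) for d, _, files in os.walk(root_dir)
               for n in files if n.lower().endswith((".xlsx", ".xlsm"))]
    by_hash = defaultdict(list)
    for r in results:
        by_hash[r["sha256"]].append(r["path"])
    return results, {h: paths for h, paths in by_hash.items() if len(paths) > 1}

def write_sample_xlsx(path, strings):
    """Constructed minimal workbook with only a shared-string table; a fixed timestamp keeps copies identical."""
    sst = ('<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
           + "".join(f"<si><t>{s}</t></si>" for s in strings) + "</sst>")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(zipfile.ZipInfo("xl/sharedStrings.xml", (2020, 1, 1, 0, 0, 0)), sst)

def demo():
    """Constructed sample share: an HR export, a stray copy in a subfolder, and a harmless budget sheet."""
    share = tempfile.mkdtemp()
    hr = ["Name", "Alice Example", "Email", "alice@example.com", "Phone", "020 7946 0958"]
    write_sample_xlsx(os.path.join(share, "hr_export.xlsx"), hr)
    os.mkdir(os.path.join(share, "old"))
    write_sample_xlsx(os.path.join(share, "old", "hr_export - Copy.xlsx"), hr)
    write_sample_xlsx(os.path.join(share, "budget.xlsx"), ["Q1", "Q2", "Total"])
    return discover(share)
```

Running `demo()` flags both copies of the HR export with one email and one phone hit each, reports the budget sheet as clean, and returns the two HR files as a single duplicate group.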
How does Apparity help with EUCA governance?
Most regulations share a common philosophy: at any given time, organizations must be in control of their data and processing assets so that risk is mitigated. The Apparity platform, with its Discovery, Registration and Active Management modules, helps businesses implement effective EUCA governance and controls. Apparity’s configurable nature aligns with the unique policy and procedural demands of industry and government regulatory bodies.
• Automated solution that finds, catalogs and analyzes EUCAs and EUCA data.
• Intelligently groups related EUCAs to easily identify those that may be responsible for the iterative and/or periodic duplication of sensitive data and content.
• Discovers database connections made by EUCAs allowing companies to understand external data sources.
• Automatically updates the Apparity Inventory Management System (AIMS) with the Discovery results.
• The Apparity Inventory Management System (AIMS) Registration module allows the EUCA governance team to design and build an online assessment model that allows users to assess the criticality and purpose of the EUCAs they are responsible for.
• The registration process can then be used to automatically determine the level of controls that should be assigned to an EUCA.
• The Registration process, combined with the systematic oversight provided by Discovery, ensures that the Apparity Inventory Management System (AIMS) helps companies maintain a comprehensive, accurate and up-to-date listing of all the EUCAs that present a GDPR risk to the organization.
• All spreadsheets and Access databases that are deemed to present the highest possible risk to the organization can be subject to the rigor of ‘constant compliance’, with real-time tracking, version and change management controls.
• The Apparity Active Management module allows organizations to capture every significant change made to a high risk EUCA, ensuring an on-demand change management review and approval cycle with workflow that is tightly tied into the approval cycles demanded by the organization’s EUCA Policy.
• For some types of EUCAs, the Apparity ‘fingerprinting’ technology ensures that regardless of where a user saves, moves, names or renames the EUCAs they are working with, Apparity will track all copies and the sensitive content contained within those EUCAs.