You should have done this anyway
If you are the person who looks at a piece of data wondering “which part is the riskful part” first, this is a site for you. If you are not, don't worry, you will get there in the end.
Why would you treat data with such distrust? What can be riskful in data?
Data gets more important every year. I remember companies taking over an ISP just for its customers' personal data. In five years the price for a person went up from $5 to $15. Those were the old days; everybody was open about this. It's another era now, and companies living off your data are quiet about it, and with reason. It is about a lot more money and about information which will be used against you.
The EU put together a regulation for you and these companies in order to improve the privacy of citizens. It's about time. It is called the General Data Protection Regulation.
It's a massive document enforcing lots of rules about handling data. It's a burden on any company and can be a momentum killer for every modern fast-moving business.
Like all law, this regulation lays down common sense, and companies should have implemented it long ago.
After May 2018, you will be able to directly separate riskful data from harmless. You had better become good at it.
Spotting riskful data does give you a competitive advantage over others; you'll see opportunities more often, as riskfulness may imply value. Also, by telling riskful data apart from harmless content, you may be able to avoid risks, and big financial risks where GDPR compliance is concerned.
Riskful data is mainly about your customers and your personnel. A company is loyal to only these two groups of people, and in that order. Ignoring the riskfulness of riskful data means that you will let down one of these groups or both, risking the continuity of your company.
There's no advantage in leaking
As the majority of your colleagues cannot tell riskful data apart from harmless data, some technical measures can be taken in order to allow May 2018 to pass by without too much hassle. Personnel should:
- Access company servers via a VPN only, inside or outside the building. There is no other company network for people's access than the VPN. The VPN is the company network.
- Use 2-factor authentication for this VPN (no, not via SMS).
- Use file-services with mandatory data-expiration only.
- Be able to access no personal information of anybody other than that which is absolutely necessary for doing his or her job.
- Be able to access all personal information needed to do his or her job based on automatically anonymised data.
- Not be able to send attachments in e-mails.
- Not keep documents for longer than a few days.
- Be comfortable with the thought of losing his or her laptop or phone.
And as a company, one:
- Should avoid storing personal information of customers. This is entirely do-able; most browsers fill in address-forms anyway, there is no need for storing names and addresses in a server.
- Should never use the customer's e-mail address for the login-name. It is a poor practice anyway, but it also gives away some personal data upfront.
- Must ask for explicit permission if personal information is stored.
- May ask customers to enter fake names, for personal data as well as login names and e-mail addresses.
- Should use first names only in in-company web-sites. A company is obliged by law to store personal data of its personnel; in order to guard that data carefully, only first names or similar weak pseudonymisation should be used in internal reports and so-called intranets.
About this title
The first four or five titles were written in some kind of rage after visiting the Big Data Expo, Utrecht 2017. I then knew about GDPR and had implemented various mechanisms to avoid running risks. The commercial heavy lifting at that expo was terrible. People should be informed about GDPR without FUD.