Why ‘Ghost Assets’ are Killing your GDPR Compliance
Ensuring Data protection and privacy is a critical function of IT in any organization, particularly as the number of data breaches occurring in organizations continues to skyrocket, increasing by 17% in 2021 compared to 2020.
From data destruction and reputational damage to identity and intellectual property theft, the consequences of a breach can be severe. Worst-case scenario, it can put you out of business, with the average company share price dipping more than 7% in the days after a breach.
But the financial threat isn’t the only reason to ensure better protection and privacy. Digital trust is a key enabler for online businesses to build a customer base, as public perception after a data breach can directly impact consumer confidence and enterprise growth.
In the UK and Europe, it’s been almost four years since Europe’s General Data Protection Regulation (GDPR) came into effect, giving individuals the right to say what companies can do with their personal data – such as their name, address, or phone number.
The framework was designed to harmonize data protection and privacy for organizations doing business in Europe, with GDPR applying to any company that “processes” personal or customer data. But do businesses have the processes in place to truly preserve their customers’ privacy?
Are businesses complying with GDPR?
Under the terms of GDPR, companies are split into two categories: data controllers, which collect and process personal data for their own purposes, or data processors, which process personal data on behalf of a data controller.
Businesses that do business in Europe and collect, store and use customer data have to comply with GDPR. If they don’t, there are steep fines to face – up to €20 million or 4% of global revenue, whichever is higher.
Amazon currently holds the reluctant title of the biggest GDPR fine ever received, handed a mammoth €746 million fine in July 2021 after the company was found to be improperly processing users’ personal data.
To comply with GDPR, organizations must meet several obligations. One of the most critical of these is to maintain a register and detailed information of processing activities along – such as how the data is collected, what for, who the data is shared with, and how long it’s retained.
There are plenty of other hoops businesses have to jump through, such as providing a legal basis for processing data, ensuring data security during processing, and notifying authorities and affected individuals within 72 hours of a data breach.
This long list of obligations goes on, and can only be met when IT teams have a complete and accurate list of all the IT assets they have in their environment – which can be tough when businesses don’t know how many connected devices they own, nevermind employees personal devices accessing the network.
GDPR in a remote working world
To truly comply with GDPR, businesses need visibility and data on all devices, software, and users. They must make sure all data that traverses the network is protected, which requires knowing where it resides, who’s accessing it, and what software is being used to process data.
Having a complete and accurate IT asset inventory as well as detailed information on all corporate IT assets is a big tick in the box in becoming GDPR compliant.
Unfortunately, two-thirds of IT managers don’t have such an inventory. In a typical enterprise, ‘ghost assets’ – assets that are hidden and assumed missing – comprise around 30% of the entire IT estate.
Shadow IT continues to be a problem for GDPR compliance. Research by Forcepoint discovered that 56% of employees between the ages of 18 and 30 years old said they needed shadow IT to get their job done, while 67% of them said shadow IT made their job easier.
Teams across the organization often circumvent IT and implement software and services without formal approval, which makes them almost impossible to track and protect. Businesses can’t protect something if they don’t know it’s there in the first place.
The move to hybrid workplaces has also complicated things, with teams having to manage potentially vulnerable, unprotected, and unauthorized personal devices that may connect to the corporate network while employees working from home.
IT asset management and the GDPR conundrum
GDPR is more than just having some policies and procedures in place, something that’s all too common to see in practice). To comply with GDPR, companies must ensure all assets that process personal data are in the scope of the GDPR program.
IT teams need full visibility into every device, software installation, and user, as well as the ability to document all of the IT resources. During a compliance audit, the business also needs to be able to retrieve that data quickly and efficiently to prove that they’ve taken the necessary steps to protect customers’ data and preserve their privacy.
It’s the reason why IT asset management (ITAM) has become even more essential to achieving GDPR compliance and protecting organizations.
Deep scanning technology can provide unprecedented insight across entire IT estates, making it faster and easier to scan, detect, recognize, and document every device on the network – even rogue devices that only connect briefly.
IT teams can essentially take back control of their own defenses, able to quickly identify vulnerabilities and apply patches and updates across the board to ensure security and data protection. Complete and accurate IT asset inventories can also be maintained for documentation, reporting and auditing purposes.
In case of a breach, teams can quickly determine what devices are impacted, where the devices reside, and who’s accessing those devices. They can then Isolate and shut down impacted devices in minutes to minimize data exposure.
GDPR just the tip of the iceberg
GDPR isn’t just affecting UK and European businesses, however, with the policy acting as a framework for new global data security and privacy standards.
China recently passed the Data Security Law (DSL), which has similar effects to GDPR and also requires companies to adopt a data classification system. In the US, California recently passed the California Consumer Privacy Act (CCPA), which stipulates consumer data privacy rights when interacting with companies.
All of these new policies have broad implications for industries in every sector, making effective tools and strategies for efficient and thorough ITAM integral to the future of the business.
Customers are increasingly being influenced by the extent to which they feel organizations can be trusted with their data. The ability to confidently demonstrate data privacy and security will be essential for earning customers’ trust and inspiring loyalty.
Roel Decneut, Chief Strategy Officer at IT asset management provider Lansweeper