What Can You Do When All You Have is a Hammer Called DLP?

At Everteam, we meet with smart people in large organizations. Every week we find ourselves on calls and in conference rooms with business and IT executives talking about their information governance challenges. And it is no surprise that in recent months a lot of these conversations are about compliance with data privacy and retention requirements such as GDPR and NYDFS 500.13.

What may be a surprise is a very clear pattern we see in how organizations initially react to these requirements. Many of them start with a response from the internal IT team that boils down to “We can do this with our DLP (Data Loss Prevention) software.”

At some level, this reaction makes sense. Since part of the problem they need to solve is finding sensitive information (such as PII), a tool that includes the ability to search for that kind of information would seem the right solution. And most organizations have DLP tools and expertise in-house already. If DLP is the tool you have, and DLP is what you do, then a lot of problems look like DLP problems.

But did you know that DLP software solutions do not include key capabilities required to address the compliance issues created by regulations like NYDFS and GDPR? Here’s why.

Finding Sensitive Data is Not Enough

DLP tools provide a range of capabilities, one of which is to locate certain types of data and then monitor it. If that were all we needed to do, DLP software might be a good fit. But in reality, locating sensitive information assets is only the first step; we need to:

  1. Locate sensitive information assets
  2. Classify them as such
  3. Enrich the metadata associated with them
  4. Associate them with a record type based on our filing plan
  5. Manage them based on retention rules and dispose of expired items.

DLP solutions are not designed to do items 2, 3, 4 and 5.

Managing information based on privacy and retention requirements means more than finding sensitive information; it means classifying information assets and taking action on them based on that classification. Classification and records management are not the focus of any DLP toolset.

What is required is a software solution that includes auto-classification capabilities and records management functionality that allow you to manage sensitive information effectively after you find it. Because at the heart of emerging regulatory requirements is a need to have ongoing processes for managing how you handle sensitive information.

Thinking Outside the DLP Box

When we hear an organization say they are going to use their in-house DLP tools and resources as a means of addressing regulatory requirements, we know we are going to have tough conversations. Within the IT team are DLP experts who are confident that they can find sensitive information using the software they already own. And we agree, they probably can.

Their perspective is that it is a good approach for a first initiative, and will demonstrate they are making an effort to comply with the regulations. And it might.

But once the sensitive information is located, their assumed approach is to process it manually. The DLP team thinks this is a reasonable approach to the demands of NYDFS and similar regulations. But it isn’t.

Manually trying to sort out the information once located and take action on it simply will not work at scale, and it will not be effectively repeatable.

NYDFS 500.13, for example, requires that information assets be retained for as short a period as possible; it demands the application of retention rules. DLP solutions offer nothing here, so once information is located, it will have to be manually grouped or categorized and assigned or associated with a retention rule. Then that retention rule will have to be evaluated against the assets associated with that rule.

The right toolset for this work needs to include the ability to find groups of data assets based on characteristics in their metadata or content, and then automatically classify them based on those characteristics. The toolset needs to have the ability to define retention rules and associate them with classes of data, and then apply those rules and process items that are past their expiration date. The toolset needs to include AI capabilities like natural language processing and machine learning, integrated with workflow capabilities for moving items and routing expired items for destruction.
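The five-step process listed earlier and the retention evaluation described above, modelled as an added example (not Everteam's or any DLP product's code): step 1 is the pattern matching a DLP tool performs, while steps 2 to 5 need a filing plan, record-type metadata and a disposition pass that no detector provides. The sample corpus, detectors, record types and retention periods are constructed for illustration and are not a real retention schedule.

```python
import re
from datetime import date, timedelta

# Constructed sample corpus: (path, last-modified date, text). Values are made up.
DOCS = [
    ("hr/onboarding_2016.txt", date(2016, 3, 1), "SSN 123-45-6789 for new hire"),
    ("sales/q4_notes.txt", date(2023, 11, 5), "Quarterly pipeline review, no personal data"),
    ("finance/card_2019.txt", date(2019, 6, 20), "Card 4111 1111 1111 1111 on file"),
]

# Step 1, the part a DLP tool covers: detectors that locate sensitive content.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# Steps 2-4: a filing plan mapping a detected category to a record type and
# its retention period in years. Illustrative values only.
FILING_PLAN = {
    "ssn": ("employee-record", 7),
    "card": ("payment-record", 3),
}


def locate(doc):
    """Step 1: return the set of sensitive categories found in a document."""
    return {name for name, rx in DETECTORS.items() if rx.search(doc[2])}


def classify(doc):
    """Steps 2-4: classify, enrich metadata, and attach a record type + expiry."""
    path, modified, _ = doc
    found = locate(doc)
    if not found:
        return {"path": path, "record_type": None, "categories": [], "expires": None}
    # Simplifying assumption: when several categories match, the shortest
    # retention wins. A real filing plan resolves conflicts by its own rules.
    record_type, years = min((FILING_PLAN[c] for c in found), key=lambda p: p[1])
    return {"path": path, "record_type": record_type,
            "categories": sorted(found),
            "expires": modified + timedelta(days=365 * years)}


def disposition(docs, today):
    """Step 5: evaluate retention rules; return paths now due for destruction."""
    return [c["path"] for c in map(classify, docs)
            if c["expires"] is not None and c["expires"] <= today]
```

Running `disposition(DOCS, date.today())` lists the items whose retention period has elapsed; a detection-only tool would return the output of `locate` and stop there.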

Those kinds of capabilities are not part of the DLP toolset; they comprise an information governance solution designed to address compliance requirements.

As a software vendor, it can be hard to have an effective debate with the DLP team inside a company. They are experts at what they do, and they have the home-court advantage. They assume we are prejudiced (and we probably are!), so taking the “DLP is not the right toolset” position is assumed to be based on our interests, not our customers’.

But we are certain that our customers who proceed with the use of DLP software to address GDPR, NYDFS and other compliance requirements are entering a battle with the wrong weapon. Ultimately, they will not be successful in addressing fundamental privacy and retention requirements until they get the right set of software tools for the job at hand.

You can learn more about how Everteam Information Governance Solutions supports NYDFS by registering for our webinar: Hacking NYDFS Data Retention Requirements in Three Months.