If digital businesses haven’t already been preparing for the European Union’s General Data Protection Regulation (GDPR), the time is now. The regulation was adopted in April of 2016 and will officially go into effect on May 25, 2018.
Despite the advance notice and warnings given, the range of GDPR preparedness is still very broad, according to Richard Macaskill, product manager at Redgate Software. Preparedness ranges from companies that have invested significantly in training and tools to companies that are taking a riskier path and simply waiting to see what they can get away with. The latter approach is troubling because non-compliance carries a fine of up to 4 percent of annual global revenue or €20 million, whichever is greater.
“I think it’s safe to say that organizations should be much further along than they are. Under GDPR, you need to be able to articulate what the data is, where on your network it resides, what controls you have for protecting it, and the measures addressing mistakes/breaches,” said Adam Famularo, CEO of data governance solution provider erwin.
According to a recent survey conducted by erwin, only 6 percent of enterprise respondents indicated they were prepared for the regulation. In another industry survey from data backup, protection, recovery and management provider Commvault, only 21 percent of respondents believed they had a good understanding of what the GDPR actually means.
The problem, according to the Commvault study, is that businesses don’t understand their data. Only 18 percent of respondents understand what data their company is collecting, and where it stores that data. “For a long time, businesses just collected more data than it needed to and retained it much longer than it should with the hope that someday it is going to provide some kind of value,” said Nigel Tozer, solutions marketing director, EMEA at Commvault.
Part of what is still unknown about the GDPR is what happens once it goes into effect. The Commvault study found 17 percent of respondents understood the potential impact GDPR will have on the overall business. That lack of awareness is causing some businesses not to realize how serious this will be. Every business of every size has to comply with these regulations. It doesn’t matter if you are just a plumber. If you collect and store information about an individual in the EU, you have to comply, according to Tozer. While it is going to be impossible for a regulator to go in and audit everyone to see if they are compliant or not, that doesn’t mean businesses should just ignore the regulation.
The GDPR regulator body gave businesses two years to get ready and start complying. By May, businesses need to show they have made significant progress towards GDPR compliance. According to Seth Dobrin, chief data officer for IBM, a lot of businesses are still trying to figure out what “significant progress means,” but the most important thing is for businesses to start making changes. “Starting today is better than not starting at all,” he said. “At least you are showing some progress.”
According to Commvault’s Tozer, a good place to start is fixing the biggest hole first. Identify the weakest link and start directing some of the efforts there, he explained. For example, if a company is worried about a data breach in a particular area, it should try resolving that first before going forward.
IBM’s Dobrin suggests a complexity reduction exercise. GDPR is not about all the data that resides within a company; it is about the data that pertains specifically to individuals. Once businesses reduce that complexity and understand what personal data they hold, they can begin a data discovery exercise to figure out where the data is, what state it is in, and what needs to be done to get it GDPR ready.
Reducing complexity is also a great way for companies to “clean their house,” according to Noam Abramovitz, head of product and GDPR product evangelist for IT operations company Loom Systems. Once a business understands where everything is stored and what they have and don’t have, they can have a conversation about what they want to collect and archive, and form a strategy on how to maintain compliance.
To understand what you have and where it is, businesses will need to conduct a data audit or data mapping exercise, according to Redgate’s Macaskill. The resulting data map needs to be accurate, provide proper visibility into the data, and be maintained so that it continues to reflect a true view of where the data actually is.
“By now I would hope that companies are already identifying the ways they currently hold and use data, and assessing how that will need to change in the future. Policies can be changed quite quickly in theory, but products take time to update and prove. In-flight projects will be impacted by the need to change ways of working and new projects will need estimating and resourcing with GDPR in mind,” said Dan Martland, head of technical testing at Edge Testing.
A lot of the first steps toward GDPR preparedness also revolve around education. According to business intelligence and data management provider Information Builders, businesses need their employees to understand their risks and understand how their projects impact personal data. Developers and IT managers can do their businesses a big service just by being aware of the regulation and what it requires, and by understanding what can be done in terms of portability and privacy of data.
What is also important to understand is the regulation is not binary, according to Loom’s Abramovitz. “You are not going to wake up one day, go over a checklist and then you are finished,” he said. Compliance is something businesses will have to keep working on moving forward. Whether companies want to be compliant or just stay away from the EU, they need to start having an internal discussion of how the regulation impacts them.
“GDPR has been a significant time in the making and it can’t arrive soon enough – people need to understand how their data is being used to influence them and nudge them into specific choices and be given back the power to say they don’t want that to happen,” said Martland.
Technology’s role in GDPR
The law references approaches such as encryption and anonymization, and the handling of sensitive data. A lot of these things are impossible to do without tooling, according to Redgate’s Macaskill. Tooling vendors have an interesting story here because they can help pave the way towards GDPR compliance.
Commvault’s Tozer said the biggest obstacle in complying with the GDPR will be data complexity. Having a tool in place can help businesses profile their data and understand what they have, where it is and what needs to change.
“The biggest challenge in complying with the GDPR is the fact that personal data can be located anywhere,” according to the company. Commvault’s GDPR compliance solution provides backup, recovery, and archiving of structured and unstructured data in a single searchable solution. It features the ability to identify and map data, preserve and protect information, prioritize security, reduce exposure, manage retention, provide role-based capabilities, and includes audit and reporting features.
Loom Systems believes having that centralized place to store data, logs and events is essential for complying with the regulation. “If organizations don’t have a centralized solution, what will happen is they will have to be compliant for each and every server, which is tedious and requires a lot of manual work. It is also very dangerous if they miss some sensitive data that could make them no longer compliant with the GDPR,” said Abramovitz.
Loom Systems’ Sophie for GDPR is an AIOps platform that analyzes both log and unstructured machine data for visibility into IT environments. It includes a “find my PII” (personally identifiable information) feature, enables users to remove any identifiable information, can be stored on-premises or in the cloud, and helps comply with the right to be forgotten.
Redgate’s Macaskill explained with GDPR there is a movement from ‘trust me’ to ‘show me.’ Instead of just trusting that a business is going to take care of your data, they have to prove they can. To do so, they need to have a dependable, repeatable process and easily show where the data is and how it is managed. This requires businesses to have better insight into their databases. Redgate’s data solutions enable users to control and manage their database and database copies, protect sensitive data, automatically mask databases, monitor the data, and provide backups.
A lot of the solutions on the market correctly focus on the data management or data governance aspect of the GDPR. This is because for years, companies have been collecting information and piling up layer upon layer of data, according to Jon Deutsch, VP and global head of industry solutions at Information Builders. In addition, a lot of it is collected in a very fragmented way. With personal data being the main aspect of the GDPR, organizations are scrambling to understand what they have and properly manage it now.
“An effective data governance program is critical to ensuring the data visibility and categorization needed to comply with GDPR. It can help you assess and prioritize risks to your data and enable easier verification of your compliance with GDPR and auditors,” erwin’s Famularo added.
Erwin EDGE (enterprise data governance experience) enables companies to discover and harvest data assets, classify PII data, create a GDPR inventory, perform GDPR risk analysis, prioritize risks, define GDPR controls, apply and socialize GDPR requirements, implement GDPR controls into IT roadmaps, and leverage a GDPR framework to prove compliance. “With erwin EDGE, companies can execute and ensure compliance with their current (as-is) architecture and assets and ensure new deployments and/or changes (to-be) incorporate the appropriate controls so that they are GDPR ready and compliant at inception,” said Famularo.
Information Builders takes a more tactical approach to complying with GDPR through three layers: strategic, planning and organization. Planning includes what are you going to do, how are you going to do it, and what is the scope of your work. The second layer involves understanding the data, where it lives, what it does, and how it pertains to personally identifiable information. The third is about analytics and monitoring. With the Information Builders Accelerator, users can pinpoint the greatest GDPR risks, understand where to start, and track how well the company is meeting expectations and goals in terms of compliance and timelines.
Tools can also help businesses continue to comply with the GDPR even after May 25. According to Edge Testing’s Martland, the GDPR will continue to be a major IT challenge over the next several years. To manage and assess ongoing GDPR compliance, he believes there is a need for a robust test data management strategy. “We believe that data management within the development process, particularly test data management, is the greatest source of risk for GDPR compliance. Access to realistic or representative data is an essential part of the development process: analysts need real data to investigate and elaborate requirements, developers need representative data in order to design and build the code, and testers probably need the largest datasets in order to create and execute their tests,” he said.
Lastly, if companies are looking for one solution to help prepare for the GDPR, IBM offers an end-to-end solution from consulting services to software that can help with discovery, consent management and breach notification. Depending on the entry point a company needs, IBM can help with data discovery assessments, GDPR readiness assessment, GDPR education and training, operationalizing GDPR readiness, and monitoring and reporting capabilities.
“This is not a one-and-done regulation,” said Dobrin. “This will be an ongoing journey that is going to require monitoring and reporting of compliance.”
GDPR and the future
While GDPR is coming from the EU, IBM’s Dobrin believes businesses should treat this as a global standard. Just applying this to your subjects in the EU is going to create more work than it would to apply it globally. “Putting all these processes in place and having it only apply to subjects that reside in Europe is going to be confusing and cumbersome,” Dobrin said. “We are applying this to our entire environment on all our subjects globally because that is the most effective way to implement it.”
According to erwin’s Famularo, in addition to personal data, the GDPR strengthens the conditions for consent, makes breach notification mandatory, expands rights of data subjects, applies the right to be forgotten, and introduces data portability. All of this can be beneficial to everyone globally.
“I believe GDPR will become the de facto data regulation globally. The issues of data governance and protection, specifically around personally identifiable information and portability will not be going away any time soon. And, if you look at regulations like HIPAA, businesses are motivated to action by regulations – and steep fines,” he said.
GDPR also presents the opportunity to better understand your customers, according to Information Builders’ Deutsch. By organizing and understanding data, businesses can get better insight into customers and customers can get better visibility into their relationship with the business. “Let’s take advantage of what we are doing and turn it into an opportunity to better our customer relationships,” he said.
Every enterprise is aware their industry is going to be digitally disrupted if it hasn’t been already, according to Dobrin. The primary way an industry or business gets disrupted is when a third party comes in, takes a different perspective on what clients are looking for by looking at things through their eyes, and provides them a better solution that is more outcome-based and satisfies their need. Dobrin explained the reason this disruption happens is because businesses don’t have a good understanding of their clients or their relationship with their clients. GDPR solves this problem by forcing them to truly understand their customer base.
“The GDPR is going to really help businesses understand their clients and build a conversation around how you can be better, quicker, faster, more efficient and more productive,” said Dobrin.
Who should be concerned about the GDPR?
Everyone who does any kind of business with anyone in the EU. While the GDPR is designed to replace the Data Protection Directive 95/46/EC and is written specifically as European data privacy law, it impacts businesses worldwide. “The biggest change is Increased Territorial Scope. This means the regulation extends beyond the continent to any company that collects or stores personal data of subjects residing in the EU, regardless of the company’s location,” said Adam Famularo, CEO of erwin.
Famularo adds the rules also apply to both controllers and processors, which means clouds are not exempt.
According to IBM’s chief data officer Seth Dobrin, the regulation is not about where you are based, it is about where your subjects, employees, clients, and contractors are. “It is a misnomer to ask how companies outside the EU should think about this or if they should approach it differently because it applies to your subjects and their rights. It pertains to anyone who has a subject that resides in the EU,” he said.
What type of data is the regulation protecting?
The GDPR applies to personal customer data or private individuals’ data. According to Dan Martland, head of technical testing at Edge Testing, that includes any form of data with information on customers, business partners, vendors, employees and members of the public. This type of data can live anywhere from emails, documents, files and photos to online stores, mobile apps, homegrown apps, data warehouses and spreadsheets.
“To ensure GDPR compliance, organizations need to document what personal data is held, its location, source, reason for storage, length of retention, use, access rights and how it is shared, both internally and externally,” Martland said. “They must then get consent from the data subject to have their personal data processed and, going further than before, detail what happens to their data once consent is granted.”
In addition, IBM’s chief data officer Seth Dobrin explains the regulation redefines personally identifiable information (PII) as a broader term called personal data. Personal data includes any data that can be used to directly or indirectly identify an individual. It includes all of the data within PII as well as things like GPS coordinates, IP addresses, bank details, social networking and medical information. “It is anything that could be used to potentially directly or indirectly identify you,” Dobrin said.
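The broad definition of personal data above, together with the data discovery and test data management concerns raised earlier in the article, is easier to reason about with a small worked example. The following Python is an added illustration, not code from the article or from any of the vendors quoted in it: it scans a few constructed log records for three of the categories Dobrin lists (e-mail addresses, IP addresses, GPS coordinates), builds a per-category inventory of the kind a data mapping exercise produces, and pseudonymizes the matches with a keyed hash so that a copy of the data can be handed to developers or testers without the original values. The regular expressions, the record format and the key are assumptions made for this example; a real scan would need patterns for every category an organization actually holds.

```python
import hashlib
import hmac
import re

# Constructed sample records (not real data) that mix ordinary log text with
# values the GDPR would treat as personal data.
SAMPLE_RECORDS = [
    "2018-05-25T09:12:01Z login ok user=anna.k@example.org src=198.51.100.23",
    "2018-05-25T09:12:07Z geo fix lat=52.5200 lon=13.4050 device=d-4411",
    "2018-05-25T09:13:44Z cache warm-up finished in 812ms",
]

# Detection patterns for three of the categories named in the article.
# The pattern set is an assumption of this example, not an exhaustive list.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "gps": re.compile(r"lat=-?\d+\.\d+ lon=-?\d+\.\d+"),
}


def find_personal_data(record):
    """Return [(category, value), ...] for every match found in one record."""
    hits = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(record):
            hits.append((category, match.group(0)))
    return hits


def inventory(records):
    """Count matches per category across all records: the 'what personal
    data do we hold, and where' step of a data mapping exercise."""
    counts = {category: 0 for category in PATTERNS}
    for record in records:
        for category, _ in find_personal_data(record):
            counts[category] += 1
    return counts


def pseudonymize(record, key):
    """Replace each detected value with a keyed-hash token.

    The same input always maps to the same token, so relationships between
    records survive in test data, but the original value cannot be recovered
    from the token without the key (which stays out of the test environment).
    """
    def token(category, value):
        digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
        return "<%s:%s>" % (category, digest[:12])

    out = record
    for category, pattern in PATTERNS.items():
        out = pattern.sub(lambda m, c=category: token(c, m.group(0)), out)
    return out


if __name__ == "__main__":
    # Constructed key for the demonstration only.
    key = b"constructed-test-key"
    print("inventory:", inventory(SAMPLE_RECORDS))
    for record in SAMPLE_RECORDS:
        print(pseudonymize(record, key))
```

The inventory step answers the “what do we hold and where” question; the pseudonymize step addresses Martland’s point that copies of production data used for requirements, development and testing are a compliance risk in their own right. Because the tokens are keyed with HMAC rather than a plain hash, someone holding only the masked copy cannot rebuild the original by hashing guessed e-mail addresses or IP ranges themselves.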