Coming into force on May 25, 2018 is the long-awaited European General Data Protection Regulation (GDPR), which will change how businesses handle data on their customers and employees. In this ever-evolving world of data privacy, it’s important for companies not only to gain a strong understanding of GDPR, but also to understand where their data is located and what steps need to be taken to safeguard and protect that data.
What is GDPR?
The EU GDPR is the most important change in data privacy regulations in 20 years: it replaces the Data Protection Directive 95/46/EC, put in place in 1995 to govern the processing of personal data about individuals and the free movement of that data. The EU GDPR is designed to enhance data privacy laws across Europe, changing the way organizations approach citizens’ data privacy.
According to Dimitri Sirota, CEO of data protection and privacy company BigID, the GDPR is extremely specific, and there are about 99 ways for companies to get in trouble or “miss the mark” if they are not compliant. Penalties for organizations in breach of GDPR are up to four percent of annual global turnover or €20 million, whichever is greater. This is the maximum fine for noncompliance, and it’s imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating the core Privacy by Design concepts, according to eugdpr.org.
As an example, the GDPR requires that every individual who is a European resident or citizen, anywhere in the world, has a legal right to their data. They can request all of their data from any company, and that company needs to provide the data within 30 days, said Sirota. It also allows any individual to request that their data be deleted from an organization.
Jean-Michel Franco, director of data governance products at big data integration company Talend, said that GDPR also mandates organizations warn their people about data leaks — and they have 72 hours to do so.
Simply put, the GDPR is all about data privacy and protection, and any national company needs to figure out what the GDPR means specifically for their business, added Sirota.
Are organizations prepared for GDPR?
The broadened privacy rights and fines for noncompliance are just part of the changes that come with GDPR, yet many companies have no idea what is coming their way, according to an IDC Research survey conducted in May 2017.
The survey found that a quarter of the 700 European companies surveyed admitted they were not aware of GDPR, and more than half (52 percent) were unsure of its impact on their organization.
Since there are 99 articles to GDPR, Sirota said some enterprises tend to focus on specific elements of the mandate, while others are becoming more ambitious and digging into all of the requirements.
“Organizations want to be able to take control of their data, and account for their data,” said Sirota. “There is no other way to be accountable to your customers unless you can know what data you collect on that individual, [so] more ambitious companies are [realizing] that they need visibility into the data.”
How can organizations get ready for GDPR?
To start, the regulation mandates that if you hold significant data, you need to appoint a data protection officer. However, in a large organization one person should not be responsible for everything done with private data within the company, so it’s a matter of delegating the authority to the right people, according to Franco. ComputerWorld UK writes that there should be two roles dedicated to data protection: an individual who acts as the contact point for the data protection authority and data subjects, and a data protection officer who makes sure processing operations are compliant.
IBM also developed a five-step approach to GDPR preparation: assess GDPR readiness, design an implementation plan, transform the organisation wherever enhancements are needed, operate along a framework designed to ensure compliance, and conform on an ongoing basis to GDPR standards.
From a security perspective, Sirota said that today’s technology doesn’t focus on the data itself: most security technology is focused on the endpoints, the application, the server and the network, he said.
“What I think companies are realizing is, if they want to protect that particular asset, you need to have some safeguards around that asset,” said Sirota. He thinks that this is the next phase for companies as GDPR approaches.
“Protecting the network is not the same as protecting the data, and the fact that this regulation and this huge penalty is a shadow, [it’s] forcing companies to rethink about how they track, account, manage the data they collect on their customers and employees,” said Sirota.
What technology exists for companies to utilize as they prepare for GDPR compliance?
Since this is one of the more dramatic regulations in history, said Sirota, we should expect to see a wave of new technologies specifically geared toward the better management and protection of identity data.
There is software and technology available today that can help, such as privacy impact assessment tools, and technology geared towards the discovery, protection and governance of identity data. These tools give companies the ability to dig deeper, focus the microscope on data, and give the business the intelligence it needs to see how the data is being used, and then take action around that data to de-risk it, said Sirota.
“Privacy is all about confidentiality and being able to assure individuals that their data is not being misused,” said Sirota. “But again, you can’t do any type of assurance unless you know where their data is, so the privacy concerns that companies have are clearly about data, data loss and data misuse.”
Additionally, it’s important to address key requirements around data inventory and portability, which is why Talend and MapR Technologies are working together to create a new governed data lake solution to help businesses accelerate their GDPR readiness, according to Franco. He said that about 50 percent of companies affected by the GDPR will not be in full compliance by the end of 2018, which is why the new data lake solution is built to meet the GDPR’s data storage, inventory, protection, retention, and security requirements.
While it’s not the only way to regulate and protect data, Franco said that Talend believes it’s a way to centralize the process, and it lets companies discover how their data is being captured, shared and managed.