Have you ever stopped to think about how much personal data is floating around the world or in your company’s databases? You may have decades’ worth of salaries, addresses, job applications, social security numbers, credit card numbers and on and on. If you factor in social media groups where we’ve willingly handed over our personal information for many years, then the amount of personal data stored by companies is mind-boggling! Companies are sitting on mountains of what I call “fat data,” or data that’s rich with sensitive personal information.
Companies will soon, however, be held to a higher standard when managing personal information. The end user will have more say in how their personal data is managed and where it’s being stored.
In just about two months, the spotlight will be shined brightly on companies who manage European Union citizens’ data with the enforcement of GDPR, the EU General Data Protection Regulation. Penalties for non-compliance are steep, with potential fines of up to 20 million euros or 4% of annual revenues. For that reason, and several others, U.S.-based companies are taking GDPR seriously. Facebook, for example, is rolling out a global privacy center in response to GDPR, giving users a single location where they can manage their privacy settings.
GDPR gives EU citizens more control over how their personal information is used, even providing the ability to have their data expunged completely under the “right to be forgotten” provision. Companies will have to comply if an individual requests that their data not be used for any purpose other than to provide the end user with a product or service. Because this new rule impacts how data is used for testing purposes, gone are the days of freewheeling use of anyone’s data for the testing of applications.
Developers and testers take notice – GDPR is watching
It’s time for organizations to take a close look at how their development teams are using sensitive data when testing. A recent survey indicates that most companies are woefully unprepared for GDPR, most not even having a plan in place to begin their complex compliance journeys. Having worked in this industry for many years and specifically with compliance products, I know that having some compliance plan in place is better than having no plan. If a security breach occurs with any of your databases, even those used for testing, you’re going to attract the attention of regulators from all sides of the globe. If your company is taken to task for a breach, it’s better to show that you have a plan and are moving towards compliance, even if you are not yet fully compliant.
Compliance is actually a low bar in terms of data security. Companies need to adopt far stricter controls than what is specified in most compliance regulations. PCI-DSS, for example, is a mandate to get companies to provide stricter controls when processing account data and primarily credit card data. GDPR is slightly different in that it gives more power to the owner of the data, the end user. This regulation will have a far-reaching impact on any global company, regardless of their geographic location. If your organization or company stores EU citizens’ data, then GDPR affects you.
Where to begin
First, don’t wait for your compliance officer to come to you. If they haven’t talked to your team about GDPR, then talk to them about how GDPR may impact your company. Ask these questions:
- Does your company store EU citizens’ data on any database within your company?
- Where is your sensitive data stored? For example, does your company use a third-party provider to store your data and if so, do they have a GDPR plan in place?
The initial challenge with GDPR compliance will be to know where your personally identifiable information (PII) is stored. Most companies have no idea and will need to identify tools that can help them scan their databases for PII, noting whether it belongs to EU citizens.
I believe that GDPR is actually an opportunity for companies to put their “test data” houses in order. The new legislation will pressure companies to know where PII is stored, how many copies exist, and what safeguards are in place to protect it. Test data is an appendage to production data and should be managed as carefully as production data. GDPR can be a catalyst for companies to implement a more thorough test data management solution. Furthermore, taking the proper steps to comply with GDPR is not only an opportunity for your company to further invest in technology, but it also builds trust and loyalty with your customers.