Enterprises around the world are preparing to comply with GDPR, one of the toughest data privacy regulations in the world, when it takes effect on 25 May 2018.
Businesses need to be aware that GDPR applies to companies worldwide, no matter where they are based, if they handle data concerning European citizens.
The definition of data is broad and applies to anything that can be used to identify an individual – meaning hardly any personal data will fall outside GDPR.
Organisations that collect data, or employ third parties to do so on their behalf, will need to demonstrate compliance in how that data is used; if they use it for an unsuitable purpose, they will be made to stop.
GDPR also requires public authorities that are processing personal data to appoint a data protection officer to monitor how it is being used and many businesses will need to do this too.
The regulations will require compulsory PIAs (Privacy Impact Assessments) where there is a high risk of a data breach, and there is also a requirement to report data breaches to the local data protection authority within 72 hours of their discovery.
All software and systems will need to meet stringent audit requirements, which means they must be able to amend and permanently delete data if the data subject requests it.
Finally, data cannot be used for any purpose other than the one for which explicit (not implied) consent was obtained.
Some technology companies, such as Commvault, are helping businesses comply with GDPR regulations.
We spoke to Nigel Tozer, Solutions Marketing Director EMEA for Commvault, about the best approaches to take when dealing with data and how to tackle the requirements of GDPR.
How can enterprises obtain better insight into their data?
It’s really important for your business to profile its data; only then can you understand your data well enough to secure, control and effectively use it to generate value. In addition to uncontrolled data-growth in datacentres, enterprises also typically use a mix of SaaS, third party services and multiple clouds. On top of this you can add data on laptops, which can also be considerable depending on your type of business.
This growth and fragmentation make it even harder to get a handle on data, and for many enterprises, it seems just too difficult to try. While applications are usually well managed, up to 80% of data in a typical enterprise is unstructured and, according to AIIM, this is where organisations accept that the real problem lies.
Profiling unstructured data by content can provide insight into:
- Unsecured personal or sensitive data – clearly important with the rise in cyber-crime and global privacy regulations
- Unnecessary data which consumes resources, such as high-performance storage, cloud billing, back-up/DR systems and people’s time
- Valuable data sources that are currently not known about or under-utilised
The outcome of this process is remediation of these issues through automated policies, role-based workflows, dashboards and on-demand reports. Proactive management in this way is required to work at scale and is essential for data subject requests and in the event of a data breach.
How can better data insight improve their business outcomes?
Insights from data can help to drive out inefficiency and improve customer experience, both of which help to drive up competitiveness and are at the heart of digital transformation. In addition to these benefits, insights from data can also uncover new business opportunities or models, either in your current market or in an adjacent one.
Unfortunately, many (if not most) businesses don’t have good control of their data and typically do all of the following to some degree:
- Collect more data than is needed
- Retain data beyond its useful life or its stated data policy
- Create data copies with little or no control
The notion that all data has value needs to be tempered, as the opposite side of the same coin to value is risk. It’s important to note that value is easier to find if you are in control of your data first.
Take GDPR as an example. Many businesses are viewing it negatively as ‘more red tape’ but if controlling and centralising personal data leads to richer, better managed datasets, it’s actually a win-win outcome. There is less risk for the organisation, the opportunity to make savings from improved efficiency and the potential for new business and increased revenue.
How can enterprises simplify their management of data?
Most companies use many different point products to manage their data for many different reasons: organic growth, M&A activity, management changes, vendor lock-in and new technology choices not supported by existing systems (cloud for example) – all of which drive data management related purchases. Consolidating these data management operations can drastically simplify the management of data in an enterprise and bring about many other benefits.
Multiple back-up products, availability systems tied to infrastructure and separate retention and compliance products all push up management overheads. They also create separate silos which are wasteful and costly. Attempts to gain insights from data, through content search and analytics, can also drive up silo acquisition and further add to complexity.
Consolidating all of these functions by using a single data platform instead of point products allows enterprises to simplify end-to-end data management and gain greater visibility and insight at the same time. It’s important that consolidation carries no infrastructure agenda or future agility could be stifled if you need to shift beyond your current vendor ecosystem – going multi-cloud for example.
In addition to simplifying your entire data landscape, consolidation in this way has a data-reduction impact which can be further multiplied by profiling your data and automating policies based on content.
How can enterprises reduce data privacy risks?
Traditionally, enterprises continually collect data and retain it, assuming it will have some future value. New global privacy and data breach regulations (not just GDPR) mean that personal data/PII now carries a significant risk.
Assessing your current state with respect to privacy with a Data Protection Impact Assessment (DPIA) is a good place to start. However, the answers provided in these reports are not definitive, as some of their output draws on subjective responses from staff. It’s also flawed as a ‘one-off’ exercise. Enterprises will have many new services, planned or going live, plus changes to existing systems that include the use of personal data, all happening on a daily basis. Even before a DPIA style of report is published, it will be out of date.
Technology can certainly help take the uncertainty out of assessing privacy risks and also provide an on-going dashboard instead of a one-off report, but care is needed. Content-based searches don’t all provide the breadth of coverage needed by a modern enterprise. In addition, search technology can help find specifics reasonably easily, but it is less good at finding types of data, known as entities.
With new data-collection possibilities linked to IoT, mobile and processing by machine learning and AI, it’s also very important for enterprises to employ people with the right privacy and governance skills in these areas, too.
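The two answers above draw a line between searching for a specific value and profiling unstructured content for types of personal data (entities), and the earlier answer lists what the profile should surface: unsecured personal data, copies made without control and data retained beyond policy. The script below is an added illustration of that distinction, written for this page and not code from Commvault or the interviewee. The corpus, file paths, ages, permission flags, the 365-day retention threshold and the regular expressions are all invented for the example; a production scanner would use validated detectors and real file metadata.

```python
"""Content profiling of unstructured documents for privacy risk.

Added example: scans a small constructed corpus for *types* of personal data
(entities) rather than one specific value, then flags the control gaps the
interview lists: unsecured personal data, copies made without control and
data retained beyond policy. Not Commvault's code; the corpus, paths and
thresholds below are invented for illustration.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# Entity detectors: a *type* of data, not a particular value.  Patterns are
# deliberately simple and illustrative; production scanners add validation
# (checksums, country formats) to cut false positives.
ENTITY_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"(?<!\w)\+?\d[\d\s\-]{8,}\d(?!\w)"),
    "date_of_birth": re.compile(
        r"\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/(?:19|20)\d{2}\b"),
}


@dataclass(frozen=True)
class Document:
    path: str             # hypothetical path inside the enterprise file estate
    text: str
    age_days: int         # days since last modification
    world_readable: bool  # True if any user on the share can read the file


# Constructed sample corpus (all names, addresses and numbers are made up).
ONBOARDING_TEXT = (
    "New starter: Alice Example, alice@example.com, "
    "DOB 04/07/1990, mobile +44 7700 900123"
)
CORPUS = [
    Document("hr/onboarding-2016.txt", ONBOARDING_TEXT, age_days=600, world_readable=False),
    Document("shared/public/onboarding-copy.txt", ONBOARDING_TEXT, age_days=30, world_readable=True),
    Document("finance/q3-summary.txt",
             "Q3 revenue summary: figures attached. Contact finance@example.com",
             age_days=45, world_readable=False),
    Document("marketing/leads.csv",
             "name,phone\nBob Sample,+1 555 0100 2345\nCarol Sample,020 7946 0123",
             age_days=10, world_readable=True),
]


def find_specific(docs, needle):
    """Plain content search: which files contain this exact value?"""
    needle = needle.lower()
    return sorted(d.path for d in docs if needle in d.text.lower())


def profile_entities(docs):
    """Entity extraction: how many values of each personal-data type per file.

    Files with no detected entities are omitted, so the result doubles as the
    'where does personal data reside' inventory that GDPR work starts from.
    """
    profile = {}
    for d in docs:
        counts = {name: len(p.findall(d.text)) for name, p in ENTITY_PATTERNS.items()}
        counts = {k: v for k, v in counts.items() if v}
        if counts:
            profile[d.path] = counts
    return profile


def find_copies(docs):
    """Group byte-identical documents by content hash (copies made without control)."""
    groups = defaultdict(list)
    for d in docs:
        groups[hashlib.sha256(d.text.encode()).hexdigest()].append(d.path)
    return {h: sorted(paths) for h, paths in groups.items() if len(paths) > 1}


def assess(docs, retention_days):
    """Combine the signals into per-file findings a remediation policy can act on."""
    personal = profile_entities(docs)
    copies = {p for paths in find_copies(docs).values() for p in paths}
    findings = []
    for d in docs:
        if d.path in personal and d.world_readable:
            findings.append((d.path, "unsecured personal data"))
        if d.path in personal and d.age_days > retention_days:
            findings.append((d.path, "personal data retained beyond policy"))
        if d.path in copies:
            findings.append((d.path, "uncontrolled copy"))
    return sorted(findings)


if __name__ == "__main__":
    print("specific search:", find_specific(CORPUS, "alice@example.com"))
    for path, counts in profile_entities(CORPUS).items():
        print(f"{path}: {counts}")
    for path, issue in assess(CORPUS, retention_days=365):
        print(f"FINDING {path}: {issue}")
```

Running it shows why the two approaches differ: `find_specific` only answers "where is this one address", while `profile_entities` answers "which files hold personal data at all, and of what kind", which is what a dashboard or a data subject request needs. The hash-based copy check is the cheapest way to surface the "copies with little or no control" problem; the findings list is the input a policy engine would act on (quarantine, re-permission, delete).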
How would you advise businesses to prepare for the impending arrival of GDPR?
There are many aspects to GDPR but from a data perspective you simply can’t become compliant unless you understand where personal data resides, the sensitivity of that data, who has access and how well it is secured. This is true for both structured and unstructured data, wherever it resides.
For unstructured data, indexing, profiling and creating up-to-date dashboards and subsequent policy automation are a huge help; for search and entity extraction too. For structured data – databases and applications – leveraging recovery systems for dev and test makes these processes auditable and, importantly with such a concentration of personal data, secure. As a side benefit, you can also reduce time-to-market in this way.
GDPR is actually a great opportunity because much of what you need to do for GDPR is aligned to digital transformation. Both centre around customer data and effective control of data will produce richer information for your business. Customer trust is also a huge issue for the modern enterprise, so embracing GDPR in spirit, as well as to the letter, will go a long way to bridging the gap. Enterprises that fail to grasp the importance of understanding their data will be more likely to be affected by data breaches and are also less likely to be successful with digital transformation programmes.
Lastly, if you do invest in technology to help with GDPR, make sure it also brings other efficiencies and benefits beyond helping with compliance.