You won’t have missed the fact that the General Data Protection Regulation (GDPR) has now come into force. With strict penalties for non-compliance and many businesses still attempting to understand the implications of the new regulation, two industry experts have offered their advice on what it all means.
Tamzin Evershed, Senior Director and Global Privacy Lead at Veritas
With the deadline for GDPR compliance finally here, businesses must be able to demonstrate that they are managing and protecting personal data in a compliant way and be able to meet requests from individuals exercising their new and improved rights over their personal data. According to our latest research, two in five (40%) UK consumers are already planning to take advantage of their data protection rights within the next six months, yet the majority (79%) don’t believe that organisations will be able to find and/or delete all of the personal data that is held on them.
Under the new laws, requests from individuals to exercise their rights over their personal data must be answered within one month. Companies that have failed to prepare properly will face difficulty meeting this time-frame. To have a chance of meeting the timelines for data subjects’ requests, businesses have no real choice but to embrace technology that helps them to locate personal data quickly and accurately across different platforms, search through it and manage execution.
Very few businesses have full insight into all the data they hold and so employing tools that can help them locate and manage it is critical. Businesses that fail to recognise the importance of responding effectively and efficiently to data subjects’ requests will be putting their brand loyalty, reputation and profits at stake. Failure to meet a data subject’s request is a breach of the law that is obvious to the requester and is therefore much more likely to lead to complaints to the Information Commissioner, court action and negative publicity.
Marcin Grabinski, EMEA Technical Solution Specialist, Compuware
Many companies remain either unprepared or, more worryingly, unbothered by the consequences of non-compliance with GDPR. The reality is that soon after the legislation comes into force, we’ll see an industry giant slapped with a major fine, serving as a wake-up call for millions of businesses that GDPR compliance is non-negotiable.
One of the main problems we’re seeing is that many organisations are simply unaware of how certain activities will leave them in breach of the regulation. For example, using live customer data to test new applications is commonplace, allowing businesses to understand how a digital service will perform once it goes live. However, problems arise when the crucial practice of masking customers’ personal details is overlooked, rendering companies non-compliant with GDPR unless they’ve asked for explicit consent to use their data in testing environments.
Additionally, businesses faced with customer requests to erase their data under the new ‘right to be forgotten’ rule risk non-compliance even if they think they’ve deleted the relevant data, due to a lack of understanding of how customer data is siloed on the mainframe. The complexities of navigating the mainframe environment mean that it is very possible that traces of customer details will remain in long-forgotten databases despite efforts to delete them, especially when data has been accrued over many years.
Organisations must improve their data governance capabilities to avoid falling foul of GDPR – especially on the mainframe, as that is where most customer data resides.
That might seem like a burden, but in addition to supporting compliance with GDPR, modernised approaches can help businesses to better handle and understand data collection and management, leaving IT teams free to concentrate on keeping pace with business innovation, creating a win-win scenario for both organisations and their customers.
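The masking step Grabinski says is so often overlooked can be made a fixed part of the test-data pipeline rather than an afterthought. The following is an added illustration, not code from this article or from Compuware or Veritas, of one common approach: keyed, deterministic pseudonymisation of the fields that identify a person, with linking keys pseudonymised consistently so joins between tables still work in the test environment, plus a check that no original identifier survives in the output. The table layout, field names, sample values and the choice of HMAC-SHA256 are all assumptions made for the example; the secret would be held in the production-side extraction job, never in the test environment.

```python
import hashlib
import hmac

# Constructed sample extract, standing in for rows pulled from production
# into a test environment. Every value here is invented for the example.
SAMPLE_CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 7700 900123", "balance": 120.50},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@example.org",
     "phone": "+44 7700 900456", "balance": -30.00},
]
SAMPLE_ORDERS = [
    {"order_id": "O1", "customer_id": "C1001", "amount": 20.00},
    {"order_id": "O2", "customer_id": "C1002", "amount": 15.00},
    {"order_id": "O3", "customer_id": "C1001", "amount": 100.50},
]

# Assumed classification of the schema: fields that identify a person must
# never reach the test environment in the clear; link keys are pseudonymised
# consistently across tables so referential integrity survives masking.
DIRECT_IDENTIFIERS = {"name", "email", "phone"}
LINK_KEYS = {"customer_id"}


def pseudonym(secret: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to hex chars).

    Same secret + field + value always gives the same output, so the same
    customer maps to the same token in every table; without the secret the
    token cannot be reversed or regenerated. The field name is mixed in so
    equal values in different columns do not share a token.
    """
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:length]


def mask_record(secret: bytes, record: dict) -> dict:
    """Return a copy of one row with identifying fields replaced."""
    out = {}
    for field, value in record.items():
        if field in LINK_KEYS:
            # Keep keys obviously synthetic (prefix K) but stable across tables.
            out[field] = "K" + pseudonym(secret, field, str(value))
        elif field == "email":
            # Preserve the shape of an e-mail address so validation in the
            # application under test still passes; .invalid is reserved and
            # can never route mail.
            out[field] = pseudonym(secret, field, str(value)) + "@masked.invalid"
        elif field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(secret, field, str(value))
        else:
            # Non-identifying values (amounts, dates, flags) are kept so the
            # test data remains realistic.
            out[field] = value
    return out


def mask_dataset(secret: bytes, tables: dict) -> dict:
    """Mask every table in a {table_name: [rows]} extract."""
    return {name: [mask_record(secret, row) for row in rows]
            for name, rows in tables.items()}


def leaked_identifiers(masked: dict, original: dict) -> list:
    """Post-condition check: list any original identifier value that still
    appears anywhere in the masked output. An empty list means the extract
    is safe to ship to the test environment."""
    sensitive = DIRECT_IDENTIFIERS | LINK_KEYS
    originals = {str(row[f]) for rows in original.values()
                 for row in rows for f in row if f in sensitive}
    blob = " ".join(str(v) for rows in masked.values()
                    for row in rows for v in row.values())
    return sorted(v for v in originals if v in blob)


if __name__ == "__main__":
    key = b"constructed-example-secret"  # assumed; in practice from a secrets store
    extract = {"customers": SAMPLE_CUSTOMERS, "orders": SAMPLE_ORDERS}
    masked = mask_dataset(key, extract)
    for table, rows in masked.items():
        for row in rows:
            print(table, row)
    print("leaked identifiers:", leaked_identifiers(masked, extract))
```

Because the pseudonym is keyed rather than a plain hash, a tester who knows a customer's e-mail address cannot recompute the token to find that customer's rows, and rotating the secret for each refresh prevents tokens from one extract being correlated with the next.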