May 25, 2018, will be a red-letter day for data compliance regulation in the European Union. No law like this has ever been formulated where noncompliance leads to such massive penalties. Any company or organization that offers goods and services to people in the EU, or that collects and analyzes data tied to EU citizens, will fall under the purview of the GDPR, no matter where that company is located.
In a nutshell, GDPR regulation will ensure:
- Elevated personal privacy rights - Increased data protection for EU residents, ensuring they have the right to access their personal data, to correct inaccuracies in that data, to erase that data, and to object to the processing of their personal data.
- Enhanced responsibility for protecting data - A higher level of accountability for companies and public organizations that process personal data, providing increased clarity of responsibility in ensuring compliance.
- Mandatory data breach reporting - Companies must report personal data breaches to the appropriate authorities without undue delay, generally no later than 72 hours.
- Steep penalties for non-compliance - Penalties, including substantial fines, apply whether an organization has intentionally or inadvertently failed to comply. These could reach €20 million or 4% of global sales – whichever is greater – which could effectively put a company out of business.
If your organization will be bound by GDPR regulations, you surely have your work cut out for you.
Yet, according to a Gartner report, “by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.”
Here are a few things organizations can do to weather the May 25th GDPR storm.
1. Realization of the Problem
To deal with the challenge, we must first understand and appreciate the enormity of the problem. Many organizations are not strategically aligned with the GDPR regime that will be rolled out on May 25th, 2018. This means senior management and key stakeholders have not yet pressed the panic button, which could be a disaster in the making. An organizational mandate right from the top is the key and the first step of your GDPR journey. Complying with all regulations will mean:
- Enhanced investment in your IT infrastructure and cybersecurity protection systems.
- Renegotiating contracts with all third-party partners who handle your customer data.
- Re-structuring your business process.
These are significant decisions, and unless backed by senior management they cannot succeed. Data protection must become a board-level discussion, and compliance should be seen as a strategic investment.
2. A Crack Team to Formulate the GDPR-Compliant Strategy
A strategy that looks at the problem holistically is the key to delivering GDPR solutions. Problems get compounded when your company operates in multiple geographical areas. Hire or engage the best consultants to guide you through your journey; they will have the end-to-end view. Piecemeal initiatives could lead to false starts and misplaced priorities.
3. Process and Technology - How to Handle GDPR Sensitive Data
Getting ready for the GDPR is a complicated process, requiring outside advice and the help of your subject matter experts. While it is a daunting task, a GDPR readiness project will help you take a closer look at what data you hold and how you deal with that data and information. Document what personal data you hold, where it came from, and who you share it with. By improving your business processes to protect personal data, you protect both your customers’ information and your own.
Data has to be secured across the entire lifecycle of the value chain to ensure there are no loose ends for a potential breach.
Figure 1: Ensure Compliance Across the Data Life Cycle
Collection, consumption, and sharing of data at all stages should adhere to new data governance policies responsible for GDPR compliance.
It used to be that data security was confined to the on-premises world, but with mobility and the cloud, customers and employees now have more business interactions with all kinds of apps and devices. In these new ways of doing business, managing your perimeter does not guarantee the protection of your data as it travels outside organizational boundaries. Hence, in this mobile-first and cloud-first world, your strategy must ensure protective measures are taken when data moves to mobile and cloud apps.
4. Data for Your IT Requirements (Testing, Training)
While securing your production data is the highest priority, a sound strategy is also required to ensure that data released to non-production systems (for training, testing, etc.) is adequately protected.
The strategy to adopt here should be:
- Consent: To steer clear of legal hurdles, always ensure that customer data making its way to your non-production systems has been sanctioned by your data protection officer with respect to the consent requirements. Consent to the use of data is a very important clause in the GDPR, and it can be severely compromised when data is shared with test systems. Ensure this is taken care of upfront.
- Data Masking
Figure 2: Masking your non-production data
As per your inventory of data, mask all sensitive fields irreversibly and persistently, ensuring there is no breach.
- Synthetic Data
Figure 3: Synthetic Data Generation
The GDPR will unleash a new set of rules and processes for how data is used in your lower environments. Increasingly, there will be challenges in getting approval to push production data to non-production systems, so synthetic data generation techniques can be applied to mitigate this risk. Techniques that create business-grade data for testing and training teams will greatly help organizations deal with the data conundrum in lower environments.
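The following is an added illustration, not code from the original post, of the two non-production approaches above: masking sensitive fields irreversibly and persistently (a keyed one-way token, so the same production value always maps to the same masked value and joins between tables survive, while the mapping cannot be reversed without the key), and generating synthetic records of the same shape from a seeded generator. The field names, the records and the key are constructed samples.

```python
import hashlib
import hmac
import random

# Fields flagged as personal data in the (assumed) data inventory
SENSITIVE_FIELDS = ("customer_id", "email", "phone")

# Constructed sample production records; no real people
PRODUCTION_ROWS = [
    {"customer_id": "C-1001", "email": "anna.k@example.com", "phone": "+49301234567", "order_total": 120.50},
    {"customer_id": "C-1002", "email": "bo.lee@example.org", "phone": "+3319876543", "order_total": 42.00},
    {"customer_id": "C-1001", "email": "anna.k@example.com", "phone": "+49301234567", "order_total": 9.99},
]


def mask_token(value: str, secret: bytes, length: int = 16) -> str:
    """Keyed one-way token: HMAC-SHA256 of the value, truncated to `length` hex chars.
    Same value + same key -> same token (persistent), so relationships between masked
    tables still hold; without the key the token can neither be reversed nor confirmed
    by hashing candidate values. The key stays in production, never in the test system."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_row(row: dict, secret: bytes) -> dict:
    """Return a copy of `row` with every sensitive field replaced by a shape-preserving token."""
    masked = dict(row)
    for field in SENSITIVE_FIELDS:
        if field not in masked:
            continue
        token = mask_token(str(masked[field]), secret)
        if field == "email":
            masked[field] = f"{token}@masked.invalid"  # still parses as an email address
        elif field == "phone":
            masked[field] = "+00" + str(int(token, 16) % 10**9).zfill(9)  # still looks like a phone number
        else:
            masked[field] = f"M-{token}"
    return masked  # non-personal fields such as order_total are left untouched


def synthetic_rows(n: int, seed: int) -> list:
    """Synthetic records with a realistic shape but no link to any real record; the seed
    makes the data set reproducible across test runs."""
    rng = random.Random(seed)
    return [
        {
            "customer_id": f"S-{i:04d}",
            "email": f"user{i}@synthetic.invalid",
            "phone": "+00" + "".join(str(rng.randrange(10)) for _ in range(9)),
            "order_total": round(rng.uniform(5, 500), 2),
        }
        for i in range(n)
    ]
```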
You can be GDPR compliant through a combination of people, processes, and technology. In an application economy, regulations can only help in maintaining minimum standards; the onus is on companies to do their due diligence to protect their most critical asset, their customer information.