Does your organization collect or process personal data on residents of the European Union? If so, you will be required to comply with the European Union General Data Protection Regulation (GDPR), which will require companies to dramatically change the way they collect, access, use, store, and transfer personal data.
For companies that haven’t started preparing for GDPR, the clock is ticking – the deadline for compliance is 25 May 2018!
Are You Prepared to Meet the Requirements of the GDPR?
The GDPR is complex – 88 pages of legalese (download the PDF). It’s a common belief that GDPR is a European Union issue and does not affect companies based in countries outside of the EU. That is simply not true – GDPR affects companies that process EU citizens’ data, regardless of where they’re based. And the penalties for failure to comply can be severe.
Finding a Compliance Solution
Many companies, such as government, risk, and compliance consultancies, offer a one-stop solution to compliance with the GDPR. However, not all of those companies are qualified to offer solutions to all types of businesses. GDPR is complicated, and its ramifications vary depending on the company’s business, industry sector, size, and other factors. Also, no one company has all the pieces of the puzzle, so you need to look for a company that offers a partner-coordinated approach.
GDPR is first and foremost a legal compliance issue dealing with data privacy, and the solution should not start with technology. It’s important to find a company that has built its business around the principles of data privacy and that also has a strong ethos of partnership. Such a company can bring businesses and vendors together to address the requirements of GDPR, from beginning to end. A good question to ask is, “Do you have Binding Corporate Rules [1] in place?” BCRs are the EU gold standard for data privacy, so the answer to this question gives you a good starting place.
A recent study commissioned by NetApp revealed that 73% of European CIOs and IT managers are concerned about meeting the GDPR deadline — and 9% indicated that they still don’t know what GDPR is. Furthermore, only 37% of respondents have invested extra funds in data regulation compliance.
Regarding the UK and Brexit, there are still many unknowns. However, Karen Bradley, MP (the UK government minister for Culture, Media and Sport) confirmed in November of 2016 that the UK will opt in to the GDPR. No one knows what will happen when the UK finally leaves the EU, but the pundits suggest that at least certain aspects of GDPR are likely to remain in force.
It’s Not Too Soon to Get Started
When viewed as a single entity, the EU is the world’s second largest economy, so it’s unlikely that many midsized to large companies are going to choose not to do business there. So how should your business take on the challenge of GDPR? First, you need to know exactly what data you have, the potential risks to your data, your vulnerabilities, and where you could be held liable. It’s also important to understand the term personal data, which lies at the heart of the GDPR. According to the European Commission, “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Once you’ve established the extent of the risk of exposure for personal data processed by your business, the next task is probably the most difficult: to find where all your data lives and then to classify that information. This is where technology is essential, particularly regarding the right to be forgotten, a key aspect of GDPR. When all of this information is in place, you’re ready to focus on how to maintain data protection to remain compliant. Ongoing data management plays a key role in maintaining control and visibility of your data, where it’s stored, and who has access to it.
Using an interconnected Data Fabric approach, your data can be controlled, managed, and moved, regardless of where it’s stored – on premises or in the cloud. This approach gives you complete control over your data, and it also prevents restrictions associated with being locked into a particular cloud provider, technology, or strategy, if your business or compliance needs change over time.
Another key tenet of the GDPR is the right to data portability, which allows EU citizens to obtain and reuse their personal data for their own purposes across different services – almost like having your own portable IP, which you control. Again, this is something that a Data Fabric approach can help with.
Data security is also important. People often confuse security with privacy. They are not identical – although they are of course interlinked. In essence, security is the fortress that you put around the data once you have defined your privacy policies. Things like encryption, firewalls, and antivirus and cybersecurity software are useful tools in helping to prevent data breaches and to maintain the ongoing security and protection of your data.
Another aspect of GDPR is that companies can no longer hold data on individual EU citizens for longer than necessary, which means that data needs to be deleted. To facilitate timely deletion, look for data management software that includes policies that can be set up to automatically delete personal data from all locations, which increasingly includes data stored in the cloud. It’s vitally important for businesses to be able to present clear documentary evidence to the regulator to prove that all data pertaining to the EU citizen in question has been deleted.
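Added illustration, not code from the original post or from any NetApp product: a small retention and erasure routine covering the timely deletion described here and the right-to-be-forgotten requests mentioned earlier, which removes a subject from every location that holds a copy and writes a hash-chained audit entry as evidence of deletion. Store names, subject ids and retention periods are constructed for the example.

```python
import hashlib
import json
from datetime import date, timedelta

# Retention period per processing purpose; constructed values, not legal advice.
RETENTION_DAYS = {"marketing": 365, "billing": 2555, "support": 730}

def sample_stores():
    """Constructed copies of subject data in an on-premises system and a cloud backup."""
    return {
        "onprem-crm": {
            "u1": {"purpose": "marketing", "collected": "2016-01-10"},
            "u2": {"purpose": "billing", "collected": "2016-09-01"},
        },
        "cloud-backup": {
            "u1": {"purpose": "marketing", "collected": "2016-01-10"},
            "u3": {"purpose": "support", "collected": "2017-03-01"},
        },
    }

def expired(record, today):
    """True once the record has outlived the retention period for its purpose."""
    limit = timedelta(days=RETENTION_DAYS[record["purpose"]])
    return date.fromisoformat(record["collected"]) + limit < today

def erase_subject(stores, subject_id, reason, today_iso, audit):
    """Delete every copy of one subject's data and append evidence to the audit chain."""
    locations = [name for name, recs in stores.items() if subject_id in recs]
    for name in locations:
        del stores[name][subject_id]
    prev = audit[-1]["hash"] if audit else "0" * 64
    entry = {"subject": subject_id, "reason": reason, "date": today_iso,
             "locations": locations, "prev": prev}
    # Hash-chain the entry so a later edit to any earlier record is detectable.
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    audit.append(entry)
    return locations

def enforce_retention(stores, today_iso, audit):
    """Sweep every location and erase subjects whose data has expired anywhere."""
    today = date.fromisoformat(today_iso)
    due = {sid for recs in stores.values() for sid, r in recs.items() if expired(r, today)}
    return {sid: erase_subject(stores, sid, "retention-expired", today_iso, audit) for sid in sorted(due)}

def still_present(stores, subject_id):
    """Evidence check for the regulator: any location still holding the subject."""
    return [name for name, recs in stores.items() if subject_id in recs]
```

The audit list is what you would hand to a regulator: each entry names the locations wiped, and the chained hashes show the record has not been altered since.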
GDPR is only a year away, and therefore the sensible approach is for businesses to work toward it rather than fighting it. Start with understanding the regulation from a legal compliance point of view, to determine your level of liability. Once this is clear, then look to how technology can help, both in finding what data you have and in managing that data and maintaining compliance over the years to come.
[1] Binding Corporate Rules (BCRs) were developed by the European Union Article 29 Working Party to allow multinational corporations, international organizations, and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law.