While there is common awareness that the General Data Protection Regulation (GDPR) enacted by the European Union will come into effect in May 2018, and that it will impact any entity globally that engages with the Personally Identifiable Information (PII) of an EU citizen, its challenges and benefits are not necessarily fully understood. The regulation has implications both in information management and security in terms of how organizations are managing, using and sharing customer data.
There has already been much discussion about the financial ramifications of GDPR non-compliance (e.g., fines up to the higher of 20 million Euros or 4 percent of the previous year’s worldwide turnover for a corporate group), but there has been little focus on the potential opportunities for organizations that get ahead of compliance. These benefits can include greater credibility with customers, increased operational efficiency, accelerated product development and protected brand reputation.
Records management is one area in particular where the benefits of moving quickly on GDPR compliance have already led to greater efficiencies and reduced costs. We have seen several examples of this from leading European corporations:
• The need to identify, move or delete PII at speed has caused a UK Insurer to embark on a wholesale draining of its data lake – removing redundant, obsolete, trivial and duplicated data – which has resulted in significant ROI from reduced storage costs.
• The requirement that PII be masked or encrypted to safeguard the interest of both customers and employees is seen by a global energy company as an accelerator of Mergers and Acquisitions activity, since this task is always an inhibitor for deal execution.
• Compulsory GDPR anonymization of data has been incorporated by a multi-national oil company into its mass migration of data from on-premises systems to the cloud, heightening the credibility of cloud-managed information.
• A European media group is regarding the security standards of GDPR as a means of accelerating the ability to mine sensitive PII for the creation of new products and services leading to additional revenue streams.
The ability to identify both means of compliance and added value from data management requires an efficient sequence of actions.
First, it is critical to create awareness both at the senior executive level and amongst the variety of internal professionals who need to be engaged, including Legal, Compliance, Risk, IT, Audit and Security.
Second, it is prudent to obtain a legal opinion either from internal or external counsel on the deliverables required by the GDPR. The regulations have a number of detailed stipulations, so it is important to engage with experts that truly understand the criteria for compliance.
Third, an organization can identify the “functionalities” required. For example, the “right to be forgotten” implies the need to have access to all data, in any format and language, wherever it exists in the company’s IT architecture. Then companies need to be able to find the PII, classify it, and apply rules to it.
A risk assessment is essential to identify the exposure entailed by non-compliance, as is an assessment of the advantages. In this respect, corporate leaders should be evaluating the capability of existing technology and processes, as well as upgrades that may be required.
From this gap analysis, one can then prioritize the steps needed over time for implementation of additional IT capabilities. Organizations should begin assessing now what the potential upside and business-assisting opportunities are, as well as the more obvious driver of maintaining compliance to avoid potential fines.
(About the author: David Kemp is a specialist business consultant, HPE Information Management & Governance, at Hewlett Packard Enterprise)