Companies may be fooling themselves that they are GDPR compliant


Three months have passed since the European Union’s General Data Protection Regulation went into effect, and many enterprises that scrambled to put a minimally GDPR-compliant set of privacy policies in place are now lulling themselves into complacency.

A closer look at the steps taken by many of these companies reveals a GDPR strategy that is only skin deep and fails to identify, monitor or delete all of the Personally Identifiable Information (PII) data they have stored. Such a shallow approach carries real risk: these businesses may be oblivious to much of the PII data they hold and would struggle to find and delete it if a data subject asked them to. They would also be unable to tell the supervisory authority which data was implicated in a breach within the 72 hours of becoming aware of it that the GDPR allows for notification.

To address these risks, companies need a holistic strategy to manage their data—one that automates the process of profiling, indexing, discovering, monitoring, moving and deleting all of their data as necessary, even if it’s unstructured or perceived to be low-risk. This will significantly reduce their GDPR and other regulatory compliance risks, while simultaneously allowing them to make greater use of the data in ways that create business value.

Unstructured data
Unstructured data is a good example of how an inadequate GDPR compliance strategy exposes an enterprise to noncompliance risk. Per Gartner, upwards of 80 percent of the data enterprises store today is unstructured, and companies often make the mistake of assuming that, because it is unstructured, it is low-risk. In fact, this data often includes highly sensitive health and financial information, religious beliefs, political and trade union affiliations, sexual orientation, personal photos and videos. All of it is personal data under the GDPR, and much of it falls into the special categories the regulation protects most strictly.

By profiling and indexing this data alongside its structured data, an enterprise can ensure that all of its PII data is identified and securely stored, which in turn lets it manage its GDPR risk exposure. In practice that means scanning every file share, mailbox and document repository with detection rules for the kinds of personal data the business handles, and recording what was found where, so that a data subject's identifier can be traced to every copy.

But identifying this data is just the start. Companies also need data management capabilities that allow them to quickly, easily and automatically monitor, move and delete their data. In terms of GDPR compliance, this allows them to:

  • Inform the supervisory authority of any unauthorized data access and the extent of the breach within the GDPR's 72-hour notification period, which presupposes knowing which personal data sat on the affected systems;
  • Meet the GDPR's restrictions on transferring personal data outside the EU/EEA, which requires knowing where every copy of that data is geographically located;
  • Delete unused or unnecessary PII data, both to honor "right to be forgotten" (erasure) requests and to reduce overall GDPR exposure.
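The profiling, indexing, breach-triage and erasure steps described above, reduced to a small working scanner. This is an added example written for this article, not code from any product the article refers to: the three files and every name, address and number in them are constructed, and the detection rules (e-mail address, international phone number, IBAN-shaped account number) are deliberately simple regular expressions chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample corpus standing in for "unstructured" files on a share:
# a support mailbox export, an internal planning note and an ordinary document.
# Every name, address and number below is made up for this example.
SAMPLE_FILES: Dict[str, str] = {
    "mail/2018-06-01-support.txt": (
        "From: anna.lind@example.org\nSubject: refund\n"
        "Please refund to IBAN SE35 5000 0000 0549 1000 0003, or call +46 70 123 45 67."
    ),
    "notes/team-offsite.md": (
        "# Offsite planning\nCatering contact: Anna (anna.lind@example.org).\n"
        "Venue asked us to confirm by phone: +46 70 123 45 67."
    ),
    "docs/style-guide.txt": "Use sentence case in headings. Avoid passive voice.",
}

# Detection rules for the three kinds of personal data this example recognises.
# A production scanner carries many more (national IDs, card numbers, dates of
# birth, names via NLP) and validates hits, e.g. the IBAN mod-97 check.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){3,5}"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
}

def normalize(kind: str, raw: str) -> str:
    """Canonical key, so 'SE35 5000 ...' and 'SE355000...' index to the same datum."""
    return raw.lower() if kind == "email" else re.sub(r"[ -]", "", raw)

def classify(value: str) -> str:
    """Which rule an identifier quoted in an erasure request belongs to."""
    for kind, pattern in PII_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    raise ValueError(f"not a recognised identifier: {value!r}")

@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    raw: str  # text exactly as it appears in the file, needed for redaction
    key: str  # normalized value used as the index key

def profile_file(path: str, text: str) -> List[Finding]:
    """Scan one file and return every hit together with the rule that fired."""
    return [
        Finding(path, kind, m.group(0), normalize(kind, m.group(0)))
        for kind, pattern in PII_PATTERNS.items()
        for m in pattern.finditer(text)
    ]

def profile_corpus(files: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Per-file profile: how many hits of each kind, {} for files with none."""
    summary = {}
    for path, text in files.items():
        counts: Dict[str, int] = defaultdict(int)
        for f in profile_file(path, text):
            counts[f.kind] += 1
        summary[path] = dict(counts)
    return summary

def build_index(files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Inverted index: normalized identifier -> set of files that contain it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for path, text in files.items():
        for f in profile_file(path, text):
            index[f.key].add(path)
    return dict(index)

def exposed_identifiers(index: Dict[str, Set[str]], breached: List[str]) -> Set[str]:
    """Breach triage: which identifiers sat in the files an attacker reached."""
    hit = set(breached)
    return {key for key, paths in index.items() if paths & hit}

def erase_subject(files: Dict[str, str], index: Dict[str, Set[str]],
                  identifier: str) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Erasure request keyed on one identifier: redact it in every file the
    index points at (files is updated in place), then rebuild the index."""
    key = normalize(classify(identifier), identifier)
    touched = sorted(index.get(key, set()))
    for path in touched:
        text = files[path]
        for f in profile_file(path, text):
            if f.key == key:
                text = text.replace(f.raw, "[REDACTED]")
        files[path] = text
    return touched, build_index(files)

if __name__ == "__main__":
    corpus = dict(SAMPLE_FILES)
    for path, counts in profile_corpus(corpus).items():
        print(f"{path}: {counts or 'no personal data found'}")
    idx = build_index(corpus)
    print("exposed by a leak of notes/:", exposed_identifiers(idx, ["notes/team-offsite.md"]))
    touched, idx = erase_subject(corpus, idx, "anna.lind@example.org")
    print("erasure touched:", touched, "| remaining keys:", sorted(idx))
```

The point the profile makes is the one the article makes: the "low-risk" planning note carries the same e-mail address and phone number as the support mailbox, and only the index reveals that an erasure request or a breach of that note involves the same person. Two caveats a practitioner would add: regular expressions both miss personal data (names, free-text health details, anything inside PDFs, images or archives) and produce false positives, so real scanners validate hits and are tuned per locale; and redacting the live copy does nothing for backups, replicas and exports, which must be tracked in the same index or the erasure is incomplete.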

Holistic data management goes beyond GDPR compliance and delivers other important business benefits. More efficient data culling, for example, can significantly reduce on-premises and cloud storage requirements. It can also limit the amount of time employees waste managing data of little or no consequence. On the flip side, identifying and indexing an organization's most valuable data is a prerequisite for data analytics and other strategic IT initiatives. In an increasingly data-driven environment, using data more efficiently is often the key to gaining competitive advantage.

Though most enterprises succeeded at putting themselves in a defensible position by the GDPR start date, it would be a mistake for them to limit their efforts to these superficial strategies moving forward. Holistic data management capabilities, including the ability to manage unstructured data and comprehensively index data throughout the enterprise, will not only support GDPR compliance but also help companies thrive in the new digital economy.
