Four strategies to avoid GDPR noncompliance pitfalls
Much has been written about the General Data Protection Regulation (GDPR), its fast-approaching enforcement date of 25 May 2018, and the significant fines organizations face for non-compliance (up to €20 million or 4% of annual worldwide turnover, whichever is higher). The GDPR is a broad regulation that governs how organizations collect, control, and process personal data. Its purpose is to protect the rights of the individuals whose data powers our global economy.
Until recently, many organizations assumed the GDPR applied only to EU-based businesses. In fact it applies to any organization, inside or outside the European Union (EU), that offers goods or services to people in the EU or monitors their behaviour there, regardless of where the organization itself is established. If you conduct business in the EU and collect personal data about people there, you must comply.
A recent report, however, found that an overwhelming majority of US organizations are unprepared for the deadline. As organizations rush to ensure compliance, here are four strategies to help avoid common GDPR pitfalls.
Make an Inventory of Business Processes
Understanding how personal data moves across and beyond your organization is central to the GDPR; Article 30 in particular requires controllers and processors to keep records of their processing activities, including the purposes of processing, the categories of data and data subjects, the recipients, and, where possible, retention periods and security measures. In preparing for compliance, require each business unit to identify its business activities and the data processes that support them. Questionnaires, business process discovery sessions, and process mapping are all crucial in building a comprehensive inventory of data processes. The inventory also lets the organization evaluate the risk of each process so it can be addressed appropriately.
Avoid a “bottom-up” approach that begins with data discovery, data scanning, and data ingestion. Those techniques will tell you where data sits, but not what regulators actually ask for: why it is processed, on what legal basis, who is accountable for it, and how long it is kept. Treat discovery output as a cross-check against the process inventory, not as a substitute for it.
Encryption Can’t Be the Only Solution
Encryption is a valuable tool, and the GDPR itself names it (alongside pseudonymisation) as an example of an appropriate technical measure, but it is not a complete solution for protecting personal data. Encryption only keeps data away from parties who lack the keys; anyone authorized to decrypt sees everything in the clear. On its own it does nothing to decide who should have that access, to limit what each user can see to what their job requires, or to address purpose limitation, data minimisation and retention. Those are access-control and governance questions, and they have to be answered alongside the encryption, not replaced by it.
Account for Shadow Systems
More than 80% of IT professionals surveyed say that their organization has at least one shadow system: an application, spreadsheet or cloud service adopted by a business unit without IT’s knowledge or oversight. Such systems typically have weaker controls over who can access sensitive personal data, leaving the organization exposed and its process inventory incomplete. Take the time now to account for them: meet with users across the business to learn what tools they actually use, and cross-check what they tell you against expense records and the applications that show up in your network and identity logs.
Invest in Employees to Bridge the GDPR Talent Chasm
Few resumes today come stacked with GDPR expertise, so the most productive approach is to invest in current employees, who already know the business and its data. Create a program that helps them understand the GDPR and how it affects their roles, and train business users to recognize GDPR-relevant data flows. Teaching them the “privacy by design” philosophy (what the regulation calls data protection by design and by default) and equipping them to identify appropriate data flows is worth the effort.
The GDPR has raised the stakes around data protection and data privacy, and navigating its requirements is no small feat. A data governance platform can ease the burden of compliance by providing a framework for the policies, controls, and workflows needed to document data and its lineage. It can also help enforce the policies surrounding that data and define the roles and responsibilities of everyone who touches it, all of which regulators will expect to see documented.