Getting started with GDPR compliance efforts
With a rapidly changing regulatory environment driven by privacy concerns from major data breaches and a more scrutinizing focus on data protection, the EU’s General Data Protection Regulation (GDPR) has become front and center for the enterprise. While most attention has focused on the regulation as written, one question remains: what, in practice, are the implications of GDPR, and how will it be enforced?
Despite the GDPR being less than a year away, there’s still a lot of uncertainty over how it will take effect, and how far organizations will have to go to ensure compliance. The requirements contain a degree of ambiguity that can be difficult to interpret, which means there is a whole spectrum of how companies could potentially react to it. How far do organizations truly have to go to avoid sanctions? Will a small mistake actually result in a 20 million EUR fine?
Of the companies I’ve spoken with, some believe that their present data protection initiatives will pave the way for GDPR compliance, while others are scrambling to put more formidable policies and solutions in place. And yet still more are waiting to see how the rest of the world reacts before making any major moves.
Amidst a number of other requirements, at the regulation’s core is the right to be forgotten, which manifests itself in the form of subject requests. A customer or employee has the right to request their personal data be deleted—or in other cases produced, amended, or relocated.
To what degree organizations must actually fulfill such requests is yet to be seen, and will likely depend on the function of that data and the degree of disruption its deletion would cause. That said, if we’ve learned anything from similar regulations and the e-Discovery world in the past, a reasonable justification for not complying may pass muster if there is good cause, but the inability to respond at all is likely to be met with severe repercussions.
“We can’t provide the data because…” may be just fine but “We can’t provide the data [PERIOD]” will result in, well, a substantial fine or sanction.
What really hits home for many data privacy stakeholders are not the regulation’s subtle nuances, but rather the price tag it carries of up to 20 million EUR or 4 percent of annual turnover. While this is certainly enough to drive market interest in a “GDPR solution,” the reality is that there is no magic bullet; the regulation is purposefully written to preclude a check-the-box approach. Instead, organizations will benefit from a multifaceted approach that addresses and enables the people, processes, and technologies that are imperative to data privacy.
So, where to begin?
The Final Frontier of Data Management
The organizations that have a strong grasp on the regulation are focusing initial efforts on their highest risk areas. For many companies, this comprises file shares, SharePoint, and other employee-created data. The reasons for this have a lot to do with the historical regulatory and legal emphasis on structured data.
Organizations in regulated spaces typically already have processes in place for managing structured data, because it’s been required for the past couple decades. Treating GDPR as something “brand new” across all data stores is simply a false premise; data protection laws have been in place since 1995.
What has changed is the scope of the responsibility, which isn’t just across structured systems (think HR systems, SAP, etc.) but across everything. That is the game changer, particularly as unstructured data has grown and continues to do so at an unprecedented and alarming rate – and is still largely ungoverned!
So coming back to “Where do we start?”
Some organizations are, however, moving forward with initiatives to tame this wild west of unmanaged data, using a combination of in-place analysis and information governance. Initiatives often begin with:
- Indexing file repositories
- Classification of data based on metadata and content
- Defensible deletion of old and unneeded files
- Access restrictions for sensitive documents
- Application of ongoing remediation policies and retention management
The ability to classify PII, employee data, business records, sensitive legal documents, and other important data lies at the heart of this process. This can only be done if you truly understand what you have, which most organizations do not. However, organizations that are able to shed light on these repositories can minimize exposure to the GDPR in a few different ways.
First, understanding where personal data is stored and indexing it enables an organization to more efficiently search for it and remediate it in the event of a subject access request.
Second, by deleting unnecessary data, organizations can reduce the amount of personal data they’re responsible for.
Finally, keeping this unstructured data continuously managed through ongoing information governance is a critical last step.
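The five initiatives listed above (index, classify on metadata and content, defensible deletion, access restriction, ongoing remediation) can be prototyped as a single in-place scan over a file share. The script below is an added example, not code from the original article or any product it alludes to. It walks a repository, records size, age and the POSIX world-read bit for each file, labels files from filename hints and from a content sample (an email and a phone pattern, both constructed and deliberately simple), flags files older than an assumed seven-year retention threshold as deletion candidates, and flags files that carry personal or employee data while being readable by everyone. The sample file share it builds under a temporary directory is constructed for the demo; the hint table, patterns and threshold are assumptions that a real deployment would replace with its own classifiers and retention schedule.

```python
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# Constructed content patterns for this example; not exhaustive and not locale-aware.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\w)\+?\d[\d\s().-]{8,}\d\b"),
}
# Assumed filename hints used for metadata-based classification.
NAME_HINTS = {"salary": "employee_data", "hr_": "employee_data",
              "contract": "legal", "nda": "legal"}
RETENTION_DAYS = 365 * 7      # assumed threshold for "old and unneeded"
CONTENT_SAMPLE_BYTES = 65536  # only the first 64 KiB of each file is inspected


@dataclass
class FileRecord:
    path: str
    size: int
    age_days: float
    world_readable: bool           # POSIX "other" read bit is set
    labels: set = field(default_factory=set)
    stale: bool = False            # defensible-deletion candidate
    overexposed: bool = False      # sensitive content with overly broad access


def classify(rec, text):
    """Label a record from its filename (metadata) and a content sample."""
    name = Path(rec.path).name.lower()
    for hint, label in NAME_HINTS.items():
        if hint in name:
            rec.labels.add(label)
    for kind, rx in PATTERNS.items():
        if rx.search(text):
            rec.labels.add("pii:" + kind)


def index_repository(root, now=None, retention_days=RETENTION_DAYS):
    """Walk `root`, build an index entry per file and apply the rules."""
    now = time.time() if now is None else now
    records = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            st = os.stat(p)
            rec = FileRecord(path=p, size=st.st_size,
                             age_days=(now - st.st_mtime) / 86400,
                             world_readable=bool(st.st_mode & stat.S_IROTH))
            with open(p, "rb") as fh:
                text = fh.read(CONTENT_SAMPLE_BYTES).decode("utf-8", "replace")
            classify(rec, text)
            sensitive = any(l.startswith("pii:") or l == "employee_data"
                            for l in rec.labels)
            rec.stale = rec.age_days > retention_days
            rec.overexposed = sensitive and rec.world_readable
            records.append(rec)
    return records


def summarize(records, root):
    """Condense the index into the lists a governance team acts on."""
    def rel(r):
        return os.path.relpath(r.path, root).replace(os.sep, "/")
    return {
        "indexed": len(records),
        "personal_data": sorted(rel(r) for r in records
                                if any(l.startswith("pii:") for l in r.labels)),
        "deletion_candidates": sorted(rel(r) for r in records if r.stale),
        "overexposed": sorted(rel(r) for r in records if r.overexposed),
    }


def build_sample_repo(base):
    """Create a small constructed file share for the demo (fictional data)."""
    base = Path(base)
    samples = {  # relative path: (content, POSIX mode, age in days)
        "hr/salary_review_2011.txt":
            ("Jane Doe, jane.doe@example.com, salary band 4", 0o644, 365 * 9),
        "hr/contract_draft.txt":
            ("Contract between ACME and J. Doe, phone +44 20 7946 0958", 0o600, 30),
        "projects/roadmap.txt":
            ("Q3 roadmap: migrate file shares to indexed storage", 0o644, 10),
    }
    for relpath, (text, mode, age_days) in samples.items():
        p = base / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
        os.chmod(p, mode)
        old = time.time() - age_days * 86400
        os.utime(p, (old, old))   # backdate so the retention rule has effect
    return base


def demo():
    """Build the sample share, index it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_repo(tmp)
        return summarize(index_repository(root), root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against the constructed share, the stale salary review is the only deletion candidate and the only overexposed file, while the recent contract carries personal data but is already access-restricted; the roadmap carries nothing sensitive and is left alone. The same three lists (what holds personal data, what can defensibly go, what is readable by too many) are what a subject access request, a retention review and a breach-impact assessment each need first, which is why the article places indexing and classification ahead of everything else.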
Organizations that are able to govern repositories of employee-created documents also limit their exposure to risks such as data breach, which create additional GDPR risk. I compare this scenario to a home invasion: having home security is a great idea (your personal “firewall”), but once a burglar gets in, don’t have all your crown jewels sitting out on the dining table and then wonder why or how you lost your gems.
Similarly, a firewall breach is, unfortunately, a matter of when and not if for the enterprise. Our best protection against that scenario is not just to harden the firewall but to secure our sensitive data so that in the event of a breach, that data isn’t easily accessible or compromised.
Privacy by Design
Ultimately, staying 100 percent compliant with the GDPR to the letter of the law might be near-impossible. Conflicts with business needs, e-Discovery, and other regulations will make the deletion of consumer and employee data upon request a fine line to walk.
Instead, the organizations that remain defensible will likely be the ones that make best efforts to instill privacy by design, or what might be referred to as systemic privacy. GDPR compliance entails a comprehensive approach to data management and information governance, and for many organizations unstructured repositories are a good place to begin.