Late-comer to GDPR compliance? Look to your data first
If you haven’t started down the road to compliance with the EU’s General Data Protection Regulation, let’s face it, you’re probably not going to hit the May 25, 2018 deadline.
If this describes your situation, don’t worry, you’re not alone. According to Forrester, 80 percent of companies affected by the GDPR will not be compliant when the regulations take effect.
Even if you’re going to be late to the party, doing certain things to become compliant can help your business beyond avoiding fines. Let’s look at what exactly the GDPR is, and what you can do on the data management and processing side to be prepared.
Even though the GDPR is a European regulation, it will affect companies across the globe. Any organization that deals with the personal data of European “natural persons” has to be compliant with the GDPR -- at least when it comes to those European citizens.
It divides organizations into two main groups, data processors and data controllers. To quote the GDPR website, data processors “process personal data on behalf of the controller.” These are the data management service providers and other companies that help you store and work with your customer data. Data controllers determine “the purposes, conditions and means of the processing of personal data.” In other words, basically every company doing business in any industry.
These definitions speak to how the regulation views data ownership: companies doing business with personal data are considered the controllers of that data. The companies that provide storage and other services simply process that data. Now, there are some important things that data processors have to ensure, but there are two big things data controllers can do to make sure their compliance efforts are successful.
1. Know your data
This sounds basic, but it’s amazing how many companies take a “set it and forget it” attitude when it comes to their data. They upload it to the cloud, and then just assume it’s secure and optimized.
It’s important to remember that data management doesn’t stop when you upload to the cloud. You have to keep track of the types of data you have, and where it’s stored. This has obvious security implications; private, sensitive data needs security measures that other data may not.
It also has business value. Archival data doesn’t need to be stored at the edge, or on other systems that let you access it quickly. Likewise, some application data may need to be accessed instantly and securely. Taking stock of your data and where it’s stored can lead to some real efficiency gains and cost savings. It’ll help you comply with the GDPR, but it’s an exercise you should complete frequently as a part of doing business.
2. Control your data
Now that you know your data, look a little deeper and make sure you control it. The first part of this equation is pretty simple: maintain the encryption keys in your own environment. This gives you access control and avoids third-party exposure (which is a big no-no for the GDPR).
Next up, scrutinize the data service providers you work with to make sure they provide three critical features:
- The freedom to import and export data at any time. We all understand the importance of being able to upload data at any time, but don’t forget the importance of being able to export that data to different locations seamlessly, and whenever you want.
- The right to erase data at any time. Intimately related to importing and exporting is deleting data. There should be no restrictions on your ability to completely remove data from your service providers’ servers whenever you want or need to.
- Guaranteed data protection. Data protection services that should be included as part of your agreement with any provider include things like encryption of all data at rest and in transit, and the assurance that the provider has no access to that data (which is ensured by the encryption keys). These protections should be automatic, and there should be no way to disable them.
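The key-control point above (keys stay in your environment, so the provider can store but never read the data) is easy to demonstrate in code. The following Go example is added here and is not from the article or any provider's SDK; `ProviderStore` is an assumed stand-in for a hosted storage service, and the AES-GCM key is generated and held by the controller, never handed to the store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ProviderStore stands in for a hosted storage service (an assumption made for
// this example): it only ever receives and returns ciphertext, never a key.
type ProviderStore map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key is 16, 24 or 32 bytes, held by the controller
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts a record in the controller's environment with AES-GCM and hands
// the provider only nonce||ciphertext||tag. The record id is bound as associated
// data, so a blob moved under a different id fails to open instead of decrypting.
func Upload(store ProviderStore, key []byte, id string, record []byte) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per upload
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store[id] = gcm.Seal(nonce, nonce, record, []byte(id))
	return nil
}

// Download fetches the blob and decrypts it locally. Without the key the provider
// can store, copy or delete the blob but cannot read or silently alter it.
func Download(store ProviderStore, key []byte, id string) ([]byte, error) {
	blob, ok := store[id]
	gcm, err := newGCM(key)
	if !ok || err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("missing record, bad key or truncated blob")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], []byte(id))
}
```

Because the key never leaves your side, "the provider has no access to that data" becomes a property you can verify rather than a clause you have to trust.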
Getting a jump on knowing and controlling your data will get you on the road to GDPR compliance. More than that, though, these two steps will help your company use data management services more effectively. This helps with compliance, sure, but it will also make your company more efficient and secure when it comes to managing your data.