Preparing for GDPR: How to best meet the new compliance requirements
On May 25, 2018, the EU's General Data Protection Regulation (GDPR) takes effect, requiring companies worldwide that handle EU residents' personal data to comply with a fundamental change in the way businesses manage and distribute that data.
The new regulation is not a 'nice to take notice of' initiative, but a 'must comply with' piece of legislation. Because it is a significant shift in the way data-centric businesses operate (and what business today doesn't rely on data for all it does?), complying with it is formidable. As a result, many businesses appear stuck in 'analysis paralysis', unable to implement strategies to meet the GDPR challenge.
How can you break through that paralysis? How can you get started on the path to compliance? In short, where do you start?
First, let’s remind ourselves what is behind the GDPR.
At the most foundational level, it is about stopping the misuse of personal data by organizations that may be tempted to use it for intrusive, unwanted marketing. We have all suffered such targeting and know how annoying it is. So, one of the key tenets of GDPR is accountability: an organization must be able to demonstrate a specific purpose and a lawful basis (consent, performance of a contract, a legal obligation, legitimate interests, and so on) for every item of personal data it holds, and must hold no more than that purpose requires. Within every business there are many different and disparate data streams, making it tough to create an easily auditable view of the data and, in turn, to justify why each piece of it is held.
For example, imagine it is found that a retailer is scanning the color of people's eyes at the point of purchase as they pay. The company will now have to explain why it is doing that. Perhaps it is an optician with a legitimate reason for capturing this data, because it helps provide better aftercare to customers. But even if the reasons are entirely honorable, the company still needs to be able to explain the data processes downstream from the till so that, if checked, the processing can be shown to comply with GDPR.
This example illustrates that, however data is collected, after May 25, 2018 it will have to be identifiable and auditable, and accessible to the individual upon request (the right of access in Article 15).
The only way to effectively ensure this is to create a map of all the personal data a company stores: identify where each piece of data sits, tag it and, to satisfy 'access upon request', either keep it somewhere with extract capabilities or be able to build those extracts quickly. In addition, the purpose of the data must be explainable, the business need for it must be shown and, where consent is the lawful basis relied upon, it must be possible to prove that people opted in.
And that, my friends, is a very time-consuming task.
Moving forward, solutions will have to focus on making data both identifiable and auditable, and data infrastructure automation software offers two core capabilities to help.
On a proactive basis, data infrastructure automation software can go off and discover data stores and tag fields of concern. It can be used to map out all the data systems within the organization, providing a really effective means of auditing and cataloguing data.
On a reactive basis, if ever a company is asked to prove anything about a particular piece of data, or to pull multiple trails together quickly for an access request, data infrastructure automation software will need to supply the full lineage of that data trail. With the ability to define an extract that pulls together all data related to a particular person from every area of the business within the one-month response window GDPR allows for access requests (Article 12(3), extendable in complex cases), there is no need to build these extractors in advance, and they can be reused the next time a request is made.
When capabilities like these are combined, data infrastructure automation software can retrospectively go out and catalog all of a company’s data, and easily enable complex data extraction. Complying with GDPR represents significant challenges to all businesses. But the first, and most important step is to quickly get to a point where you can both identify and audit your data. From here, the roadmap to GDPR compliance will suddenly look a lot clearer.
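As an added illustration of the map, tag and extract workflow described above (this is example code written for this page, not code from the article or from any data infrastructure automation product it describes), the following Python puts the proactive and reactive halves together: a scanner that walks three constructed in-memory "systems" (a till, a CRM and an optician's aftercare store) and tags columns that look like personal data; an audit that flags every tagged field whose purpose and lawful basis the data owner has not yet recorded; and a subject access export that assembles every row about one person, with the lineage of each field, and computes the one-month response deadline. All system names, column names, matching patterns and sample rows are made up for the example.

```python
"""Toy data map + subject access export (added example; all names and data are constructed)."""
import calendar
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed sample systems: {system: {table: [rows]}}. Stand-ins for real databases.
SYSTEMS: Dict[str, Dict[str, List[dict]]] = {
    "till": {"sales": [
        {"sale_id": 1, "customer_email": "ann@example.com", "eye_colour": "green", "total": 42.0},
        {"sale_id": 2, "customer_email": "bob@example.com", "eye_colour": "brown", "total": 9.5},
    ]},
    "crm": {"contacts": [
        {"email": "ann@example.com", "name": "Ann Lee", "marketing_opt_in": True},
        {"email": "bob@example.com", "name": "Bob Ray", "marketing_opt_in": False},
    ]},
    "aftercare": {"prescriptions": [
        {"patient_email": "ann@example.com", "lens": "-1.25", "eye_colour": "green"},
    ]},
}

# Column-name heuristics that mark a field as personal data (constructed for the example).
PERSONAL_NAME_PATTERNS = {
    "email": re.compile(r"email", re.I),
    "name": re.compile(r"(^|_)name$", re.I),
    "eye_colour": re.compile(r"eye_colou?r", re.I),
}
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class CatalogueEntry:
    system: str
    table: str
    column: str
    tag: str
    purpose: str = ""       # recorded by the data owner; a scanner cannot know why data is held
    lawful_basis: str = ""  # e.g. "contract", "consent", "legitimate_interests"


def discover_personal_data(systems) -> List[CatalogueEntry]:
    """Proactive pass: walk every table and tag columns that look like personal data."""
    found = []
    for system, tables in systems.items():
        for table, rows in tables.items():
            if not rows:
                continue
            for column in rows[0]:
                tag = next((t for t, p in PERSONAL_NAME_PATTERNS.items() if p.search(column)), None)
                # Also catch e-mail addresses hiding in columns with unhelpful names.
                if tag is None and all(isinstance(r.get(column), str) and EMAIL_VALUE.match(r[column])
                                       for r in rows):
                    tag = "email"
                if tag:
                    found.append(CatalogueEntry(system, table, column, tag))
    return found


def record_purpose(catalogue, system, table, column, purpose, lawful_basis) -> None:
    """Data owner annotates a discovered field with why it is held and on what lawful basis."""
    for e in catalogue:
        if (e.system, e.table, e.column) == (system, table, column):
            e.purpose, e.lawful_basis = purpose, lawful_basis


def audit_catalogue(catalogue) -> List[str]:
    """Accountability check: every tagged field must carry a purpose and a lawful basis."""
    return [f"{e.system}.{e.table}.{e.column}: missing purpose/lawful basis"
            for e in catalogue if not (e.purpose and e.lawful_basis)]


def response_deadline(requested_on: date) -> date:
    """Article 12(3): respond within one month of the request (extension not modelled here)."""
    year = requested_on.year + (requested_on.month == 12)
    month = requested_on.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(requested_on.day, last_day))


def subject_access_export(systems, catalogue, subject_email, requested_on: date) -> dict:
    """Reactive pass: pull every row about one person from every system, with field lineage."""
    # Columns tagged 'email' are the join keys that identify the subject in each table.
    keys = {(e.system, e.table): e.column for e in catalogue if e.tag == "email"}
    records = []
    for (system, table), key in keys.items():
        lineage = {e.column: {"tag": e.tag, "purpose": e.purpose, "lawful_basis": e.lawful_basis}
                   for e in catalogue if (e.system, e.table) == (system, table)}
        for row in systems[system][table]:
            if row.get(key) == subject_email:
                records.append({"system": system, "table": table, "row": row, "lineage": lineage})
    return {"subject": subject_email, "records": records,
            "respond_by": response_deadline(requested_on).isoformat()}


if __name__ == "__main__":
    cat = discover_personal_data(SYSTEMS)
    record_purpose(cat, "till", "sales", "customer_email", "issue receipts", "contract")
    print(audit_catalogue(cat))
    print(subject_access_export(SYSTEMS, cat, "ann@example.com", date(2018, 5, 31)))
```

The scanner only tags what it can recognise; the audit then turns the catalogue into a to-do list for data owners, and the export is built from the catalogue rather than hand-written per request, which is what lets it be reused for the next request.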