The sirens have been ringing loud and clear about the looming May 2018 GDPR deadline. And while companies have a broad understanding of what the regulation entails — including fines of up to 4 percent of worldwide turnover — it's still unclear how, where and to what extent the new regulation will impact businesses.
In the first of our two-part look at how information management professionals saw the General Data Protection Regulation (GDPR) impacting business, we asked where the pain points would be.
Their responses uncovered a wide range of issues, including security, data sovereignty, privacy and the use of personal data by enterprises on both sides of the Atlantic.
However, one theme emerged which all four more or less agreed on: enterprises already struggle to manage data flows. The increased regulation that comes with the GDPR will make it even tougher to move and use data.
We asked three other professionals the same question to see if they, too, identified data workflows and management as the core problem facing enterprises. With data now one of the most valuable resources in an enterprise, any tougher regulation could have a significant impact on business.
What are the highest-impact aspects of the GDPR?
Dana Louise Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint
Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection and security programs. She manages a global team of subject matter experts that provide executive level consulting, research and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Dana is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges and market opportunities.
Successfully complying with the GDPR requirements begins with understanding the data you hold. Once you understand the data, it's important to limit access so that only authorized employees can view it.
While these first steps may sound simplistic, they are a lot harder to put into practice than it may seem. The difficulty in uncovering an organization's data comes from years of misled employees believing that "data hoarding" is an acceptable practice.
This means that before correct data processes can be encouraged, there must be education on why the previous methods of data hoarding are damaging and dangerous to the organization and its employees.
Only then can the idea of understanding and minimizing data be implemented. In my recent column on file share analysis, I wrote extensively about the problem with “dark data,” and both the risk and opportunity this may create for a company. With the upcoming GDPR regulation, this is a great time for IT teams to educate employees on best practices and build a data cleansing program.
This program should focus on analyzing, pruning and optimizing your data. While it may feel like an arduous task, it will pay off in greater productivity, improved IT systems performance, reduced storage costs and ultimately, reduced privacy and security risk.
Saimon Michelson, Chief Architect, North America at CTERA Networks
Saimon has been working at CTERA since 2011 and has filled a wide range of roles including software developer, senior product manager and sales engineer. CTERA Networks, based in Israel and New York City, NY, was founded in 2008. It provides cloud storage solutions that enable service providers and enterprises to launch managed.
In May 2018, companies doing business in the EU will need to meet strict General Data Protection Regulation (GDPR) requirements for data storage. Every EU company, or any company that sells goods in the EU, will need to transparently map the types of personally identifiable information stored and where it is located.
They also will have to ensure they can address several key requirements for data storage, including providing customers the ability to access and be notified about any shared information, to restrict data processing and to have personal information corrected as necessary. All of this will put pressure on companies and vendors to add features that help cope with these requirements.
What we’re seeing is more and more global companies fully engaged in addressing these requirements. They are asking questions about:
- Advanced encryption and user authentication techniques (for personal data processing)
- Backup and disaster recovery (to ensure the availability and resiliency of systems, processes and data)
- Multi-tenancy (the ability to service customers by region and ensure data residency and control)
While some organizations largely have been moving slowly toward GDPR compliance, the companies we talk to are taking a more aggressive approach to meeting the May 2018 deadline. They are asking the right questions and working with technology vendors to ensure they can quantifiably protect consumer data while also avoiding the costly penalties of non-compliance. This trend likely will be reflected across a wider range of organizations as we move into the latter part of 2017 and they become more familiar with secure data services solutions that ease the transition to GDPR compliance.
Scott Parker, Senior Product Manager at Sinequa
Scott has a deep history in the enterprise software business and has served in a variety of key roles including Software Development Manager, Professional Services Director, Pre-sales Consultant and Product Expert. He joined Sinequa at the beginning of this year where he works to make sure stakeholders across the globe understand the real and potential benefits of applying cognitive search and analytics technology to their business.
The penalties for non-compliance allowed by the GDPR are steep, so companies are finding that it makes both legal and financial sense to invest heavily in compliance.
These investments will fund a cascade of activities, starting in most cases with the appointment of Data Protection Officers (DPOs) who will create data protection plans to drive risk assessments, which will result in the implementation of measures for risk mitigation.
Once these changes are in place, companies will have to test their incident response plans to make sure they can report breaches within the 72 hours required by GDPR. How well the response teams perform and minimize damage will directly affect the company’s risk of fines for a breach. Processes for ongoing assessment must also be set up in order to remain in compliance, which will require monitoring and continuous improvement.
Underlying these compliance transformations is the core question of how companies will determine whether unprotected customer data exists or not. Enter cognitive search and analytics (CS&A), a technology that can enable transparency into a company’s digital landscape in order to answer this question on an ongoing basis.
A CS&A platform can analyze enterprise information and take a rules-based and/or a machine learning-based approach to identifying what constitutes customer data and where it exists across disparate applications and content repositories. Such automated analysis effectively exposes compliance violations to prevent potentially expensive non-compliance penalties.