The GDPR (General Data Protection Regulation) – the European Union (EU) regulation that enables citizens to take back control of their own data and unifies privacy regulations across the EU – is creating a lot of news lately. It comes into law on May 25, 2018, just six months from now, and replaces the Data Protection Directive of 1995. By unifying the regulation within the EU, it simplifies the regulatory environment for international business. With Brexit still in flux, naturally, there are questions.
One of the key requirements of GDPR is that businesses will need to track and trace sensitive data and determine how it is processed across their information supply chain. As a result, the way businesses approach data management will need to be handled carefully to comply with “privacy by design” principles. For businesses, this means that each new digital service leveraging personal data must now take data protection into account as well.
What is the cost of ignoring the GDPR? Well, breaches of some GDPR provisions could lead to data watchdogs levying fines of up to €20 million or 4 percent of global annual turnover for the preceding financial year, whichever is greater. And as we get closer to the GDPR deadline, many IT departments are looking for guidance on how to handle these impending data regulations.
The GDPR holds many challenges for the IT departments of companies that do business with EU citizens, centered on the right to examine data, the right to erase it, and data portability. Here are a few of the challenges:
Businesses will need to create and maintain a holistic data inventory to know what Personally Identifiable Information (PII) they have stored and processed throughout their company. Records of processing activities – including purposes of the processing, categories involved and predicted time limits – must be maintained and made available to the supervisory authority on request.
Such a requirement can pose a challenge for a typical company where customer data is stored in multiple, often siloed systems, which means different formats and levels of quality, all using different definitions and data conventions.
Next, there is a need for businesses not just to protect their data but also to open it, using data integration and data services technologies. That’s particularly important because, under the terms of GDPR, individuals have the right to ask organizations to provide them with all the relevant data these organizations hold on them.
A person can also invoke the “right to be forgotten,” ask for corrections if data is inaccurate, and ask for the relevant data to be delivered to them in a machine-readable format.
Finally, a person has the right to data portability, so they can transfer their personal data from one electronic processing system to another without being prevented from doing so by a company. Both data that has been “provided” by the person and data that has been “observed” – such as data about their behavior – are within scope.
A plan of action
What should a company do? Here are a few steps a company can take to help prepare for GDPR:
Step 1: Define a policy
One of the most important places to start this journey is the definition of the policy for your business. GDPR has a set of policy attributes that need to be defined systematically, both as a business definition (e.g., the right of consent and what it means) and as a technical definition (name, address, etc.). This crucial step – where the policy and the rules used to enforce it meet – needs to be documented in a manner that makes the policy enforceable. Defining a policy is also the step in which the specific data attributes that support the policy are identified.
Step 2: Automate data discovery
Once the policy has been defined, a digital solution needs to provide automated discovery of relevant customer data across any number of databases, applications, big data and cloud data stores, etc. It also needs flexible, high-performance, and scalable scanning capabilities to uncover where potentially relevant customer data resides.
Step 3: Understand data proliferation
As mentioned previously, data proliferation is a major challenge for relevant customer data, as it is often extracted from source systems and copied to other systems for subsequent processing. These other systems often sit outside any formal governance process, which means reduced or no visibility into this data.
Step 4: Assign a risk score
The GDPR now requires that a risk score be generated based on an understanding of where relevant customer data is and how it moves. A risk score should be built from a number of different data security attributes, including:
- Data protection availability
- Data existence
- Volume of data
- Data proliferation
- Data accessibility
A company can calculate a risk score by taking the above attributes into consideration, along with other factors. The score lets companies prioritize the order in which relevant customer data stores need to be addressed: a high score signifies a data source that potentially needs urgent attention, while a low score means it can wait.
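The following is an added example, not code from the original post or from SnapLogic, that ties Step 2 (automated discovery) to Step 4 (risk scoring). It scans a few constructed data stores for two PII categories with simple regular expressions, then combines the five attributes listed above into a 0–100 score and ranks the stores. The store names, sample records, weights, and normalization thresholds are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Simple heuristic patterns for two common PII categories (assumed for the example;
# a production scanner would use validated patterns and checksum tests where they exist).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}

# Relative weights for the five attributes from the post (assumed values).
WEIGHTS = {
    "protection": 30,     # is encryption / access control in place?
    "existence": 20,      # was any relevant data found at all?
    "volume": 15,         # how much of it?
    "proliferation": 20,  # how many downstream copies exist?
    "accessibility": 15,  # how many accounts can read it?
}


@dataclass
class DataStore:
    name: str
    records: list    # constructed sample rows, each a plain string
    protected: bool  # encryption at rest or access control in place
    copies: int      # known downstream copies (proliferation)
    accessors: int   # accounts able to read the store


def scan_store(store):
    """Step 2: count PII hits per category across a store's records."""
    hits = {category: 0 for category in PII_PATTERNS}
    for record in store.records:
        for category, pattern in PII_PATTERNS.items():
            hits[category] += len(pattern.findall(record))
    return hits


def risk_score(store, hits):
    """Step 4: combine the five attributes into a 0-100 score (weights are assumptions)."""
    total_hits = sum(hits.values())
    if total_hits == 0:
        return 0  # nothing relevant found, so nothing to prioritize here yet
    factors = {
        "protection": 0.0 if store.protected else 1.0,
        "existence": 1.0,
        "volume": min(total_hits / 100, 1.0),          # saturate at 100 hits
        "proliferation": min(store.copies / 5, 1.0),   # saturate at 5 copies
        "accessibility": min(store.accessors / 50, 1.0),  # saturate at 50 accounts
    }
    return round(sum(WEIGHTS[k] * factors[k] for k in WEIGHTS))


def prioritize(stores):
    """Rank stores by risk score, highest (most urgent) first."""
    scored = [(s.name, risk_score(s, scan_store(s))) for s in stores]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory: a protected source system, an unprotected
# analytics copy that many people can read, and a log store with no PII.
SAMPLE_STORES = [
    DataStore("crm_db",
              ["alice@example.com, +44 20 7946 0958", "bob@example.org"],
              protected=True, copies=1, accessors=5),
    DataStore("analytics_export",
              ["alice@example.com, +44 20 7946 0958", "bob@example.org", "carol@example.net"],
              protected=False, copies=3, accessors=40),
    DataStore("build_logs",
              ["build 42 ok", "build 43 failed"],
              protected=False, copies=1, accessors=10),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_STORES):
        print(f"{name:20s} risk={score}")
```

On this sample inventory the unprotected, widely readable analytics copy ranks first even though it holds only one more record than the source system, which is the point of weighting proliferation and accessibility separately from volume: a small extract outside governance can be the most urgent item on the list.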
Step 5: Take action
Once a company has defined the policy and identified where the data is stored, it needs to take action appropriate to the risk the data flows represent. Perhaps the most difficult part is how best to integrate the data from multiple, disparate data sources, apply the necessary protections, and keep them in sync. SnapLogic’s Enterprise Integration Cloud is designed to ease the work of integrating, securing, and syncing data from cloud applications, databases, social media, IoT, data stores, and other endpoints so a company can more easily comply with GDPR.
Because the GDPR deadline is approaching, many companies are still determining how it affects them and then developing plans to become compliant. Hopefully, my summary helps more people become aware of how this business-changing regulation will impact their company. My primer is not meant to be comprehensive nor prescriptive, so we will continue to share more information as the deadline approaches. To learn more about the GDPR, Wikipedia is a good place to start.