Research Director, European Software Group
The EU’s far-reaching GDPR legislation will start to apply from May 25, 2018 – less than a year away. IDC surveys reveal that a surprising number of companies do not expect to be ready on the day, let alone in advance. As of March this year, fully 57% had not yet begun to prepare.
Given the swingeing penalties that are proposed for contravening the regulation, this is not a good thing.
But IDC is also concerned that companies are not looking at compliance in the right way. For many companies – both solutions vendors and solutions buyers – GDPR compliance is seen as a security issue: avoiding unauthorized access to, or loss of, data. It’s a job for the security professionals. And so the answer revolves around having the right password policies, up-to-date versions of all your software to prevent hacks, and so forth. But that’s wrong. Or, rather, it’s only part of the story.
IDC has a three-layer model for GDPR technology and associated processes. And at the top layer, there’s governance.
For, at heart, GDPR compliance is about protecting citizens’ data privacy rights. This raises key data governance issues, including: Who can access personal data that we hold? How is the data being used? Where is it being stored? Are we tracking people’s permission to use their data? Can we inform them of the processing we’re doing on their data? Indeed, which data – raw and derived – that we hold or process comes under the legislation? Sensitive data might relate to customers, employees, or your partners’ employees. Bringing together linked pieces of data that alone are not generally considered ‘personal’ data, for example location data or IP addresses, can help generate data items that identify an individual and then are considered personal.
GDPR, then, is an issue for data and analytics professionals as much as for security staff: the Chief Data Officer organization, or its equivalent inside or outside the IT department – in alliance with compliance, risk and IT security staff, and possibly with a Data Protection Officer in place. Even companies that are aware of these different aspects are often approaching them in silos rather than coordinating efforts.
CISOs and CDOs need to look at processes, people and tools across these two domains of security and governance. The latter have often been overlooked in GDPR discussions, but they are crucial.
- Tools to track all consents granted – or revoked – to use personal data
- Tools to identify and document which data being held could be considered personal data, and to track where it is stored – across your data silos and functional boundaries
- Tools to track the lineage of data assets – where did they come from? Are they derived from other data internally or externally? What calculations/transformations are we performing – and do we have permission to do so? And where is the data going to go next?
- Tools to anonymize or ‘pseudonymize’ data for consumption by individuals who should not see personal data, or before passing it outside the organization – ‘privacy by design’ is a key plank of the regulation.
- Archival tools and policies – to make sure data is deleted when it should be/if it should be – and retained if not. The right to be forgotten is no longer just an issue for search engines.
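To make the pseudonymization item above concrete, here is an added example in Python; it is not IDC’s code or any vendor’s product, and the record layout, field names (`customer_id`, `email`, `ip`, `lat`, `lon`, `full_name`) and sample rows are constructed for illustration. Direct identifiers are replaced with keyed HMAC-SHA256 tokens, so rows about the same person can still be joined by the analytics team, but the original values cannot be recovered or guessed from the token without the key. Quasi-identifiers such as IP address and location, which the text notes can identify a person when combined, are coarsened rather than removed.

```python
import hashlib
import hmac
import ipaddress

# Fields treated as direct identifiers: tokenized, never passed through in the clear.
DIRECT_IDENTIFIERS = ("customer_id", "email")

# Constructed sample records (not real people or systems).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "Alice@Example.com", "full_name": "Alice Example",
     "ip": "203.0.113.77", "lat": 51.5074, "lon": -0.1278, "plan": "gold"},
    {"customer_id": "C-1002", "email": "bob@example.net", "full_name": "Bob Example",
     "ip": "2001:db8:abcd:1234::1", "lat": 48.8566, "lon": 2.3522, "plan": "basic"},
]

# Constructed demo key. In practice the key lives in a secrets store, separately from
# the pseudonymized data; holding it apart is what makes the output pseudonymous.
DEMO_KEY = b"demo-pseudonymization-key-do-not-reuse"


def pseudonymize_value(value: str, key: bytes) -> str:
    """Deterministic keyed token for one identifier.

    Normalizing (strip + lowercase) means 'Alice@Example.com' and 'alice@example.com'
    map to the same token. HMAC, unlike a plain hash, means an attacker holding the
    token cannot brute-force likely emails without also holding the key.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def generalize_ip(ip: str) -> str:
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def generalize_location(lat: float, lon: float, places: int = 1) -> tuple:
    """Round coordinates to roughly city-block/neighbourhood precision."""
    return (round(lat, places), round(lon, places))


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record safe for consumers who must not see personal data."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonymize_value(str(out[field]), key)
    if "ip" in out:
        out["ip"] = generalize_ip(out["ip"])
    if "lat" in out and "lon" in out:
        out["lat"], out["lon"] = generalize_location(out["lat"], out["lon"])
    # Free-text names have no analytic value here, so drop them outright.
    out.pop("full_name", None)
    return out


def leaks_raw_identifier(original: dict, pseudonymized: dict) -> bool:
    """Sanity check before release: no raw direct identifier survives anywhere in the output."""
    blob = repr(pseudonymized).lower()
    for field in DIRECT_IDENTIFIERS + ("full_name",):
        raw = original.get(field)
        if raw and str(raw).strip().lower() in blob:
            return True
    return False


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        safe = pseudonymize_record(rec, DEMO_KEY)
        assert not leaks_raw_identifier(rec, safe)
        print(safe)
```

Because the tokens are deterministic per key, a consent revocation or erasure request can still be honoured: compute the token for the subject’s identifier with the same key and delete matching rows. Rotating the key breaks that linkage, so the key’s lifecycle belongs in the same governance process as the consent and retention records.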
In the age of Big Data, a widespread view has arisen that, as storage cost is so low, all data should be retained ‘just in case’ it may be needed – even if it has no real value today. But the more data you have, the more likely it is that it can be combined in ways that need to be tracked for compliance. So GDPR can fundamentally change the data cost equation by factoring in a risk/compliance element – creating a paradox at the heart of Big Data: does more data bring more value or just more risk?
Of course this covers unstructured data (textual information, pictures, audio and video) as well as more easily managed structured data – social media data can be as important to cover as data in your HR and finance systems, for instance.
The good news is that GDPR compliance will drive you to do things you always wanted to do anyway. For instance, getting all your customer data in order will help to create strong foundations for building a true 360-degree view of your customers. Setting up a self-service portal for data subjects can, in effect, outsource the effort of keeping some data current. Exhibiting GDPR compliance early will help to build valuable trust amongst your customers.
So, CDOs, CISOs and CIOs: do you have the data governance tools, processes and people to tackle GDPR? If not, then you have just months to get all three in place.
For more information and advice on GDPR compliance implications – processes and tools – you can contact IDC’s Data Privacy and Security Practice via www.idc.com