GDPR - one year on
May 23, 2019
GDPR was the four-letter acronym you couldn’t get away from last year. And while the regulatory deadline of 25 May 2018 has come and gone, the impact of GDPR remains a key topic of conversation for many CIOs; the drive for compliance and the fear of fines and reputational damage remain front of mind.
Despite the GDPR now being in full force, many are still on the journey to compliance. Getting to a place where you’re confident there’s no data sprawl, everyone’s singing from the same data ‘hymn sheet’ and there’s one single source of truth has been — and still is — a significant challenge for many enterprises.
While still a business challenge, GDPR should be viewed as just another market condition, and shouldn’t be seen as a barrier to creating a data-driven culture across an organisation. Rather, it should be positioned as a regulation driving data empowerment, so long as the technology is in place to enable compliant practices. Fostering this environment isn’t without its challenges, though, particularly for enterprises managing complex data architectures such as hybrid and multi-cloud environments.
Indeed, in the first nine months since the GDPR was implemented, we’ve already seen over €75m worth of fines issued, and over 144,000 complaints from individuals and 89,000 breach notifications in the European Economic Area, as of May 2019.
Given the number of incidents reported recently, the total of fines to date might seem fairly low compared with the media rhetoric in the build-up to 25 May 2018. This may be because many of the significant breaches disclosed over the past year occurred before the GDPR deadline, so they were subject only to the maximum fines of the previous regime (£500,000 from the Information Commissioner’s Office in the UK, for example). It is also likely that regulators have so far pursued the more straightforward cases as a way of reinforcing the importance of data protection compliance. We therefore expect the second year of GDPR ‘in action’ to bring more investigations, new guidance, and more fines and enforcement measures against organisations found not to be compliant.
Maintaining GDPR compliance
For that reason, it has never been more important for organisations to review their data handling and security processes regularly, ensuring policies and processes put in place prior to 25th May 2018 are still being carried out properly.
With access to data storage becoming so inexpensive, easy and accessible in recent years, the instinct has been for businesses to hoard any and all data they can get their hands on. In many cases, this has generated results in the form of new insights that never would have been uncovered otherwise.
However, this has also resulted in businesses housing huge volumes of data, some of which isn’t being used at all, and the rest of which is often duplicated across many locations. This ‘data sprawl’ makes it hard for enterprises to even understand what exactly they’re storing, let alone where it is, how it’s being accessed or how to respond to data subject access or deletion requests. This sprawl can potentially increase risk to the business and to individuals.
Organisations seeking to achieve GDPR compliance may have tackled this issue prior to the deadline, but they’ll need to ensure the right strategies, processes and technologies are in place to maintain this position moving forwards.
Three guiding principles for GDPR compliance
The likes of GDPR, and other privacy regulations on the horizon, aren’t going anywhere — so here are three guiding principles you can adopt as part of your overall data strategy to help drive long-term compliance:
Data governance
Data governance involves the people, processes, and technologies required to create consistent and proper handling of an organisation’s data across the business. Companies must maintain current documentation of their data supply chain from the time of collection to erasure, such as data flow maps and data inventories.
Privacy by design and data retention
Today, the average enterprise relies on over a thousand cloud software applications — each of which requires access to real-time data — from sales CRM to ERP and marketing tech. Yet many lack a platform that can take this data, analyse it in the context of where it resides and deliver impactful, insightful information in one, centralised location — avoiding such data sprawl.
Centralising an organisation’s data is the most efficient way of documenting where data lives and is used, while providing the capability to substantially increase data analysis effectiveness and speed. Centralising does not remove the obligation to minimise, though: a store that holds a copy of everything is a single high-value target, and the same access controls, retention periods and deletion rules must be applied to it as rigorously as to the source systems it draws from.
Monitoring and auditing
Monitoring data and data access is critical to GDPR compliance. It ties who has access to personal data back to why the data was collected and how your organisation will use it. Once you’ve set controls on who — both internal users and third-party vendors — may access personal data and for what purpose, you can monitor that access so that unauthorised access is detected and blocked, and so that authorised users are not using personal data for purposes other than those recorded.
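One way to turn the principle above into a check, as an added example that is not part of the original article: record the access policy as a table of which role may read which category of personal data for which declared purpose, then run access-log lines against it. The log format, the roles, the policy table and the bulk-access threshold are all assumptions chosen for illustration, and the sample log lines are constructed, not real data.

```python
"""Purpose-limitation and access monitoring over constructed access-log lines.

Added example, not taken from the original article. The policy table, log
format and threshold are assumptions chosen to illustrate the idea.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical policy: which role may touch which category of personal data,
# and for which recorded purpose. Anything not listed is unauthorised.
POLICY = {
    ("support-agent", "contact_details"): {"customer_support"},
    ("marketing-analyst", "contact_details"): {"marketing"},
    ("payroll-clerk", "bank_details"): {"payroll"},
    ("vendor:email-provider", "contact_details"): {"marketing"},
}

# An authorised role reading far more records than its job needs is a classic
# sign of misuse or exfiltration; the threshold here is an assumption.
BULK_THRESHOLD = 500

# Constructed log format: an ISO timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) role=(?P<role>\S+) "
    r"category=(?P<category>\S+) purpose=(?P<purpose>\S+) count=(?P<count>\d+)$"
)


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    actor: str
    role: str
    category: str
    purpose: str
    count: int


def parse_line(line: str) -> AccessEvent:
    """Parse one access-log line; unparseable lines are an error, not silently dropped."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable access log line: {line!r}")
    d = m.groupdict()
    return AccessEvent(d["ts"], d["actor"], d["role"], d["category"],
                       d["purpose"], int(d["count"]))


def check_event(ev: AccessEvent, policy=POLICY, bulk_threshold=BULK_THRESHOLD) -> list[str]:
    """Return the policy findings for one event (an empty list means clean)."""
    findings = []
    allowed = policy.get((ev.role, ev.category))
    if allowed is None:
        findings.append("unauthorised_access")   # role may not touch this category at all
    elif ev.purpose not in allowed:
        findings.append("purpose_mismatch")      # authorised role, but an undeclared purpose
    if ev.count > bulk_threshold:
        findings.append("bulk_access")           # volume out of line with the stated job
    return findings


def audit(lines, policy=POLICY, bulk_threshold=BULK_THRESHOLD) -> list[tuple[AccessEvent, list[str]]]:
    """Run every non-empty line through the policy; return only events with findings."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        findings = check_event(ev, policy, bulk_threshold)
        if findings:
            results.append((ev, findings))
    return results


# Constructed sample log lines (not real data).
SAMPLE_LOG = """
2019-05-20T09:01:12Z actor=alice role=support-agent category=contact_details purpose=customer_support count=1
2019-05-20T09:05:40Z actor=bob role=marketing-analyst category=contact_details purpose=customer_support count=3
2019-05-20T09:07:03Z actor=carol role=support-agent category=bank_details purpose=customer_support count=1
2019-05-20T09:15:55Z actor=vendor:email-provider role=vendor:email-provider category=contact_details purpose=marketing count=12000
2019-05-20T09:20:00Z actor=dave role=payroll-clerk category=bank_details purpose=payroll count=40
"""

if __name__ == "__main__":
    for ev, findings in audit(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} {ev.actor} {ev.category}: {', '.join(findings)}")
```

Run as a script, the sample flags three of the five events: bob (authorised role, but a purpose other than the one recorded for marketing analysts), carol (a support agent reading bank details, which no policy row permits) and the email vendor (a permitted purpose but a record count far above the threshold). Alice and dave are clean. The point of the policy table is that it is the same artefact the data inventory already needs, so the monitoring check and the governance documentation stay in step.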
Following these practices will support your ability to deliver regular business insights while maintaining compliance with data protection legislation. While it may sound ambitious, centralised data, a single source of truth and regulatory compliance are all simultaneously achievable with the right platform in place.
Register for our Webinar on Data in the Age of GDPR for more insight on GDPR and what to expect with data privacy and regulation in 2019.