Some businesses are keeping their heads in the sand while others are fearful of what’s ahead, but the forthcoming General Data Protection Regulation (GDPR) could, in reality, be a force for good.
On one hand, the new obligations threaten punitive fines for non-compliance, poor accountability and data breaches. The new rules apply to every organization that processes the personal data of individuals in the EU, including organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Note that "personal data" under the GDPR is broader than the familiar notion of personally identifiable information (PII): it is any information relating to an identifiable person, and it covers both employees and the consumers of the services the organization provides. The fines are intended to be taken seriously, rising to 4% of annual worldwide turnover or €20m, whichever is higher. Consequently, treating a possible fine as a cost of doing business and weighing it against the cost of compliance is no longer a viable option.
But on the other hand, the GDPR legislation gives organizations the impetus to raise their game. It’s the perfect time for companies to strengthen their data management, and the privacy and protection they provide to this most critical of business assets. Moreover, better information governance, compliance and policy can help enterprises develop a more efficient digital transformation strategy. This will ensure a streamlined and focused journey, with less of the information risk that pervades today’s clogged IT systems.
The average business has vast amounts of legacy digital data, growing on average by 39% per year. It is contributing to something that Veritas terms a “Databerg”. This comprises over 30% redundant, obsolete and trivial (ROT) data and over 50% dark data, whose content is simply unknown to the organization.
This inefficient use of data stores carries a long list of business disadvantages, and unnecessary storage and management costs are only the start. If you do not know what data you have, where it resides or who has access to it, you can neither protect it nor demonstrate compliance.
The GDPR mandates greater accountability for, and transparency over, the personal data organizations hold. Not knowing what is in your data estate could lead not only to a potential fine but also to reputational damage from data leaks or breaches. Equally, the GDPR is driving businesses to be better custodians of the personal data they retain.
There are also operational implications. Poor visibility and insight into your key information assets slows down the day-to-day ability to respond to search requests. This especially applies to requests from data subjects exercising their enhanced rights under the GDPR: access to their data, rectification, portability and erasure (the 'right to be forgotten'). A subject access request must normally be answered within one month of receipt, so an organization that cannot find every copy of a person's data within that window is exposed from the outset.
The solution to these problems is often seen as a long and tortuous route, especially when you consider the billions of objects and files an average organization has amassed over the years. It does not have to be this way, though. The GDPR is leading businesses to focus on ‘data’. This focus is the key to solving the visibility and insight problems that are the starting point to the journey of compliance.
Being able to create real-time data maps of the operating environment can help pinpoint where sensitive data resides: especially copies and dumps of structured databases. Understanding who is accessing key department information can highlight the risk of insider threat and flag a potential data loss. Plus, being able to search from multiple sources to locate data subject information, and respond to subject access requests, turns your information into an asset, not a liability.
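To make the three capabilities above concrete, here is a small added example; it is not Veritas's product and not code from the original article. It builds a simple data map over a constructed set of files, lists the files that look like database dumps, answers a subject access query across all sources, and flags cross-department reads of PII-bearing files from a constructed access log. The file contents, paths, log lines, the SQL-dump markers and the choice of email addresses as the PII marker are all assumptions made for the example; a real scanner would add national ID, payment card and phone patterns and validate its matches.

```python
import re

# Constructed sample "data estate" (path -> file contents); every name and
# address here is made up for the example and is not real data.
SAMPLE_FILES = {
    "hr/employees_2016.csv":
        "name,email,dob\nAnna Example,anna.example@example.com,1980-01-02\n",
    "finance/backup/customers_dump.sql":
        "-- MySQL dump 10.13\n"
        "INSERT INTO customers VALUES (1,'Ben Example','ben@example.org');\n",
    "shared/old/notes.txt":
        "Meeting notes, nothing personal here.\n",
    "marketing/leads_export.csv":
        "email\nANNA.EXAMPLE@example.com\n",
}

# Constructed sample access log (one 'key=value' record per line).
SAMPLE_ACCESS_LOG = [
    "user=hr.clerk dept=hr path=hr/employees_2016.csv action=read",
    "user=sales.rep dept=sales path=hr/employees_2016.csv action=read",
    "user=sales.rep dept=sales path=shared/old/notes.txt action=read",
]

# Email addresses stand in for PII in this example (an assumption).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Strings typical of SQL dump files; a hit marks a likely copy of a database.
DUMP_MARKERS = ("-- MySQL dump", "PGDMP", "INSERT INTO", "CREATE TABLE")


def classify(path, content):
    """Record what a single file contains: PII hits and dump-like markers."""
    emails = {e.lower() for e in EMAIL_RE.findall(content)}
    return {
        "path": path,
        "department": path.split("/", 1)[0],   # owning area = top-level dir
        "emails": emails,
        "database_dump": any(m in content for m in DUMP_MARKERS),
    }


def build_data_map(files):
    """The 'data map': one classification record per file in the estate."""
    return [classify(path, content) for path, content in files.items()]


def dump_locations(data_map):
    """Paths that look like copies or dumps of structured databases."""
    return sorted(r["path"] for r in data_map if r["database_dump"])


def locate_subject(data_map, email):
    """Every file holding a given data subject's address, across all sources,
    which is what an access or erasure request has to be answered from."""
    wanted = email.lower()
    return sorted(r["path"] for r in data_map if wanted in r["emails"])


def parse_access_record(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def cross_department_pii_reads(data_map, access_log):
    """Reads of PII-bearing files by users from a department other than the
    one that owns the file: a simple insider-threat / data-loss signal."""
    pii_files = {r["path"]: r["department"] for r in data_map if r["emails"]}
    flagged = []
    for line in access_log:
        rec = parse_access_record(line)
        owner = pii_files.get(rec["path"])
        if owner is not None and rec["dept"] != owner:
            flagged.append((rec["user"], rec["path"]))
    return flagged


if __name__ == "__main__":
    data_map = build_data_map(SAMPLE_FILES)
    print("database dumps:", dump_locations(data_map))
    print("files holding anna.example@example.com:",
          locate_subject(data_map, "Anna.Example@example.com"))
    print("cross-department PII reads:",
          cross_department_pii_reads(data_map, SAMPLE_ACCESS_LOG))
```

The point of the map is that the same records serve all three questions: where the risky copies are, which files a particular person's data lives in, and who is touching those files from outside the owning team. Note that the subject lookup is case-insensitive and finds the marketing export as well as the HR file; an erasure request answered from only one of them would leave a copy behind.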
Ultimately, the GDPR encourages organizations to improve their business culture by incorporating better transparency, accountability and responsibility in how personal information is collected, used and eventually expired. This requires a holistic view to information management involving people, processes and technology.
There will always be internal and external threats to mitigate, but if you use the GDPR as a springboard to improve your information management and data handling culture, your organization will be on track to become agile, compliant and in control.