The General Data Protection Regulation (GDPR) has the noble ambition of empowering EU citizens to control their personal data in response to new advances in technology and data capabilities. What that means in practice has been far from simple, and in the last 12 months, businesses have been in denial, reluctant acceptance of the legislation and have now been tasking their Legal teams with making sense of how GDPR will affect their specific business.
Jason Tooley, VP Northern Europe Veritas, shares his insight on where businesses are at with GDPR as well as providing a handy To-Do list for CIOs. Jason previously worked in senior leadership at Citrix and IBM, and has been heavily involved in transforming businesses in response to emerging technological innovation.
Where are organisations in terms of GDPR?
GDPR is not that far away. In different sectors there has been a real move forward in terms of maturity in how firms are preparing themselves. Most customers, 12 months ago, were saying ‘we think we need to do something, but we’re not entirely sure what GDPR means for us’. There was also a lack of understanding within IT and CIOs about the ramifications.
In the early part of this year, we saw board members, Compliance and Risk, take interest in GDPR and that put CIOs under pressure to come up with viable solutions. We’ve seen a change in mind-set, driven more from the business side of the board than within IT itself.
This title alludes to CIOs, but which department should be taking ownership of GDPR?
In many organisations it’s not clear who is responsible for data. In many lines of business, executives will look at the CIO, and the CIO will look right back at them – it’s very much cross-functional. The benefit of cross-functionality is that we’ve started to see people across the whole organisation building a culture of compliance and data governance. It’s no longer the CIO or Head of Legal who is dealing with GDPR, but a combination of departments.
Let’s assume that the designated owner of the GDPR function is the CIO. How would you go about compliance?
Firstly, whilst we talk about that cross-functionality, a Data Protection Officer is key to designate and structure the compliance process. From a CIO’s perspective, the strategy that they’ve had for managing data has really been to store; this strategy has been the same for 20-30 years. This strategy of storing information without classification or discovery, is contrary to GDPR as well as contrary to their customers from an Open Banking perspective.
CIOs are now thinking, how do I store it with better visibility – how do I automate the classification of the data? As we move closer to the GDPR deadline, CIOs will also look to emerging technology around that automation and classification, because there’s a recognition that the more holistic management approach is really crucial.
With a number of high profile cyber breaches it’s not only GDPR that is kicking them into action; CIOs investing more in data protection and information recovery capabilities.
We’re also seeing organisations rush to the cloud and cloud services. With multiple information, data and services supplied by any number of global cloud providers, I’m not sure it will make GDPR compliance easier. In fact, I think it adds significant complexity to how firms think of data management from a compliance perspective. The organisation ultimately remains the data controller.
A lot of the global cloud providers are designed and constructed for the masses and aren’t really bespoke in terms of contractual requirements and service level agreements – many organisations are finding that they are responsible for data and it resides on global cloud platforms how can they reconcile their compliance requirements with the contracts and service level agreements. That’s the real dichotomy.
Are organisations guilty of leaving GDPR compliance until the last minute?
I think that’s a fair assessment. There’s a lack of understanding around the complexity of meeting the requirements in a fairly complex and diverse IT world and an equally complex and diverse retail world with customers and their data.
There have also been calls for CEOs to have personal liability for data breaches and it becomes a more topical with each breach. Organisations will need to head into GDPR with the right intent rather than hoping that the regulators be lenient. Whenever you implement these type of regulatory requirements, someone is bound to be fined at some point to set an example. People have recognised now that GDPR is a regulatory requirement but I don’t necessarily think many organizations will be fully compliant by May 25.
What’s interesting is that I’ve begun hearing many organisations seeing GDPR as an opportunity. They’re talking about GDPR compliance in their annual reports for the benefit of their customers and shareholders around their own strategy. That’s big because the only previous visibility customers had vis a vis your data policy was when you were on the front page of the newspaper having just had a data breach.
This now creates a highly visible insight into an organisation’s compliance approach. What enterprises are starting to think about is how GDPR can become a differentiator between them and their competitors – i.e. their adherence and commitment to GDPR will get them business.
That management of information in a holistic way, whilst making organisations compliant, also adds value because you can build information-centric products that will be personalised for customers; richer, cleaner data.
How do you get more value from data if you have tighter rules around using that data?
First and foremost, this has been the challenge for legacy organisations; gaining greater visibility and classifying your data. Once you take a different approach to your data, such as the one GDPR is prompting, you can rethink the process of discovering and classifying information and more effectively sort the wheat from the chaff.
Just understanding the value and context of information is incredibly valuable for analysis whilst providing a more constructive approach as to which data should be stored in the future; you identify which data you need to store which ultimately leads to cleaner, more efficient data.
What is the Veritas To-Do list for CIOs in terms of GDPR compliance? What should CIOs be doing right now?
a) Locate The critical first step in complying with GDPR is gaining a holistic understanding of where all the personal data held by your organisation is located. Building a data map of where this information is being stored, who has access to it, how long it is being retained, and where it is being moved is critical to understanding how your enterprise is processing and managing personal data.
b) Search Residents of the EU can now request visibility into all of the personal data held on them by submitting a Subject Access Request (SAR). They can also request that the data be corrected (if factually incorrect), ported (to a suitable export format) or deleted. Ensuring that your organisation can undertake and service these requests in a timely manner is critical to avoiding GDPR penalties. You should be implementing technology to immediately give you greater visibility into existing data that allows you to discover and classify as well as implementing to manage information from an automated policy based approach.
c) Minimise Data minimisation, one of the main tenets of GDPR, is designed to ensure that organisations reduce the overall amount of stored personal data. This is done by only keeping personal data for the period of time directly related to the original intended purpose. The deployment and enforcement of retention policies that automatically expire data over time establishes the cornerstone of your GDPR strategy.
d) Protect Under GDPR, organisations have a general obligation to implement technical and organisational measures to show they have considered and integrated data protection into all data collection and processing activities.
e) Monitor GDPR introduces a duty on all organisations to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected. You should assure that you have capabilities in place to monitor for possible breach activity – such as unexpected or unusual file access patterns – and to quickly trigger reporting procedures.