Some businesses are keeping their heads in the sand, and others are fearful of what’s ahead. But the forthcoming GDPR regulations could, in reality, be a force for good.
On one hand, the new obligations threaten punitive fines for non-compliance, poor accountability and data breaches. The new rules apply to all organisations that deal with the personally identifiable information (PII) of EU residents. This covers both employees and consumers of the services they provide. These fines are also intended to be taken seriously, rising to 4% of annual worldwide turnover or €20m – whichever is higher. Consequently, weighing up the cost of prosecution versus the cost of compliance is no longer an option.
But on the other hand, the GDPR legislation gives organisations the impetus to raise their game. It’s the perfect time to strengthen their data management, and the privacy and protection they provide to this most critical of business assets. Moreover, better information governance, compliance and policy can help enterprises develop a more efficient digital transformation strategy. This will ensure a streamlined and focused journey with less of the information risk that pervades today’s clogged IT systems.
The average business has vast amounts of legacy digital data, growing on average by 39% a year. It is contributing to something that Veritas termed a “Databerg”. This comprises over 30% redundant, trivial or obsolete (ROT) data and over 50% dark data, whose contents are simply unknown to the organisation.
This inefficient use of data stores has so many business disadvantages. Unnecessary storage and management costs are just the start. If you do not know what data you have, where it resides or who has access to it, how can you protect it or be compliant?
The GDPR mandates greater responsibility for, and transparency about, the personal data organisations hold. Not knowing what is in your data estate could not only lead to a potential fine but also exposes you to reputational damage from data leaks or breaches. Seen positively, the GDPR is driving businesses to be better custodians of the personal data they retain.
There are also operational implications. Having poor visibility into, and insight about, your key information assets slows down the day-to-day ability to respond to search requests. This especially applies to requests from data subjects invoking their enhanced rights to correction, porting or even erasure of their own PII under the GDPR’s “Right to be Forgotten”.
The solution to these problems is often seen as a long and tortuous route, especially when you consider the billions of objects and files an average organisation has amassed over the years. But it does not have to be this way. The GDPR is leading businesses to focus on ‘data’. This focus is the key to solving the visibility and insight problems that are the starting point of the journey to compliance.
Being able to create real-time data maps of the operating environment can help pinpoint where sensitive data reside, especially copies and dumps of structured databases. Understanding who is accessing key departmental information can highlight the risk of insider threat and flag a potential data loss. And being able to search across multiple sources to locate data subject information, and respond to subject access requests, turns your information into an asset, not a liability.
Ultimately, the GDPR encourages organisations to improve their business culture by incorporating better transparency, accountability and responsibility in how personal information is collected, used and eventually expired. This requires a holistic view of information management involving people, process and technology.
There will always be internal and external threats to mitigate. But if you use the GDPR as a springboard to improve your information management and data handling culture, your organisation will be on track to become agile, compliant and in control.