At present, many organizations around the world have the EU General Data Protection Regulation (GDPR) in view. They know that wherever they are based, it applies to them if they offer goods or services to individuals in the EU or monitor their behaviour. And they know that failing to meet the May 2018 deadline can cause serious harm: not only hefty fines and litigation costs, but also widespread business damage from a tarnished reputation.
Clearly, non-compliance with the GDPR is a real threat to the future of many organizations. On the other hand, personal data has tremendous value, and properly managed it can create a significant competitive advantage. Let's look at the steps you can take to achieve GDPR compliance and, while you're at it, position yourself to gain an edge over competitors.
An action plan for your journey to GDPR compliance
The GDPR gives every individual in the EU (the data subject) the right to know and decide how their personal data is collected, used, stored, protected, transmitted and deleted. Implementing it will affect your entire organization. You will need to go back to the drawing board and reconsider how personal data is handled from its source to the point of consumption, and how your data governance and data management frameworks support the GDPR's requirements.
Take the right approach to GDPR compliance
While this may sound overwhelming, there are ways to make compliance more manageable. Here are five steps to help you on your journey to GDPR compliance.
- Access. The first step towards GDPR compliance is to gain access to all your data sources. Whatever the technology, traditional data warehouses or Hadoop clusters, structured or unstructured data, data at rest or data in motion, you need to discover and review what personal data is stored and used across your data landscape. Seamless access to every data source is a prerequisite for building a personal data inventory, so that you can evaluate your exposure to privacy risk and enforce corporate privacy rules. You cannot rely on common knowledge or assumptions about where personal data is likely to be. The regulation requires you to demonstrate that you know where personal data is, and where it is not.
- Identify. Once you have access to all data sources, the next step is to inspect them to identify what personal data each one holds. Personal data is often buried in semi-structured or free-text fields, so you must be able to parse these fields to extract, categorize and catalog personal data elements such as names, email addresses and social security numbers. Given the volumes involved, this cataloging cannot be a manual process. You not only need to detect and classify personal data, you also have to cope with varying data quality: pattern recognition, data quality rules (for example a checksum that rejects digit runs that merely look like identifiers) and standardization are key elements of this step. Having the right tools for the job will make a big difference to your ability to meet the May 2018 deadline.
- Govern. Gaining control over personal data starts with being able to define what personal data means and then sharing that definition across your organization. For GDPR compliance, privacy rules must be documented and shared across all business areas. This is how you ensure that personal data can only be accessed with the appropriate authorization, based on the nature of the personal data, the rights granted to user roles and the context of use. To achieve this, roles and definitions must be set out in a governance model. You can then link business terms to physical data sources and establish data lineage from the point of creation to the point of consumption. This gives you the required level of control.
- Protect. Once the personal data inventory and governance model are in place, it is time to set the right level of protection for the data. To comply with the GDPR, you can draw on three techniques: encryption, pseudonymization and anonymization. Apply the appropriate technique based on the user's rights and the context of use, without compromising your growing needs for analytics, forecasting, queries and reporting. Note that pseudonymized data is still personal data under the GDPR, because it can be re-attributed to a person using the separately held key or lookup table; only genuinely anonymized data falls outside the regulation. In fact, the simplest form of protection is the delete button: keep only the data you need to run critical business processes and value-adding analytics, and nothing more.
- Audit. The fifth step of your journey to GDPR compliance is auditing. At this point, you should be able to produce reports that clearly show regulators that:
– You know what personal data you have and where it is located across your data landscape.
– You properly manage the process of obtaining consent from the individuals concerned.
– You can show how personal data is used, by whom and for what purpose.
– You have the right processes in place to handle matters such as the right to be forgotten (erasure), data breach notifications and more.
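The Identify and Protect steps above, and the inventory that the Audit step reports on, can be tied together in a small scanner. The Python below is an added example written for this page, not code from the original article or from any vendor's product: it runs pattern recognition over a constructed set of records with personal data buried in a free-text field, applies a data quality rule (the Luhn checksum) so that order numbers are not misreported as card numbers, replaces what it finds with keyed pseudonymous tokens, and produces the per-category inventory. The record values, the US-format SSN pattern, the three categories covered, and the key (which in practice would come from a key management service kept separate from the data) are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed sample records: personal data buried in a free-text field.
# All values are made up for this example.
SAMPLE_RECORDS = [
    {"id": 1, "notes": "Customer jane.doe@example.com, SSN 123-45-6789, prefers email"},
    {"id": 2, "notes": "Refund to card 4539 1488 0343 6467; contact bob@example.org"},
    {"id": 3, "notes": "Ticket closed, no further action"},
    {"id": 4, "notes": "Order ref 1234-5678-9012-3456 shipped"},  # card-like, fails Luhn
]

# Pattern recognition for the categories in scope (assumption: US SSN format).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits, optionally separated by spaces or dashes, never ending in a separator.
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Data quality rule: a card-like digit run must pass the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_personal_data(text: str) -> list[dict]:
    """Identify: return each personal data element with category, value and position."""
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if category == "card_number":
                value = re.sub(r"[ -]", "", value)  # standardize to bare digits
                if not luhn_ok(value):
                    continue  # reject order numbers and other look-alike digit runs
            hits.append({"category": category, "value": value,
                         "start": m.start(), "end": m.end()})
    return sorted(hits, key=lambda h: h["start"])


def pseudonymize(value: str, category: str, key: bytes) -> str:
    """Protect: deterministic keyed token (HMAC-SHA256) standing in for the value.

    Unlike a plain hash, the token cannot be recomputed from a guessed value
    without the key, so the key is the 'additional information' that must be
    kept separately from the pseudonymized data.
    """
    mac = hmac.new(key, f"{category}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"<{category}:{mac[:16]}>"


def process_record(record: dict, key: bytes, field: str = "notes") -> tuple[dict, list[str]]:
    """Return a copy of the record with personal data replaced by tokens,
    plus the categories found (the per-record entry for the inventory)."""
    text = record[field]
    hits = find_personal_data(text)
    for h in reversed(hits):  # replace right to left so earlier offsets stay valid
        text = text[:h["start"]] + pseudonymize(h["value"], h["category"], key) + text[h["end"]:]
    return {**record, field: text}, [h["category"] for h in hits]


def build_inventory(records: list[dict], field: str = "notes") -> dict[str, set[int]]:
    """Audit: which record ids hold which categories of personal data."""
    inventory: dict[str, set[int]] = {}
    for rec in records:
        for h in find_personal_data(rec[field]):
            inventory.setdefault(h["category"], set()).add(rec["id"])
    return inventory


if __name__ == "__main__":
    # Assumption: in production this key is fetched from a KMS and never stored with the data.
    key = b"hypothetical-key-held-separately"
    for rec in SAMPLE_RECORDS:
        safe, categories = process_record(rec, key)
        print(rec["id"], categories, safe["notes"])
    print(build_inventory(SAMPLE_RECORDS))
```

Two design points matter here. The tokens are deterministic, so the same email address maps to the same token in every system that shares the key, which keeps joins and counts working for analytics; if linking records across datasets is itself a risk, use a different key per dataset. And because the tokens are keyed, a list of candidate addresses cannot be hashed to reverse them, which is the weakness of pseudonymizing with an unkeyed hash. Either way the output is still personal data under the GDPR while the key exists, so the key store, not the token, is what needs the strongest access control.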
From GDPR compliance to risk management as a whole
Being able to produce detailed reports on personal data use is not simply a GDPR requirement; it helps you manage your company's overall risk exposure around data protection. The five steps outlined here can guide you as you put in place the technologies, processes and people needed to achieve GDPR compliance and manage risk as a whole. Doing so can also strengthen your business, build deeper bonds with customers and spur innovation with positive, far-reaching consequences for future growth.