4 Keys to Ensure Your Organization is GDPR-Ready

In just over a year, the EU General Data Protection Regulation (GDPR) will go into effect on May 25, 2018, establishing privacy rules across all EU countries. The intent behind the GDPR is to give EU citizens more control over their personally identifiable information (PII) and how their information is used by organizations. Companies found in violation of the policy face hefty penalties and can be fined up to 20 million euros, or 4 percent of their worldwide revenue.


The regulation’s impact will also ripple across the pond, as any U.S. or global organization that possesses data from an EU resident must adhere to GDPR’s rules. For example, if Nordstrom wants to continue selling sweaters to Paul in Germany, the retail chain will need to make sure it is GDPR-compliant before May 2018.

As organizations come up against the GDPR’s deadline and other regulations, there are four steps they can take to reduce and remove the complexity that comes with complying with requirements of this kind.

  1. Align business and IT teams. First things first, it’s critical that business and IT stakeholders come together and devise a big-picture plan that diagrams where all data will reside, while also depicting the whole data life cycle. Once a map is created that’s as detailed as possible, the next step is to identify processes and process owners/administrators in order to understand and categorize the different data. Uniting business and IT is key. Too often the responsibility of overseeing data management falls squarely onto the shoulders of the IT department, while the business side amasses a large amount of data that must also be accounted for. IT may know where a specific data stream resides now or where it enters, but only the business team will have insight into how this data will change over time.
  2. Invest in tracking tools. Once the data infrastructure has been broken down to the most granular level, you’re ready to move onto deploying intelligence tools. Attempting to do so without a clear understanding of how data flows throughout an organization – whether it’s a data lake or consolidation play – simply won’t suffice. Tools and intelligence should be implemented to help track the lineage of the data. As data is acquired through different sources, it’s imperative to have the correct software in place to help you keep track of every piece of information that enters and moves throughout your organization. The software will be able to record the various stages of transformation, usage and its final resting place. If you don’t currently have a tracking tool installed, there are a number of data management software options available.
  3. Consolidate, consolidate, consolidate. Organizations should consolidate as much as possible by centralizing, eliminating silos and removing multiple backup copies and multiple retention storage units. One of the major benefits of consolidation is the potential to discover and put to use many diverse and previously unknown data sources for applications such as AI and analytics. In terms of copies, one is the magic number companies should strive for – one copy makes tracking data and its movement through the organization much easier. By implementing a solid consolidation effort and removing data redundancies, you will save both the operational costs and the capital expense associated with maintaining multiple storage environments. On top of that, you remove levels of complexity, making it easier to adhere to data privacy regulations.
  4. Don’t turn your back on backups. Making sure to back up data also plays a critical role in your overall protection policy. Regardless of regulations, backups help mitigate the damage from ransomware attacks, storage errors and other potential crises. As with any other data, the appointed data steward should know where backups reside, encryption should be applied to them, and the applications tracking lineage should have visibility into your backup and recovery processes.

Finally, one of the most interesting takeaways from the GDPR is that it forces companies to adopt a privacy-by-design approach. By requiring that the data protection layer be designed into all technology platforms and software as they’re developed, as opposed to being bolted on afterwards, the EU is ensuring that organizations have thought about the process from the outset.

Although this may seem like one more hoop to jump through, privacy by design has the benefit of allowing organizations to effectively scale as more data sources are added and the environment becomes more complex. It also provides much-needed insight into an organization’s security practices, allowing it to identify limitations and where it can go next architecturally.

The issue of consumer privacy in the digital age is not going away anytime soon. Organizations must take more proactive measures to prevent data breaches and secure their networks. Ultimately, both consumers and businesses have much to gain from regulations such as the GDPR. Consumers will enjoy more autonomy and security infrastructures will be strengthened overall.