If companies understand just one message between now and when the EU’s General Data Protection Regulation comes into force next year, that message is simply this: Clean up your data.
A significant aspect of GDPR compliance requires greater oversight of where and how companies store and transfer personal data, as well as how they monitor and audit it. Companies that do not have a firm grasp on where to locate their employee and customer data simply will not be able to comply with GDPR.
“GDPR poses many challenges, but it also has the potential to result in opportunities around the use of data in an organization,” says Jitesh Ghai, general manager of data quality and governance at software company Informatica. “It’s an opportunity for organizations to take a holistic and automated approach to governance and compliance to help maximize their competitive advantage.”
Actions that help with GDPR compliance efforts also result in good data management, Ghai adds. These include:
Defining organizational policies and key stakeholders;
Implementing policies and ensuring they are being followed;
Ensuring sensitive data is protected and access is controlled for authorized personnel and use cases; and
Managing data subjects and in-scope data for EU residents and tracking whether they’ve given consent to use their data, market to them, and more.
GDPR also includes a “right to be forgotten” clause, which requires companies to scrub personal records from all company systems upon an individual’s request. The company must then be able to prove that the information has been deleted permanently.
Under GDPR, individuals may request that their personal data be erased “without undue delay” when it’s no longer needed for the purposes for which it was collected or processed, or if individuals withdraw consent or objects to the processing, and there are no legitimate or lawful grounds for retaining the data. “If they’ve taken consent away, then companies need to purge the data they have on them,” Ghai says.
The GDPR also establishes a right to data portability, allowing individuals to request, where technically feasible, that data controllers (those who collect and own the data) transfer personal data to another service provider. Putting processes in place for meeting these requirements is also important: How will those requests be received? Who will be tasked with responding to those requests? How will personal data be erased following such a request?
“GDPR poses many challenges, but it also has the potential to result in opportunities around the use of data in an organization.”
Jitesh Ghai, General Manager, Data Quality and Governance, Informatica
The trouble in satisfying GDPR mandates is that most data a company collects on its employees and customers does not generally reside in one system, but rather on various isolated systems and databases across multiple departments and geographic regions. Consequently, most personal data a company stores often is redundant, obsolete, or serves no business purpose. Worst of all, the company may be storing personal data that it doesn’t even know exists.
That being said, a first step toward GDPR compliance is to locate and gather the data itself—both structured and unstructured data. Many companies are still too focused on analyzing their structured data stores, such as accounting and HR-type systems, “but, unfortunately, I think a lot of companies are forgetting about their unstructured data stores,” says Linda Sharp, associate general counsel at ZL Technologies.
Unstructured data is not indexed, meaning its content is inherently unknown—such as data generated by e-mails, file shares, SharePoint sites, social media, and more. Generally, unstructured data stores are not aligned with the company’s record retention policies, if one is in place, creating additional legal risk.
“Some of the biggest black holes are going to be the file shares and SharePoint sites,” Sharp says. That’s the data that companies need to worry about the most, she says.
The vast troves of data a company collects necessitates the adoption of a solution with the ability to migrate or index a company’s unstructured data into a structured database, such that all personal data can be indexed and be easily searchable to meet the requirements of the GDPR. There are many options on the market.
ZL Technologies, for example, offers solutions that enable companies to tackle GDPR compliance by locating personally identifiable information across file share systems, SharePoint sites, e-mail, and more. Metadata (data about data) and content analysis then enable companies to identify and tag files for deletion, access privileges management, retention policy coordination, and production for subject-access requests.
Master Data Management. Once a company has located and gathered its structured and unstructured data into a searchable format, it can more easily get a better sense of what personal data it holds, and for what purposes. To this end, another common buzzword around GDPR compliance is the concept of Master Data Management (MDM).
Gartner defines MDM as a “technology-enabled discipline in which business and IT work together to ensure the uniformity, accuracy, stewardship, semantic consistency, and accountability of the enterprise’s official shared master data assets.”
“The ability for any organization to have a master record of customer is paramount to being able to comply with GDPR,” says Michael Hiskey, chief marketing officer at Semarchy, an MDM solutions provider. “Companies that are doing good master data management probably shouldn’t be that concerned about GDPR.”
Data security is another important element of data management for the sake of satisfying GDPR compliance. “Good data management requires you to think about how you manage personal information, but also how you securely manage the infrastructure that supports that data,” says Paul Turner, chief marketing officer at software company Scality.
Recent analysis conducted by Gartner states that the GDPR is creating renewed interest in the information-security market, which is expected to drive 65 percent of data-loss prevention buying-decisions through 2018.
Data governance. It is important to keep in mind that GDPR compliance is an iterative process, not a once-and-done activity. Any technology a company chooses to adopt should be complemented by a robust and sound data governance strategy.
Determining who has ownership of the data and who is responsible for maintaining it, for example, is an important element of GDPR compliance. “It is definitely worthwhile to assign someone as your data manager to look at how data will be managed, along with the privacy rules,” Turner says.
Also, consider creating an internal taskforce, made up of stakeholders from across the business—management, IT, security, legal, compliance, marketing, HR, and finance—and across geographies to map all employee and customer data. GDPR readiness should be a large-scale, cross-functional, compliance project that requires the time and investment of all key functional areas.