Chances are your business is among the 80% of companies that Forrester says won’t comply in time. The truth is, technology media have documented a staggering lack of readiness from all quarters.
Of the data professionals we queried, 55% haven’t started moving on the problem. 60% can’t even confidently explain all that GDPR encompasses. And these are data professionals — the people who should know.
Global carmaker Honda and European airline Flybe were even fined by the UK Information Commissioner’s Office for emails they sent asking customers to confirm their marketing preferences in preparation for GDPR; the emails themselves breached existing electronic-marketing rules, which goes to show how complex achieving compliance can be.
The GDPR’s territorial scope provisions in Article 3 state that the regulation applies to the processing of personal data (data relating to an identifiable person, whom the regulation calls the data subject; this article uses “subject data” as shorthand) in the context of an establishment in the EU, and to processing by organisations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. In other words, if you have EU-based customers, you’re bound by GDPR wherever you are based.
So it’s no surprise to see vast armies of vendors sprouting up (or relabelling current solutions) to deliver the processes and technologies that GDPR now calls for, such as encryption and pseudonymisation, which Article 32 names as appropriate security measures.
But most of these solutions are limited in what they can accomplish because they’re not addressing a crucial question: how can you properly govern and secure your data if you don’t know what or where your data is?
While your typical data governance tools can tell you what kinds of data should be considered sensitive, they assume you already know where that data resides, which is not usually the case. Other tools work at the data security and storage level, and they’re very good at helping you lock down or manage sensitive data, but they suffer from the same problem.
They don’t tell you:
• Where GDPR-regulated data is located or how much you have
• Where the data came from, where it’s going, why it was collected and for what business purpose it is being used
• How to identify, report and control new GDPR-regulated data as it comes in
So how are organisations reacting to the problem? By locking down large swaths of data, quarantining it and severely limiting who has access to it. But treating all data as regulated by GDPR means business analysts must submit formal access requests to understaffed groups, which can take weeks if not months to approve. So sure, you can say the data you’re putting to work is GDPR-compliant, but how valuable can it be if most of it is locked up?
Even then, organisations are falling short, particularly around the GDPR’s “right to be forgotten” (the right to erasure in Article 17), which requires organisations to erase subject data on a number of grounds, including when it’s no longer necessary in relation to “the purposes for which they were collected or otherwise processed.” Locking data down is not erasing it: data kept beyond its purpose remains a breach no matter how tightly access is controlled. So if an organisation decides to simply lock down the data it has on European residents, it is almost guaranteed to have taken itself out of compliance and can be penalised (up to €20M or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher).
To support GDPR in a way that doesn’t disrupt the organisation’s use of data or its compliance, businesses must identify all personal data elements and their location across all data stores.
How can you manage the lifecycle of customer data if you don’t know what data you store? Additionally, how can you “forget” someone if you don’t know where their data is located in the first place?
Many companies have been keeping track of their most critical systems but lack a comprehensive catalog of all their data, including development, test, production, data warehouse, and backup systems.
In fact, on average they only know about 10 to 20% of their total data estate. This lack of knowledge around data lineage also gets in the way of the organisation’s ability to pseudonymise or mask subject data (a security measure the GDPR expressly calls for) and to maintain the records of processing activities that Article 30 requires. Those records must cover categories such as recipients of personal data, transfers of personal data to a third country or an international organisation, and the processors who handle data on behalf of the organisation.
In desperation, some enterprises are turning to attestation to fill the knowledge gap – they ask employees to attest to the presence or absence of subject data in the systems that they are responsible for.
Unfortunately, given the low levels of knowledge about the data estate, attestation without verification creates vast opportunities for non-compliance, putting individual employees at risk while failing to protect the enterprise from fines.
The only way an organisation can ensure compliance with GDPR is to include in their vendor mix companies that can help them identify, tag, and catalog subject data and its lineage, as well as track the business purpose for which the data was collected and used. Visibility is a must along with a strong data governance program.
Given the variety and volume of data that is sure to exist, a level of automation is also required. Otherwise, the entire project will become bogged down by manual tagging and review processes that simply won’t be able to keep up. With GDPR right around the corner, who has the time?
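As an added example (not part of the original article and not any vendor’s product), the Python below shows what the automated discovery and cataloguing described above looks like in practice. It scans several constructed data stores (a production table, a test fixture copied from it, an application log and a backup) for personal-data elements, counts them per store and category to answer “where is the regulated data and how much of it is there”, and answers an erasure request by locating every place a subject’s email address appears, including the backup copy where it was stored with different capitalisation. The store names, records and log lines are constructed sample data; the detector patterns are deliberately small, and the hashing key is a placeholder that a real deployment would keep secret outside the catalog.

```python
"""Automated personal-data discovery across several constructed data stores.

Added example, not the article's own code. Store names, records and log lines
are constructed sample data; detector patterns are illustrative, not complete.
"""
import hashlib
import hmac
import re
from collections import Counter

# Shapes of personal-data elements that can be recognised inside any string value.
VALUE_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}[ -]?\d{2,4}[ -]?\d{3,4}[ -]?\d{3,4}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
# Column names that mark personal data even when the value has no telltale shape.
NAME_HINTS = {"dob": "date_of_birth", "date_of_birth": "date_of_birth",
              "full_name": "name", "first_name": "name", "last_name": "name"}

# Assumption: a secret held outside the catalog in practice, not a literal. Values are
# stored as keyed hashes so the catalog does not become a second copy of the PII.
CATALOG_KEY = b"example-catalog-key"


def fingerprint(value: str) -> str:
    """Keyed hash of a normalised value; lets subjects be matched without keeping raw values."""
    return hmac.new(CATALOG_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def classify(field: str, value) -> list:
    """Return (category, matched_text) pairs found in one field of one record."""
    value = value if isinstance(value, str) else str(value)
    hits = [(category, m) for category, pattern in VALUE_PATTERNS.items() for m in pattern.findall(value)]
    category = NAME_HINTS.get(field.lower())
    if category and value:
        hits.append((category, value))
    return hits


def scan_stores(stores: dict) -> list:
    """Walk every record in every store; each hit becomes one catalog row (store, record, field)."""
    catalog = []
    for store, records in stores.items():
        for idx, record in enumerate(records):
            # Structured rows are scanned field by field; free-text lines as a single field.
            fields = record.items() if isinstance(record, dict) else [("_line", record)]
            for field, value in fields:
                for category, matched in classify(field, value):
                    catalog.append({"store": store, "record": idx, "field": field,
                                    "category": category, "fingerprint": fingerprint(matched)})
    return catalog


def inventory(catalog: list) -> Counter:
    """Where regulated data lives and how much: hit counts per (store, category)."""
    return Counter((row["store"], row["category"]) for row in catalog)


def locate_subject(catalog: list, identifier: str) -> list:
    """Access/erasure request: every location where a known identifier of the subject appears."""
    fp = fingerprint(identifier)
    return sorted({(r["store"], r["record"], r["field"]) for r in catalog if r["fingerprint"] == fp})


# Constructed sample data: note the production row copied into a test fixture and a backup.
SAMPLE_STORES = {
    "prod.customers": [
        {"id": 1, "full_name": "Ana Ruiz", "email": "ana.ruiz@example.com", "phone": "+34 600 123 456", "dob": "1984-03-02"},
        {"id": 2, "full_name": "Tom Lee", "email": "tom@example.org", "phone": "", "dob": "1990-11-30"},
    ],
    "test.fixtures": [
        {"id": 1, "full_name": "Ana Ruiz", "email": "ana.ruiz@example.com", "phone": "+34 600 123 456", "dob": "1984-03-02"},
    ],
    "prod.app_log": [
        "2018-04-02T10:15:03Z INFO login ok user=ana.ruiz@example.com ip=203.0.113.9",
        "2018-04-02T10:16:44Z WARN password reset requested for tom@example.org",
    ],
    "backup.customers_2017": [
        {"id": 1, "full_name": "Ana Ruiz", "email": "ANA.RUIZ@example.com", "phone": "+34 600 123 456", "dob": "1984-03-02"},
    ],
}

if __name__ == "__main__":
    catalog = scan_stores(SAMPLE_STORES)
    for (store, category), n in sorted(inventory(catalog).items()):
        print(f"{store:24s} {category:14s} {n}")
    print("erasure targets for ana.ruiz@example.com:", locate_subject(catalog, "ana.ruiz@example.com"))
```

The catalog records only where a hit was found and a keyed hash of what it was, so it can drive an erasure request or an Article 30 inventory without itself becoming another store of personal data; the same scan run on a schedule is what keeps newly arriving data (the third gap in the list above) from going untracked.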