By Olivier Van Hoof, pre-sales manager, UK, Collibra
Mid-summer is traditionally a slow period in business activity whilst everyone has a chance to rest and recharge the batteries in time for the pre-Christmas rush. For those of you who are responsible for data within your organisation, this quiet period is most likely taken up with ensuring your organisation is taking the right steps to achieve compliance with GDPR in time for the May 2018 deadline. Now is the time to take stock and make sure you have a clear view on what individually identifiable data you hold and what you are doing with it and ensure you have policies in place, aligned with GDPR, to govern that data.
Those in financial services have a slight advantage over other sectors, in some respects, as they are used to adhering to a myriad of rules and regulations in order to do business. Other sectors such as retail or media could struggle, as they are not as experienced in handling complex regulations and regulators. However, there is still time to create and implement a thorough GDPR-compliant data governance programme. Do not be complacent and do not underestimate the effort required to comply with the regulation. The intricacies involved in GDPR, such as the updating of privacy laws that were drafted in an age when the internet did not exist, are one of the reasons it is a much-needed regulation. Here we examine some of the best ways to approach GDPR and what should already be happening.
Anyone would be forgiven for having stuck their head in the sand in the lead-up to May 25th 2018. The enforcement deadline has seemed a long way away, but with less than a year to go, it is now critical to ensure readiness.
One of the many operational issues any organisation will have to deal with once GDPR comes into effect is the individual's right to ask where their data is, how it is being stored and how it has been used. From a data governance point of view, many businesses are not ready to meet these requests for data access. As legacy IT has been updated, cloud solutions implemented and acquisitions made, most organisations find themselves with multiple, disparate data repositories, which makes it very difficult to view one person's entire data landscape within an organisation. Beyond legacy systems, there is also the very real problem of Shadow IT (many analysts estimate it at anywhere between 30-50% of IT spending), which is by definition not governed and in many instances will contain individual data relevant in the GDPR context. Organisations need to take control, and this is where the need for tools to simplify the process arises. One area of focus in tooling for GDPR is data mapping, which is fast growing in popularity as it provides transparency into the individual data in the organisation's landscape and can provide context for that data within GDPR.
As with any large-scale programme, it is vital to understand what 'good' looks like and what a successful end goal is. Some of the basics include a thorough data governance programme, an understanding of what data will be used for, established best practices and regular auditing to prevent data breaches, losses or leakage.
A universal goal for every organisation is a process for reporting a breach: as of next May, organisations of all sizes will have 72 hours in which to report a breach to the local data protection regulator. Fines for non-compliance are as steep as 4% of total revenue or €20 million, whichever is greater. Above and beyond the regulator's fines, it is the reputational impact of a data breach that acts as a significant driver. Considering headlines such as the Talk-Talk hack and the resulting loss of customers, share price and standing, it is easy to see how losing customer trust can have a significant impact on a business. It is up to the data compliance officer, or whoever has responsibility for data use and movement within an organisation, to map out what 'good' looks like and determine a way to achieve that end goal which is GDPR compliant.
Many organisations currently view GDPR as a box-ticking exercise and a regulatory burden rather than an opportunity to build customer trust. The age in which big business could treat consumer data as its own property without any consideration for the individual is gone. GDPR represents an opportunity to build better internal processes and reassure customers that a company is storing and handling their data appropriately. The regulation should force organisations to re-examine how much data they are collecting and drive the streamlining of that data process. Only collect and hold what you need, which in the GDPR context is privacy by design.
We expect to see the collection of data change as regulations around its purpose are established and processes become more efficient. Ultimately, a level of transparency will build customer confidence that their data is being used and stored appropriately. This will bring multiple benefits: happier customers, a stronger stock price and a better market reputation.
Time to implement
Regardless of where an organisation is on its journey to GDPR compliance, this calm mid-summer period is a good time to take stock and ensure everything is in hand ahead of the May 2018 deadline. While the finance sector has an advantage, it is vital for all impacted organisations to understand how ready they are and develop a thorough map of what data is stored where, and how that data is being used. Consider implementing tools to carry this administrative burden as this will speed up and simplify the process.
It is vital to understand what the end goal is: what does a good, GDPR-compliant programme look like for each organisation? It will be different for everyone, depending on what data is stored and how and where it is stored. Each step taken towards GDPR compliance will help organisations to build and nurture customer trust. GDPR compliance should not be viewed as a tick-box exercise, but as a way to develop a thorough understanding of your data landscape and security needs, and of how best to serve your customers.