May 25 2018 will see the General Data Protection Regulation (GDPR) legislation come into effect.
Organisations will by now be more than aware of the penalties – 4% of annual turnover or €20 million (£17.3m), whichever is greater; if not, take this as your final warning – but how are companies reacting to it?
Keyrus is a data intelligence and master data management (MDM) provider. The company has been putting its message out there at various events – including at the Information Builders Summit in London this week, with another at IBM at the end of the month – on how organisations need to protect themselves and what they can do about it.
Santiago Castro is head of business analytics at Keyrus’ UK practice. He explains that while each company is different in its requirements, there are other issues at play.
“You would like to have a one size fits all type solution, but one of the main points of GDPR is to understand what the purpose is of holding data and processing data,” he says. “It also depends on what your contractual situation is with your customers; some customers agree or allow organisations to hold data for these purposes while others don’t have that agreement.”
Naturally, with the anniversary looming some organisations have put together a few best practice ideas of their own. Skyhigh Networks, for example, issued a new eBook, titled ‘The GDPR: An Action Guide for IT’ earlier this week. The cloud access security broker (CASB) offers companies the chance to assess their GDPR ‘risk’ rating, as well as advanced encryption for structured and unstructured data.
Keyrus puts together a seven-step methodology for customers: first understand what is needed, assess the gaps that need to be filled for compliance, then look at the risks, plan what needs to happen first, and move on from there. It’s ‘awareness to assessment to prioritising to planning to implementation’, as Castro puts it.
Sheila Fitzpatrick, chief privacy officer at NetApp, puts it this way. “Companies of all sizes need to take an active look at what data they hold, what they use it for, and where it’s stored,” she said. “They can then use this insight to conduct a comprehensive review of data privacy policies, consents, processes and so on to ensure they are meeting the minimum legal requirements.” Castro adds that in some cases, consent from customers will suffice.
The key, however, is to treat GDPR not as a potential disaster looming on the horizon, but as an opportunity. “I often try to see it more as an opportunity than as a pain or cost,” says Castro, “because if you actually understand data assets, they can get more valuable, so this is an investment to do something with the data you hold.”
This is backed up by Rogelio Aguilar, senior consultant at Sungard Availability Services. “Businesses should approach the next year as a great opportunity to drive increased value,” he said. “A correct GDPR implementation will help businesses manage data privacy risk, implement good record management practices, streamline business processes, increase resilience as well as benefit from cost savings and ultimately a more competitive market position.
“To take advantage of these opportunities and mitigate risk, senior management must champion GDPR as a strategic initiative.”