Companies are grappling with how to become compliant with the European Union’s new General Data Protection Regulation (GDPR) which outlines privacy and data protection requirements for the handling of EU citizens’ personal data. Rex Ahlstrom, chief strategy and technology officer at BackOffice Associates, a provider of information governance and data stewardship solutions, discussed what’s at stake, how to start, and why working toward GDPR compliance can present long-term benefits.
GDPR has been likened to Y2K because of the specific deadlines and the risk presented, but unlike Y2K, long after GDPR’s implementation (May 25, 2018), many companies still won’t know if they are in the clear or have a big problem.
Rex Ahlstrom: Completely agree. We did a webinar recently and drew questions from the live audience. The largest percentage of attendees indicated that they were still trying to figure it out, which is not unusual. There were companies that are not based in Europe, weren’t sure if it applied to them, didn’t quite understand the breadth of the compliance regulation, and now are trying to figure out what they are going to do.
Gartner has said that up to 50% of affected companies will not be in full compliance by the end of 2018, and Forrester said in its January 2018 “State Of GDPR Readiness” Report that only 30% of surveyed companies globally were fully GDPR-compliant.
Ahlstrom: I am surprised it is even that high to tell you the truth. It is probably led by more Europe-centric businesses. Depending on their risk analysis, some may say that it is lower cost to not over-rotate on this now. It will prove itself out in the courts I think more than it will in companies’ implementation of GDPR solutions.
What will be the most difficult aspect of GDPR?
Ahlstrom: I was at the Gartner Data & Analytics Summit in London recently and we brought in an expert on GDPR who was a “solicitor”—a “lawyer” to Americans—to talk about his views on GDPR. He made an interesting point that the immediate flashpoint that most people look at, and is quoted over and over again, is the fines. They are substantial—4% of the gross revenue of a company, and a company could be fined up to that per incident. But, he thought that there would be less really coming through on the fine side.
How so?
Ahlstrom: He thought that the commission is going to be somewhat lenient with businesses because it understands that they are trying to get their arms around their strategies and become compliant. But, what could overwhelm businesses is all of the requests that may come in. With the new regulation, any EU citizen can go and make a request at no cost, and that may generate the right to rectification. They have the right to make sure that the information is accurate, not necessarily removed. And, then they also have the right to be forgotten, making sure that it is removed from systems.
What will this entail?
Ahlstrom: Regardless of a company’s policy and strategy around GDPR, and its knowledge of what is in its systems, the required level of governance and control at most companies is not mature. If 100,000 requests came in, are the people responsible for that information going to be able to respond within the timeframes that are part of the regulation? That may be the bigger impact to businesses in the short term than the fines.
How can companies prepare?
Ahlstrom: GDPR presents an opportunity to actually look at information as an asset and to understand that the data may be more valuable than even the applications companies are running that data on because it informs about customers, products, profitability—everything. If GDPR gets executives motivated because of the threat of fines to actually start implementing an information governance strategy, then they will benefit long-term—not only in compliance with GDPR—but in actually starting to manage that information to deliver value back to the company.
Are there some companies that are in a better position to do that?
Ahlstrom: One way to think about it is to look at the maturity level of an organization as it relates to information governance. I don’t just mean master data management [MDM], but companies that have a mature approach to information governance most likely are going to be in a much better position to handle the regulation because, long before GDPR, they had already focused on Customer 360 and understanding what they know about their customers and how clean the data within their applications is, and how much of it they master, or control certain fields of, to make sure they have one version of the truth in terms of what those customers represent.
How does this go beyond MDM or Customer 360?
Ahlstrom: Just about anything could be considered personal information under the GDPR versus what is traditionally thought of, such as a name, Social Security number, or address, so companies that were already trying to get a handle on understanding data across their organization are naturally going to have a better understanding of what they need to do to become compliant.
How are companies initiating the process?
Ahlstrom: Many companies are starting by developing their GDPR strategy and policies, and working with lawyers and compliance and risk analysis people rather than the data or technology. This is because, early on, the commission will most likely look at a company that has had a compliance failure and consider whether it is implementing all the right practices, has a published policy with regard to managing personal information, and is on a path to becoming compliant. That will probably keep companies out of the courts—in the beginning.
What are some specific technologies that are important to implement?
Ahlstrom: One of the earliest things, if you are on the IT side and even on the risk side, is to get a grasp of the information you have and all the applications that you run. A catalog essentially stores the information about an application and is more concerned with the metadata of an application. There are a lot of interesting technologies that can scan systems.
In a Fortune 100 company, there could potentially be hundreds of applications, not to mention all the information that would be stored in spreadsheets and unstructured formats such as email and the rest. Categorizing and managing data from a knowledge perspective is a really good place for companies to start so catalogs and glossaries are the foundation for getting a grip on what’s going on, and very strongly in that is metadata management because the metadata within an application is telling you about the data in that system. If you can scan and understand the metadata in the applications across the enterprise then you will advance your knowledge of what is actually stored in the applications themselves.
What else?
Ahlstrom: The other types of technologies that are going to be important are the ones that improve data quality. It is one thing to delete “Joe Smith” from customer records but Joe Smith’s data may be stored 20 different ways inside 50 different applications—Joe A. Smith, Joseph Smith, Joseph A. Smith, and the variations go on. In many businesses, duplicates and variations are rampant. Managing data quality is important so that if you have to respond to a request for rectification or deletion you know that you have captured all of it.
What concerns you most about GDPR?
Ahlstrom: There are three things that come to mind. The first is that there are unsavory businesses looking at this who will be looking at ways to extract money from businesses. There is going to be a lot of money spent in the courts as this regulation proves itself out. If I were a head of risk and compliance, that would keep me up at night. The second is how discrepancies in regulations will be handled. When you look at GDPR, it is for the most part, subjugated to existing regulations that would take a higher precedence or priority. Someone might say that they want to be removed from a system but in a particular country, the taxing authority might say you have to hold that information for a longer period of time. That is going to get into gray zones, and it will have to be dealt in the courts when competing regulations are saying opposite things.
And the third?
Ahlstrom: We have actually run across companies that have decided it is too overwhelming and they are choosing to sit back and see how it plays out. Unlike Y2K, where companies knew if their systems failed or succeeded once the date turned, they won’t know with GDPR. Rather than stick your head in the sand, use this as a way to create a conversation about momentum within the business to treat information as an asset.