GDPR Is Coming: Will Your Organization Be Ready?

On any given day, organizations can collect hundreds of different pieces of data on every person they interact with. Managing and protecting this data, often referred to as personal data, is becoming mission-critical for organizations—particularly since enforcement of the European Union’s General Data Protection Regulation (GDPR) begins on May 25, 2018. The GDPR increases the need to care for and protect personal data and is poised to be the most costly, data-focused regulation ever implemented. Without a firm grasp of data lineage, rigorous data governance, and a “privacy by design” mindset, organizations will not achieve compliance by the deadline.

While the GDPR is an EU regulation, it has a significant impact on U.S.-based organizations and on others across the world. Under the GDPR, any organization that processes the personal data of EU member state residents must comply with the regulation. As a result, global organizations must revisit how they collect and manage data and review the data they already hold before the regulation goes into effect. According to a series of interviews PwC recently conducted with C-suite executives from large American multinational corporations, 54% of interviewees said GDPR readiness is the highest priority on their data privacy and security agenda, while 77% plan to spend $1 million or more on GDPR compliance.

Due to the geographic origin of the regulation, it might seem tempting for U.S. firms to ignore the GDPR given the wide range of compliance demands placed on them. However, failing to comply can result in hefty fines of €20 million or as much as 4% of the company’s global revenue. Other consequences such as a damaged reputation and potential lawsuits are also likely. With little time remaining, organizations should be well on the way to being compliant to avoid penalties—and the first step lies in data governance.

Achieving Compliance Through Data Governance

Given the sheer quantity and variety of data that organizations hold and may collect, strong data governance is a key enabler for organizations as they tackle GDPR compliance. Data transparency and traceability are critical to understanding what information exists within the data estate in order to accurately protect its privacy and to manage customer consent on an ongoing basis.

Under the GDPR, organizations need to maintain substantial information about what private data is managed and how. This includes information on who the data relates to, how it’s used, who it might be shared with, how it is transferred across borders, what safeguards it has, and its period of retention. Maintaining detailed knowledge about where data comes from, where it goes, and how it might have changed along the way is not a simple task, especially for large organizations that don’t have clear insight into complex datasets that exist across the organization.

To implement data governance, organizations are increasingly turning to software to analyze access to information and log data usage to ensure compliance, since it is not feasible to manually perform these activities. Software can help organizations map their current content and data estates and identify business processes and data flows that include personal data, a first step in achieving compliance with the GDPR. Technologies such as machine learning also have become more sophisticated, allowing for intelligent dynamic management of content archival, retrieval, records management, and erasure to help organizations ensure compliance. Now organizations can create policies to gain and maintain consent, manage the lifecycles of personal data, and run automated reports on data lineage, consistently ensuring the organization is audit-ready in the event of a review by supervisory authorities while reducing the opportunity for human error and other risks.

Prepare Now

The GDPR will likely cause a data governance domino effect, where new data privacy and security regulations will appear in more countries until such regulation is commonplace for all organizations. This means privacy requirements are likely to become increasingly challenging and expensive for organizations. With this in mind, whether or not GDPR compliance specifically is on the agenda, you should be thinking now about how you govern data, how well you understand the data collected, and where there are opportunities for automation and increased control.

Ian Rowlands is director of product marketing at ASG Technologies.

