Since the EU’s General Data Protection Regulation (GDPR) took effect in May, organizations have hopefully already emerged from the strategy phase and are now well into implementation. However, the nuances of GDPR are something most of us are still trying to comprehend—and we probably won’t truly understand all of it for a while. In the hustle to reach compliance, errors will likely have been made. In the process of GDPR planning and execution, there are four areas that companies need to be wary of. If not managed carefully, they can hinder the process of achieving, and maintaining, compliance goals.
- Failing to train employees on key concepts of personally identifiable information (PII). Only one-fifth of organizations have rolled out formal GDPR policies and training—and employees need to know how to handle PII data. More than 60% of employees don’t understand privacy-by-design policies, and because cybersecurity controls have a wide ambit, the implications from a solution standpoint often vary per organization. It’s important to consider that customers will now also have control over the portability of their data. Think of that as the possibility for your customer to give the data you have collected to a competitor. Knowing how GDPR will affect your operations is critical to anyone doing business on a global basis. No longer will it be enough to simply secure and track this data, but how it’s managed or “processed” will also be extremely important.
- Complying with some provisions, not all. GDPR has 11 chapters and 99 articles with multiple provisions, and organizations have to be compliant with every one of them. Many organizations have been cherry-picking compliance enforcement based on their strengths and what suits them from a business standpoint, which only makes them more susceptible to compliance vulnerabilities. First and foremost, it’s critical to have a basic understanding of what each provision is before you make a plan. For a fast summary, see this Eckerson Group blog post that provides short explanations of each that you can consume in less than 25 minutes.
- Lack of business processes for data erasure. The Right of Erasure, Article 17, defines that a data subject has the right to have the company erase personal data and take reasonable steps to inform third parties to erase the data as well. No longer can you simply flag a user in a database as inactive or “do not contact.” This provision states that the customer has the right to have any of his or her data deleted within a reasonable timeframe. The challenge is this will not be easy for organizations that have used traditional data management strategies, which are based around archiving data—not deleting it. There are a lot of discussions around Article 17, as it is still a fairly gray area since it is not entirely known what will happen with regards to social media. Can or should a data subject have the right to delete their social commentary once it’s published or is that data considered public knowledge? It will be interesting to see how this will play out in the courts, as removing old Twitter posts, old accounts, and possibly trying to hide past poor decisions, etc., and it raises a lot of moral and legal questions.
- Weak data governance processes which pose cybersecurity risks and data management issues. An organization’s data security perimeter is wider than ever. Your furthest network “edge” today is likely represented by clouds, and mobile and IoT devices—and this means that there are more data governance and vulnerability issues than ever to consider. The most GDPR-prepared organizations have a unified solution for metadata management and data governance mechanisms that manage all their data no matter where it’s located. This includes a single view of global data assets across cloud and on-premise applications, databases and storage platforms. On the bright side, GDPR requirements are forcing companies to define advanced strategies that should go a long way toward improving an organization’s overall cybersecurity posture and thus reducing the potential for data loss, operational disruption, and physical damage—not to mention reputation and brand damage.
Thinking Beyond GDPR Drudgery and Seeing the Business Opportunities
GDPR should be viewed as a business opportunity. Everyone benefits from meshing disparate systems into a single, unified flow of information. Customer data, regardless of where it’s housed, becomes readily available to anyone requiring it—a customer, a chief information officer, or a chief marketing officer. Automation puts the organization in control of requests and enables end-to-end governance. It also provides the chief executive officer with the peace of mind that the risk is understood and managed across the entire organization.
Digital process automation brings disconnected systems together and consolidates fragmented data. With connected systems and information, businesses are in a better position to serve their customers. New technologies and capabilities that can deliver customer-centric information at the right time will give them a competitive edge. As with any new paradigm, there will be winners and losers, and those who take this opportunity to leverage these changes to benefit their customers will be the ones that will come out on top.