With GDPR less than three months away (25 May 2018), personal data can no longer be taken for granted – organizations must know what data resides where, who is permitted access to it and for what valid reason.
GDPR readiness is critical; it is a business necessity. Non-compliance could mean a fine of up to €20m or 4% of global revenue in the preceding year, whichever is greater – with no phased approach after the deadline. Enforcement is possible from day one, and the reputational risk could be just as serious as the threat of financial penalties.
IBM has set out its journey to GDPR readiness in this paper, suggesting the following:
Data processing rules
The GDPR obligation of lawfulness and consent means that data can only be processed if one of the prescribed conditions is met: consent, necessity, legal obligation, protection, public interest, official authority or legitimate interest.
Any organization that handles data that can identify an EU data subject must have the right permissions and clear instructions for handling it. This is a line-of-business conversation that should permeate the whole organization.
It is vital to grasp the key principles of GDPR, which include enhanced action rights for EU data subjects over their personal data. These include the right to erasure, under which an individual can ask a business to “forget” them by deleting their data, except for data that must be legally retained, such as financial transactions. The right to data portability allows individuals to obtain and re-use their personal data for their own purposes across different services; it allows them to move, copy or transfer personal data easily from one IT environment to another, without hindrance to usability.
Storage, protection and retrieval of data may need to undergo a radical transformation, but at the same time the regulation offers an opportunity for improved efficiency and a greater ability to innovate by making better use of data.
Opportunity over obligation
IBM believes that GDPR readiness offers a competitive advantage to customers and business partners alike, and should be viewed as an opportunity – not just an obligation. Transparent control over data throughout its lifecycle, and knowing what data resides where – on local drives, in central storage, backups or archives – will help identify business opportunities as data becomes a corporate asset.
Transparency also helps organizations meet their GDPR breach-notification obligation: in the event of a data breach, an organization has only 72 hours to determine the extent of the breach and notify those affected and the regulator.
A holistic data map can also help an organization respond to a data subject access request within the acceptable deadline of four to six weeks, for example. Additionally, personal data discovery gives an organization clarity about how it uses personal data, which enables it to document and maintain a Record of Data Processing Activities, as required under Article 30 of GDPR.
Confidence in encryption
Encryption and pseudonymization techniques minimize data risk. Although GDPR is not prescriptive about which security measures an organization must take, it does mention these two specific controls.
They are important because GDPR states that communication of a breach to the data subject may not be required if the personal data was rendered unintelligible to any person who is not authorized to access it.
Find, classify, protect
Integrated data classification capabilities help an organization find, classify and protect its most critical personal data, whether in the cloud or in the datacenter.
The new regulation applies to any organization that holds data of subjects in the EU, regardless of whether it has a physical presence in the EU; it must be compliant if it offers paid or unpaid goods or services to those subjects, or collects, hosts, controls or processes their personal data. Suppliers, too, may expect their partners to be GDPR compliant in order to minimize their own risk.
Many organizations may be struggling with GDPR compliance requirements, and the process is undoubtedly complex. Even a company compliant with existing data laws will have additional obligations, and the new principles could require a transformational shift in both cultural attitudes and technological requirements. GDPR impacts people, processes and technology.