We’re now less than five months away from the required compliance date of the EU General Data Protection Regulation (GDPR). Organizations that have EU residents as customers, suppliers or partners are required to be in compliance by May 2018. For legislation that has received so much publicity, it’s surprising how unprepared many organizations are for the coming changes. The first step in the process is to gain a clear view of all the personal data the organization holds and where it is. This blog will look at the obligations for working with data under GDPR and how Data Discovery is essential to build a foundation for GDPR-compliant data management.
The EU provided a two-year transition period for the implementation of GDPR but, in truth, few companies have used this time effectively. The Compliance, Governance and Oversight Council (CGOC) has found that only 6% of global companies believe they are prepared for GDPR. In November last year, research showed that 92% of European businesses said they were unprepared for GDPR. The fact that almost 30% of these companies admitted they were unfamiliar with the regulation is even more surprising – especially given that fines for data breaches can run to €20 million or 4% of annual turnover.
Companies that have yet to prepare for GDPR must start immediately. Organizations may not be fully compliant by May 2018 but they need to be able to demonstrate that they are making best efforts in that direction. Implementing a sound Data Discovery strategy is an extremely good starting point as responsibilities for managing personal data have grown dramatically.
Managing personal data under GDPR
The GDPR is designed to bring privacy into the digital age by addressing all aspects of how organizations capture and process personal data. It encompasses all data that would allow for the direct or indirect identification of an individual. Direct personal data includes anything that allows you to identify someone from that single piece of data, such as an email address or driver’s license, while indirect data covers different pieces of data that, in combination, can identify the person.
Under GDPR, organizations must:
- Know exactly what data they hold and where it resides
- Know exactly how the data is being processed and how it is being shared
- Be able to identify specific data for flagging and removal if necessary
- Be able to detect and send an alert on any data breach quickly
- Implement pre-defined policies for automated data access privileges
- Introduce data protection by design and by default into all their systems
- Ensure that all consents for data usage are correctly obtained and managed
- Ensure that personal data is held for no longer than it is needed
- Conduct regular data risk assessments
The role of data discovery
Ask yourself this simple question: Do I know where all the personal data in my company resides? The answer for the vast majority of us will be a resounding ‘no’. Yet, that’s exactly what GDPR demands of us. Even medium-sized companies can easily be looking at terabytes or petabytes of information amassed over many years. They have data hiding in legacy systems, file shares and email systems. In many cases, the people who originally created the data have now left the organization. Given this situation, it may not be so surprising that over 60% of security professionals say that they don’t know where their sensitive data is. This is no longer acceptable for GDPR.
Data discovery is a combination of software tools and processes that let you identify and begin to control the management of the personal data that you hold. It covers three main areas:
You can identify where personal data is stored: on your premises or in the cloud, on partner networks and outside repositories, or on the personal devices of your staff. Data discovery tools – such as OpenText File Intelligence – can identify data held in any format, such as documents, presentations and emails. Data discovery focuses on the repositories and ‘silos’ of data to provide an accurate picture of your personal data.
The best data discovery tools automatically classify and manage all personal data spread throughout your organization. They provide advanced capabilities such as metadata indexing and full text indexing to enable the fast and accurate identification and tagging of data. These tools have intelligence built-in to understand the context of data to ensure pinpoint accuracy and can be tuned for specific GDPR definitions.
GDPR requires that personal data is continually managed to ensure that you remain compliant at all times and that you can quickly respond to requests from individuals such as the right to have all their data removed. Data discovery should give you the ability to monitor, track and trace the personal data within your organization to ensure that you have visibility of all activities taking place on that data. This will help to quickly identify the source of data breaches and enable you to comply with notification requirements should a breach occur.
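As an added illustration of the discovery and classification pass described above and of the data-subject lookup needed to answer an erasure request (example code written for this post, not OpenText File Intelligence): it walks a constructed sample file share, tags each file by the direct identifiers it contains, and lists every file holding one subject's email address. The identifier patterns and the sample file layout are assumptions.

```python
import os
import re
import tempfile

# Illustrative detectors for direct identifiers (constructed; not OpenText's classifiers).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{2}[ \d]{8,13}\d"),
}

def classify_text(text):
    """Tag text with {category: count} for every identifier type it contains."""
    return {cat: len(rx.findall(text)) for cat, rx in PATTERNS.items() if rx.search(text)}

def iter_files(root):
    """Full-text pass: yield (relative_path, text) for each readable file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    yield os.path.relpath(path, root).replace(os.sep, "/"), fh.read()
            except OSError:
                continue  # unreadable file: a real tool would log this as a coverage gap

def scan_repository(root):
    """Inventory of where personal data resides: {path: {category: count}}, hits only."""
    return {rel: hits for rel, text in iter_files(root) if (hits := classify_text(text))}

def locate_subject(root, identifier):
    """Erasure-request scope: every file that holds this exact identifier."""
    return sorted(rel for rel, text in iter_files(root) if identifier in text)

def build_sample_repo():
    """Constructed sample file share: two files holding personal data, one without."""
    root = tempfile.mkdtemp()
    samples = {
        "hr/leavers.txt": "Former staff: anna.lind@example.com, +44 20 7946 0958",
        "sales/notes.txt": "Call anna.lind@example.com about the renewal",
        "eng/readme.txt": "Build with make; no personal data here",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    root = build_sample_repo()
    print(scan_repository(root), locate_subject(root, "anna.lind@example.com"))
```

The inventory is the "where does it reside" answer from the list above; the subject lookup is the starting point for flagging every copy when an individual asks for removal.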
Whether you think that your organization is in a position to comply fully or partially with GDPR, it’s essential that you are able to demonstrate ‘good faith’ endeavours in that direction. By conducting data discovery now, you’ll show that you’re taking GDPR seriously and have taken the first major step to compliance.
To find out more about the role of Data Discovery in GDPR compliance, read our informative Data Discovery eBook and learn how to take the first step to GDPR compliance.