Resistance is futile – Protecting your company from non-compliance with data protection regulations
May 25, 2018 came and went, leaving many companies unprepared for the level of compliance that the General Data Protection Regulation (GDPR) requires. Even with four years' notice, IT technologists responsible for business resilience strategies are still struggling to add the new requirements to their list of data protection goals. Syncsort's 2018 State of Resilience Report shows that security and data privacy concerns are top of mind for most IT departments, especially as they adopt cloud platforms to gather, store and analyse data, says David Hodgson, chief product officer, Syncsort.
The long arm of the law
According to the GDPR authors, "the processing of personal data should be designed to serve mankind." GDPR builds on and replaces the earlier Data Protection Directive 95/46/EC and was primarily designed to unify and standardise data privacy law across Europe. But it raises the data privacy bar both for organisations inside the region and for those outside it that offer goods or services to, or monitor the behaviour of, individuals in the EU.
Bottom line: it would behoove any company, anywhere, to reconsider its data management practices in the light of GDPR. Do you know what data you have, about whom, and how it is used by you or shared with others? Is it properly secured against theft? The same survey, with nearly 6,000 global respondents, found that most companies are still grappling with these issues.
Putting the individual back in charge
GDPR gives individuals the right to know that a company is keeping personal data on them and what that data is, the right to inspect and correct it and, most significantly, the right to have it removed: the right to be forgotten.
The new approach starts with consent. Many individuals have experienced this personally, with companies sending emails to confirm approval to keep their personal data. Certainly, as much as data is the fuel for many new business models, data is now also the banana skin that may cause a few slip-ups.
The first step is to track clearly what data you have and about whom, and to confirm consent. A key part of this is unifying your view of an individual across different systems, databases and data sources. Is David Hodgson the same person as David M Hodgson, or are these two different people? To achieve this visibility, make sure you have tools that can establish and maintain data integrity.
Data quality tools that can both identify personal data and keep it accurate, clean and de-duplicated are essential to achieving compliance. Equally important is the ability to maintain an audit trail of who has accessed personal data. These requirements only get harder in the realms of big data and streaming data.
What is personal data and how can it be used safely?
The spread of data gathering practices that routinely individualise our online experiences has underpinned the Digital Revolution, but it has also driven the concerns that led to GDPR.
Article 4(1) of the GDPR defines personal data (the EU term for what US practice calls personally identifiable information, or PII) as any information relating to an identified or identifiable natural person. This includes the obvious, such as name, age and social security numbers, but also online identifiers such as IP addresses and device IDs, and hashed or encrypted fields that can still be attributed to an individual with the help of additional information.
GDPR requires companies to protect the privacy of individuals and, in Articles 25 and 32, names pseudonymisation as an appropriate safeguard: processing personal data so that it can no longer be attributed to a specific individual without additional information, such as a key or mapping table, that is kept separately and protected. Pseudonymised data is still personal data under the regulation, but a breach of the pseudonymised dataset alone exposes far less when the re-identification key is stored elsewhere.
Building new systems that are compliant by design is always easier and more effective than retrofitting capabilities onto older systems. Anonymisation, masking and obfuscation tools should be key components in either case, but the cost-driven reality is that most companies will be looking for tools that integrate easily with existing data access points.
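The difference between a weak and a sound pseudonym is easy to get wrong, so here is an added example (written for this edit, not code from the article or from Syncsort) that shows it concretely. It replaces the direct identifiers in a constructed customer table with keyed HMAC-SHA256 tokens, keeps the key as the separately stored "additional information", and contrasts that with the plain unkeyed hash many teams reach for first: because an IPv4 address in a known /24 has only 256 possible values, the unkeyed hash is reversed by a dictionary attack, while the keyed token is reversed only by whoever holds the key. It also includes a simple display-masking function of the kind mentioned above. The field names, sample records and key handling are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people, RFC 5737 documentation addresses);
# not data from the article or from Syncsort. Row 0 and row 2 are the same person.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "ip": "203.0.113.7", "purchases": 3},
    {"customer_id": "C-1002", "email": "bob@example.org", "ip": "203.0.113.42", "purchases": 1},
    {"customer_id": "C-1001", "email": "alice@example.com", "ip": "203.0.113.7", "purchases": 2},
]

# Fields that directly identify a person. Assumed field names for this example.
DIRECT_IDENTIFIERS = ("customer_id", "email", "ip")


def naive_hash(value: str) -> str:
    """The common first attempt: an unkeyed SHA-256 of the identifier."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_token(field: str, value: str, key: bytes) -> str:
    """HMAC-SHA256 token. The field name is mixed in so the same string in two
    different fields does not yield the same token. Deterministic for a given
    key, so joins and de-duplication across datasets keep working."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace every direct identifier with its keyed token; leave other fields
    untouched. The key is the 'additional information' of Art. 4(5) and must be
    stored separately from the output, with its own access control and audit trail."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = keyed_token(field, str(out[field]), key)
    return out


def dictionary_reverse(token: str, candidates, hash_fn):
    """Recover the value behind a token by hashing every plausible candidate
    with hash_fn. Returns None if nothing matches."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), token):
            return candidate
    return None


def mask_email(email: str) -> str:
    """Display masking for support or analytics screens: keep the first character
    and the domain, hide the rest of the local part. Lossy, so not a pseudonym
    and not usable for joining records."""
    local, _, domain = email.partition("@")
    if not domain:
        return "*" * len(email)
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def demo() -> dict:
    key = secrets.token_bytes(32)  # generated per deployment, kept in a secrets store
    pseudo = [pseudonymise_record(r, key) for r in SAMPLE_RECORDS]

    # Same person, same token: rows 0 and 2 still de-duplicate without the key.
    same_person = pseudo[0]["email"] == pseudo[2]["email"]

    # Attacker's dictionary: every host in the 203.0.113.0/24 the records came from.
    subnet = [f"203.0.113.{i}" for i in range(256)]

    # Unkeyed hash: reversed with at most 256 guesses.
    recovered_naive = dictionary_reverse(naive_hash(SAMPLE_RECORDS[0]["ip"]), subnet, naive_hash)

    # Keyed token without the key: guessing a key gets the attacker nowhere.
    wrong_key = secrets.token_bytes(32)
    recovered_without_key = dictionary_reverse(
        pseudo[0]["ip"], subnet, lambda v: keyed_token("ip", v, wrong_key))

    # Authorised re-identification: the key holder re-links the same way.
    recovered_with_key = dictionary_reverse(
        pseudo[0]["ip"], subnet, lambda v: keyed_token("ip", v, key))

    return {
        "same_person_still_linkable": same_person,
        "naive_hash_reversed": recovered_naive,
        "keyed_token_reversed_without_key": recovered_without_key,
        "keyed_token_reversed_with_key": recovered_with_key,
        "masked": mask_email(SAMPLE_RECORDS[0]["email"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same reasoning applies to e-mail addresses and customer numbers: an unkeyed hash of a low-entropy identifier is only as private as the attacker's candidate list, and breach dumps make good candidate lists. Rotating the key breaks linkage with older datasets, so key rotation has to be planned alongside the data retention schedule rather than bolted on afterwards.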
Most companies have multiple databases and increasingly share data between them for real-time use cases. These use cases are often essential drivers of business growth for companies, but they are also the source of vulnerabilities. Tools that track what data is being shared must cope with the scale and fast-paced change that these new architectures allow.
The future always arrives faster than you think
Time moves faster than we expect, and this always seems to be true in the world of IT. Failure to comply with GDPR can result in fines of up to €20 million or 4% of a non-compliant organisation's global annual turnover, whichever is higher, not to mention the impact on company reputation. Now that the May deadline has passed, it is only a matter of time before we see the first enforcement fines against companies that have not achieved full compliance.
The author of this blog is David Hodgson, chief product officer, Syncsort