The focus on General Data Protection Regulation (GDPR) and its looming May 2018 deadline has spurred a number of conversations between CIOs and their organization’s legal teams. The questions remain basic but critical:
Are we ready? And are we compliant?
Here’s an interesting example of how those questions prompted a large EU bank’s CIO to ask Veritas Advisory Services to speak with his organization’s lawyers. Personally identifiable information (PII) and its accessibility are central to the GDPR, so that’s where we started our conversations.
A Common Data Management Scenario
The bank collects personally identifiable information (PII) about individuals: employees, customers and partners. The information is held in the databases behind the business applications that run the bank, and in file storage, shared drives and repositories. The lawyers were confident their current approach to GDPR compliance was solid because they reasoned:
- All their data is in databases.
- Their two petabytes of unstructured data (about 2 billion files) is “not an issue”.
To test that line of thought, Veritas Advisory Services provided the following analysis:
About 40-50% of the bank’s unstructured file data, when classified using Veritas Data Insight, contained sensitive PII. This was eye-opening: if the bank received a Subject Access Request, there was no guarantee that it could fulfil the request within the regulated timeframe or provide a holistic view of the PII held within those unstructured files.
Taking that one step further, Veritas Advisory Services asked about the organization’s approach to data retention policies. The lawyers were keenly interested in resolving that concern as well, since long-term information management has a huge impact on business risk. The CIO and lawyers asked about a solution that would enable the organization to manage data proactively. Veritas Enterprise Vault was reviewed; the key functionality highlighted was its ability to achieve greater governance over unstructured data through automated archiving, with appropriate retention policies determined by the lawyers.
Making the Business Case for GDPR Compliance
The lawyers were persuaded, but the CIO needed a business case to justify the investment of time, resources, funding, etc. The numbers are compelling.
- 70% of the files stored had remained untouched for over 2 years.
- 30% could be deleted because their file types do not comply with the bank’s own information governance policies.
By gaining a better view of how much data there is, what kind of data it is, where it resides and its value (and risk), and by applying retention policies that could eliminate a significant amount of it, Veritas Advisory Services was able to calculate that just two years of improved information governance of unstructured information could pay for GDPR compliance. How? One cost implication is the reduction in storage fees paid to maintain unneeded data, data which also increases the risk of damaging compliance fines.
There are many other cost implications that impacted the Cost/Benefit Analysis. But findings like these are typical. Many Chief Data Officers and Data Protection Officers are aware that unstructured data hides the risks of ungoverned PII. They can often pay for the remediation through the ongoing savings.
The initial conversation with the bank was instigated to address GDPR. However, this organization gained a whole new perspective on the value and risk that’s inherent in their data management processes.
Have you conducted a cost/benefit analysis of your GDPR readiness? Want to know more? Request a GDPR Assessment here.