When it comes to data, most IT organisations simply provide application and infrastructure services with little or no concern for the volume of data they create. This data is owned by the ‘business’, which likewise has little concern for the way in which data is served and managed. The day of reckoning is at hand, with Personal Data at the forefront of the General Data Protection Regulation (GDPR). How can these two forces, one creating the content and the other storing it, be reconciled for the greater good?
Technology is an enabler of efficient commerce, and efficiency drives competitive advantage. But technology in business continues to evolve. The division of labour between the business side of an organisation and the IT department charged with keeping the company running is profound, especially when you consider how frequently the IT function is outsourced. To put this in terms of an enterprise and its data, the business teams create it and the IT teams store it. Storage is perceived as inexpensive, so most enterprises have yet to delete anything and opt to keep everything.
GDPR absolutely changes this. The rights of individuals to ask organisations to find their personally identifiable information and to demonstrate an ability to handle and control it will now be regulated by statute. The penalties for falling short can be massive.
Consider the scenario where a customer wishing to exercise control of their unstructured data (files and documents as distinct from databases) has a repository with ten million files belonging to fifteen thousand users. An optimal approach requires a technology solution to sift through the files and find the personal data and identify the redundant, obsolete and trivial (ROT) data that has risk associated with it. On the business side, data owners may have written retention policies to deal with ROT, risky and personal data. The question organisations face with GDPR is how to align these two groups and establish policies and actions that, in essence, involve the balance of key actions around data – keep or delete it.
GDPR creates an unprecedented demand on the IT department, from lawyers who want to be able to find individuals’ personal data and show control over it to the more traditional “go faster” or “save money” demands from the CIO.
The business needs to know where the risks of non-compliance are stored and where personal data ends up. But most importantly, the business depends on IT and its technology tools to provide an automated yet defensible way to manage this personal data. Relying on current manual processes for ten million, one hundred million, or one billion files is a very risky proposition, especially when such heavy fines are planned for non-compliance. Not having a strategy is not an option.
The challenge then, for vendors of technology, is to help customers broker and facilitate the communication between their IT organisations and the business functions. Ensuring successful compliance for an enterprise is dependent on Information Governance experts to help assess each organisation’s unique situation and drive the necessary change. Veritas Advisory Services help bridge the gap between IT and Business stakeholders, and drive transformative steps to address the challenges that GDPR brings in data processing, management and governance.