Get the basics right to avoid a GDPR information crisis

Another week, and another high-profile incident where information has been a central component of a story hitting the news headlines. The recent ransomware virus was unique in how fast it spread, its international impact and how bitcoin payment was used to unlock the affected systems and allow users to regain access to, in some cases, highly personal and valuable hospital records. It was catapulted overnight to global media attention for all the wrong technology reasons and showed how vulnerable some IT systems are.

It was not long before links were made to data privacy regulation, especially the impending General Data Protection Regulation (GDPR), and one story caught my attention as it predicted a rapid rise in the cyber insurance market due to the attack. But insurance in my mind is like a Band-Aid over an existing problem, rather than looking at some of the root causes of how we value and prioritise the information we collect and store.

This became clear when I attended a data mapping workshop with 20 lawyers representing global companies who are in the middle of creating their Article 30 records for GDPR – or in simple terms, the records of processing activities. Article 30 records are a requirement for any company processing the personal data of EU residents, no matter where that organisation is located. Whilst all of the companies represented had started their data flow mapping and questionnaires and were engaging with the different departments responsible across the business, especially IT, the overwhelming feeling was how complex this task was.

This is no surprise, as data grows year on year and the simple solution to date has been to just keep adding storage, rather than to understand what the data is and whether it is of value to the organisation. This was highlighted in a recent Veritas GDPR survey, which showed that 42% of businesses did not have a way to determine what data should be saved or deleted based on the value of the data, and that 39% reported an inability to accurately identify, locate and manage personal data. These worrying statistics are compounded when you look at employee attrition, where the loss of knowledge about legacy systems can leave pockets of orphaned and unknown data. So, whilst legal can ask the right questions of app, system and storage owners, how can they be assured of the accuracy of the answers?

Accurate Article 30 records are the cornerstone of any GDPR journey, as they form the basic knowledge that allows the follow-on processes of data minimisation and responding to data subject search requests. That is why at Veritas we have developed a GDPR framework to help organisations understand their data better and faster, to help on the journey towards compliance.

In addition, click here to register for our upcoming GDPR Webinar with IDC and William Fry on April 25, 2017 at 8am PDT.
