Companies across the globe are preparing to comply with strict new rules regarding protection of personal data belonging to EU citizens. General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights with respect to their data. GDPR is focused on privacy-centric requirements, such as mandatory record keeping, the right to be forgotten, and data portability.
Aimed to provide consumers rights over their personal data, GDPR also simplifies the regulatory environment by unifying the regulation for the entire EU. It is consistent across all 28 EU member states, so companies have just one standard to meet within the EU. Unfortunately, though the law is consistent, it’s also quite rigorous and will no doubt require companies to make large investments to become compliant.
It’s complex, it’s rigorous, and the deadline is approaching. Fortunately, we’ve done our research and are already working closely with many clients and partners on the best solution for them. Here’s what we can tell you: come May 25, 2018, companies in the EU (and those companies that do business with or store any EU citizen’s data) will be required to follow strict data management guidelines or be subject to substantial penalties and fines.
These guidelines fall into four specific areas:
ACCOUNTABILITY & GOVERNANCE
Companies must maintain relevant documentation on data processing activities and implement measures that demonstrate compliance. We’ve consulted with companies and have helped many leverage analysis tools that provide a wide array of capabilities including: classification, full text indexing, and data movement based on policy. Be sure to conduct a content inventory to identify islands of data relevant to GDPR compliance.
Personal data may not be retained for longer than is necessary for the purpose for which it’s processed. We’ve helped a number of organizations implement policy enablement and monitoring tools to manage data. Such tools can copy, move, and delete data based on rules and conditions such as content age, owner, or keyword. Leveraging such tools will enable organizations to proactively manage personal data within the necessary parameters
A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organization becoming aware of it. We strongly suggest implementing technology to monitor and alert on abnormal data access patterns as well as a Standard Operating Procedure to provide guidance to staff and supervisors who manage IT resources to enable a quick and efficient notification process.
An individual may request the deletion or removal of personal data when there is no compelling reason for its continued existence. We suggest implementing the use of an eDiscovery platform which is purpose-built to work natively with electronically stored information (ESI) and can help a company respond to a deletion request by quickly identifying and producing specific information related to an individual.
We know there’s no silver bullet to easily meet these new regulations, which are multi-faceted and affect multiple areas of the business. You’ll need to examine existing tools, research new ones, as well as review current policies related to all the types of data your organization manages, in order to begin developing your approach to become GDPR compliant.
It will likely be costly. In fact, according to a PwC survey, 68% of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements, with another 9% expected to spend more than $10 million! Conversely, penalties for non-compliance can be equally costly, ranging anywhere from up to €20 million or 4% of a firm’s global turnover (whichever is greater).
We recommend working closely with an experienced and fully-engaged Data Management partner that is well-versed on the potential impact of the GDPR. Work with the Trace3 Data Management team on your overall data strategy and evaluate how modern capabilities such as mastering data at big data scale, graph technologies, machine learning, and predictive analytics will help you maintain control and compliance.
 Babel, Chris (July 11, 2017). “The High Costs of GDPR Compliance”. Information Week. UBM Technology Group. Retrieved 4 October 2017.
Andrew (Andy) Becker is a Solutions Architect in Trace3’s Data Management Group, whose 17 years of experience in the field began in the Israeli Defense Forces and includes subsequent experience consulting with client environments of all sizes. He specializes in Information Governance with a focus on email archiving, data classification, and eDiscovery. Andrew has architected, designed, and implemented solutions for some of the largest household name companies in the country, particularly in defense, financial, healthcare, gaming, airlines, oil and gas, utilities and other heavily regulated sectors. Andrew has been recognized as an industry Trusted Advisor and awarded the Trace3 President’s Award for leadership and teamwork. Outside of work, Andrew is an avid mountain biker, self-proclaimed foodie, and volunteers on the board of a national non-profit creating programming for young professionals to engage face-to-face at meaningful events and learn about philanthropy.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.