VOX

Remember Y2K?  If you’ve been in the IT industry for 20 years or so, you certainly will: all the hype that was generated in the 1990s about the impending “time bomb” of the Year 2000.  What would happen to IT systems around the world when the year clicked over from 1999 to 2000?  Had they been programmed to handle four-digit years or only the last two digits?  As it turned out, there was no major disaster on New Year’s Day 2000 and many people claimed that the Y2K “bug” was over-hyped – a ploy by the IT industry to drive demand.  But was it?  What I saw in the years leading up to the year 2000 were organisations acting responsibly to test their software (or mandate that their suppliers did) so that the problem – which in many IT systems was all-too-real – was mitigated well before the big day.

So now we have GDPR, the EU General Data Protection Regulation, which comes into effect on the 25^th May 2018 – just 13 months away.  And once again, there’s a lot of hype about how all-encompassing the regulation is and how draconian the fines could be.  But if you take a look at GDPR, you’ll find that it’s not hype: the regulation is very comprehensive and those fines – up to €20m or 4% of global annual revenues – are pretty draconian!  What amazes me is that, unlike Y2K, I don’t see organisations mobilising in the same way to ensure they have mitigated the risk.  In fact, research conducted by Veritas shows that 54% of organisations haven’t even started preparing for GDPR yet.  And Gartner predicts that things won’t be much better even once the regulation has come into effect: 50% of companies that are affected by GDPR will not be in full compliance by the end of 2018.

What’s causing this lack of action?  I think it’s down to two things.  Firstly, while the arrival of 1^st Jan 2000 was assured, how the EU regulators will enforce the new regulations is much less certain.  While the penalties may be severe on paper, the risk in practice is unknown.  And secondly, organisations are struggling to interpret the regulation and determine what concrete actions they need to take in order to be compliant.

Based on Veritas’ analysis of the GDPR requirements, there are five main points to bear in mind:

1. It doesn’t matter where your company is located or where the data is held, if you handle or store personal information about EU citizens or people living in the EU, you need to be compliant with GDPR.

2. You are accountable for the personal data that you hold and you must be able to demonstrate that you have the right governance processes in place to be compliance with the regulation.

3. Individuals have the “right to be forgotten” – the right to request the deletion or removal of personal data when there is no compelling reason for its continued existence.  And in order to be able to comply with this, you need to be able to find all the information you hold about them on demand, so that you can either delete it or prove there is a compelling reason to keep it.

4. No more data hoarding – personal data may not be kept for longer than is necessary for the purpose for which it was obtained.

5. If you have a security breach that results in the loss of personal data, you must report it to the relevant supervisory body within 72 hours of becoming aware of it.

Those are the main tenets of the regulation – but just what should organisations be doing to become compliant?  Veritas has identified five capabilities that you should ensure are in place:

Veritas GDPR Wheel

1. Locate – The critical first step in complying with GDPR is gaining a holistic understanding of where all the personal data held by your organisation is located.  Building a data map of where this information is being stored, who has access to it, how long it is being retained, and where it is being moved is critical to understanding how your enterprise is processing and managing personal data.
   
   
2. Search – Residents of the EU can now request visibility into all of the personal data held on them by submitting a Subject Access Request (SAR). They can also request that the data be corrected (if factually incorrect), ported (to a suitable export format) or deleted.  Ensuring that your organisation can undertake and service these requests in a timely manner is critical to avoiding GDPR penalties.
   
   

3. Minimise – Data minimisation, one of the main tenets of GDPR, is designed to ensure that organisations reduce the overall amount of stored personal data. This is done by only keeping personal data for the period of time directly related to the original intended purpose.  The deployment and enforcement of retention policies that automatically expire data over time establishes the cornerstone of your GDPR strategy.
   
   

4. Protect – Under GDPR, organisations have a general obligation to implement technical and organisational measures to show they have considered and integrated data protection into all data collection and processing activities.
                                                                                                                                                     

5. Monitor – GDPR introduces a duty on all organisations to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected.  You should assure that you have capabilities in place to monitor for possible breach activity – such as unexpected or unusual file access patterns – and to quickly trigger reporting procedures.
   
   

If all organisations that are impacted by GDPR were to assure that they have these 5 basic capabilities implemented in their IT environments, we could be confident that 25^th May 2018 would have as little impact on them as Y2K turned out to have all those years ago.

What are your thoughts on GDPR?  Are you prepared?