Where We’re at in a Post-GDPR World
Assessing GDPR Readiness and Risk Post Effective Date
The General Data Protection Regulation (GDPR) has taken effect in the European Union (EU). GDPR is a more unified and elaborate data protection regulation with greater extraterritorial reach than its predecessor, Data Protection Directive 95/46/EC. The new regulation applies to any organization that is based in the EU or that does business with anyone living in the EU. Now that it has taken effect, we thought it would be an appropriate time to gauge its immediate impact.
What Effect Has GDPR Had Thus Far?
With GDPR, the penalties for noncompliance are steep. Fines can be up to 4 percent of an organization’s worldwide revenue. Because of that risk, some American media companies have completely halted site traffic from Europe-based readers. A recent article from CSO Online states, “Newspapers such as the Los Angeles Times and Chicago Tribune stopped allowing European readers access to their sites to avoid risk. Tronc, the company that owns these and other newspapers, has decided to block all European readers rather than risk being found noncompliant with GDPR and face huge financial penalties.”
Topix, another American media company, is also barring some traffic from the EU. According to a Digiday article, Topix CEO Chris Tolles explains that EU visitors can no longer access the news or forum sections of the website because they have been deemed especially vulnerable. The article quotes Tolles as saying, “Right now, I just don’t understand what my risks are. It just behooved me to wait till the regulators figure out what to do. Europe isn’t a big enough market.”
The reasons for uncertainty among organizations are twofold. From an external perspective, many are waiting to see how strictly regulators enforce the law and how aggressively they dole out penalties. The actions companies take will likely depend on whether the rewards of EU business outweigh the potential risks. From an internal perspective, organizations don’t know what their risks are because so much personal dark data lurks in their data environments that it is difficult to identify, classify and document the information. If an organization doesn’t know where personal data is stored, how it’s used, who is using it and who is responsible for it, becoming GDPR compliant is impossible. However, with a comprehensive data governance program and the right technologies, these organizations can address the most pressing challenges of GDPR. The most critical of these are questions such as: out of hundreds or maybe thousands of different processes and systems, which ones are GDPR compliant? More importantly, which processes or systems are not compliant, and how can they be brought into compliance? And finally, how can we proactively identify hidden personal data across the enterprise to assure GDPR compliance?
Assessing GDPR Readiness and Risk After the Deadline
Conforming to GDPR requires an agile solution with a multitude of capabilities and an overarching data governance program. The solution suite should include data governance, data quality, and analytics capabilities that work in concert to enable better control over data and ensure ongoing compliance.
An effective GDPR solution must bridge the needs of both IT and the business by providing not only the compliance foundation required by the regulation, but also a data governance framework that enables easy access, usage, and ongoing adherence among users. This includes establishing a business glossary, documenting where data is located, the purpose for which it is processed and its legal basis, and recording usage approvals and access authorizations. It should consist of highly configurable interfaces, self-service dashboards and easily navigable workflows so that organizations can streamline GDPR compliance methods and procedures spanning all systems and business processes. This centralized approach enables compliance collaboration across an entire enterprise and alerts the right people at the right time to potential compliance issues.
The solution should also engender trust in an organization’s data quality efforts and in the policies and processes it implements. By verifying the accuracy and completeness of personal data and reconciling it across multiple sources, systems and uses, organizations facilitate data analysis and support true compliance automation. In addition, analytical capabilities can apply machine-learning algorithms to find hidden personal data across an enterprise, identify compliance gaps and visualize personal data usage and storage.
These combined capabilities not only provide the critical elements for a daily snapshot of the compliance landscape, but also provide the reporting needed for internal and external GDPR audits in an increasingly complex technical landscape. By building a customized data governance program, brick by brick, and adding a comprehensive solution suite, organizations will have a GDPR solution built for today and the future.
If you would like to learn more about GDPR compliance and data governance, download the white paper.