GDPR: Prepare Now to Avoid Harsh Fines for Non-Compliance

Patrick Egan, March 23, 2017

The Clock is Ticking

Whether you’re an EU organization or a non-EU company doing business with EU citizens, the General Data Protection Regulation (GDPR) applies to you. A proactive approach today can help your organization become better educated and aligned, and ultimately comply with this far-reaching EU regulation.

With the May 2018 deadline rapidly approaching, many organizations still have limited knowledge of the regulation, its impact and the staggering penalties for non-compliance. In the past, some organizations considered paying a fine the cheaper option, but with fines as high as 20 million euro or 4% of annual revenue for a first offense, that option is clearly off the table. The time to act is now, to avoid a larger crisis-management event or significant financial burden further down the road.

GDPR is not industry specific; it is being put in place to protect the personal data of individuals living within the EU. Its goals include lessening or eliminating exposure to identity theft, and empowering individuals with knowledge of how and where their personal data is collected and for what purpose, together with the ability to direct how and where their personal information can be used. You can find more details about GDPR here.

Am I Affected?

Any organization transacting with an EU citizen must be prepared for GDPR. Currently, this pertains to traditional industries such as mobile phone carriers within the telecom field, but according to IT Pro UK, the EU wants to extend those regulations beyond traditional telecom carriers and include online messaging platforms like Gmail and WhatsApp. The author stated, “The changes would extend rules that currently only apply to telecommunications to web-based messaging services, closing a regulatory gap between traditional telecoms services and relatively newer players, such as Snapchat and Facebook.” This extension would now include social media usernames, cookies, IP addresses and a deluge of additional digital information that can uniquely and accurately identify and/or locate an individual.

So what does all of this mean? When implemented, all people and businesses in the EU will have the same level of protection for all their electronic communications, not just mobile phone communications. That means it is important for nontraditional telecom providers to understand what they need to do to ensure that all of their customer data is identified, understood, classified and protected.

Protecting Data

When it comes to protecting data, people typically think in terms of firewalls and endpoint protection, but what isn’t mentioned as often is data governance, analytics, and validating data accuracy. Data governance and data controls should be a strategic tool that acts as an early-warning system on internal business processes, flagging data anomalies and compliance violations.

Conducting automated data checks for reasonability (out-of-range values), conformity, and accuracy is a way to address data quality and to detect unusual activity that can be flagged as abnormal. There is often a trail leading up to an incident in which your data is compromised, and data controls are one additional layer of defense beyond traditional firewalls and data security.
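As an added illustration (not code from the original post), the following runs the three kinds of control named above, plus a consent check, over a small constructed set of customer records and returns the records that should be flagged. The record layout, the reference table of dialling codes, and the age and format rules are assumptions chosen for the example.

```python
import re
from datetime import date

# Constructed sample of customer records (fictional people, placeholder values).
RECORDS = [
    {"id": 1, "email": "a.nowak@example.eu", "birth_year": 1984, "country": "PL", "phone": "+48 601 000 000", "consent": True},
    {"id": 2, "email": "not-an-email", "birth_year": 1990, "country": "DE", "phone": "+49 30 000000", "consent": True},
    {"id": 3, "email": "j.doe@example.fr", "birth_year": 1850, "country": "FR", "phone": "+33 1 00 00 00", "consent": False},
    {"id": 4, "email": "m.rossi@example.it", "birth_year": 1975, "country": "IT", "phone": "+44 20 0000 0000", "consent": True},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
DIAL_CODES = {"PL": "+48", "DE": "+49", "FR": "+33", "IT": "+39"}  # assumed reference table

def reasonability(rec, current_year=None):
    """Out-of-range check: the birth year must imply an age between 0 and 120."""
    year = current_year or date.today().year
    age = year - rec["birth_year"]
    return [] if 0 <= age <= 120 else [f"birth_year {rec['birth_year']} out of range"]

def conformity(rec):
    """Format check: e-mail must look like an address, country must be a known code."""
    issues = []
    if not EMAIL_RE.match(rec["email"]):
        issues.append(f"email {rec['email']!r} malformed")
    if rec["country"] not in DIAL_CODES:
        issues.append(f"country {rec['country']!r} unknown")
    return issues

def accuracy(rec):
    """Cross-field check: the phone dialling code must agree with the country field."""
    expected = DIAL_CODES.get(rec["country"])
    if expected and not rec["phone"].startswith(expected):
        return [f"phone prefix does not match country {rec['country']}"]
    return []

def consent(rec):
    """Compliance check: personal data held without a recorded consent is flagged."""
    return [] if rec.get("consent") else ["no recorded consent"]

def run_controls(records, current_year=None):
    """Return {record id: [issues]} for every record that fails any control."""
    flagged = {}
    for rec in records:
        issues = reasonability(rec, current_year) + conformity(rec) + accuracy(rec) + consent(rec)
        if issues:
            flagged[rec["id"]] = issues
    return flagged
```

Each flagged record carries the list of controls it failed, which is the kind of trail the early-warning system above is meant to surface before it becomes an incident.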

Another layer of defense is data governance. GDPR-related obligations give individuals power over their own data and require businesses to actively manage, secure, and govern data throughout its lifecycle. Once personal data has been confirmed for quality, there is a very simple framework that can help address data governance needs. At a very high level:

  1. Know Your Data: This key prerequisite revolves around identifying and classifying the inventory of personal data that an organization holds.
  2. Data Lineage: Understanding how and where data enters your organization and the various storage and integration points that the data flows through.

Protecting personal data will help companies with their GDPR obligations. It may seem like a burden to many at first, however, having a firm understanding of enterprise data, its source, usage and retention is considered a best practice and in many industries a competitive advantage. As companies embark on their data governance journey, GDPR can be a great driver for the change in culture, operational process and transparency that’s needed for effective governance.

But now we need a solution that can put data controls in place and conduct automated data checks as part of a data governance solution.

The Solution

A data integrity suite leverages end-to-end data controls and provides transparency to meet information privacy and security compliance standards. Using the right set of solutions, organizations can ensure integrity from source system to any destination, profile and identify critical data, as well as classify, document and govern their most important data assets.