A GLOBAL REGULATION
After four years of intense debate, scrutiny and political posturing, one of the most sweeping reforms to European data protection laws
is here in the form of the General Data Protection Regulation (GDPR). But its reach goes well beyond the borders of the member states –
it will be felt globally. All organizations use personal data, be they public or private, global finance or fashion retailer, and any entity that
stores or processes the personal data of an EU citizen will be obliged to conform to the new law, regardless of where they reside. No
other ruling comes close to the scale of the GDPR.
Its aim is to harmonize and refresh laws that have been in place for over 20 years and to give citizens back power and control over
their personal data, which in our modern digital world is vital to the global economy. There are many parts to the ruling, and non-compliance
will be met with heavy financial penalties, with ripple effects that could damage brand integrity and reputation.
The change is needed. Regional data privacy outside of Europe has for many years taken a sectorized and vertical approach in
businesses such as telecommunications, which has hampered integration with other industries where data plays an intrinsic role. The GDPR
takes the right approach to the protection of privacy with a more horizontal view, across all sectors and geographies.
IT’S ABOUT DATA
With data at the core of the way modern businesses operate, its form,
function and location need to be prioritized. Structured and semi-
structured data, residing in databases and transactional systems, are
self-governing by the nature of their management tools and software. The
biggest concern resides in unstructured data, which organizations globally
have been collecting, storing and hoarding for many years, spread
across a multitude of filers, SANs, proprietary tape systems and now more
prevalently cloud repositories. Unstructured data is set to be 79% of
all stored business data by 2017 [1].
Technology and collaboration systems have accelerated in performance
and scale and allowed us to expand beyond our own ability to control
good behavior and governance in what we choose to store or delete. This
has led to us treating our corporate systems as dumping grounds for
untagged, unclassified, duplicate and eventually forgotten data which becomes orphaned, stale and at worst – dark. In two recent
reports produced by Veritas [2], 52% of data stored by organizations was considered dark, 41% of business
data held in the backup environment had not been touched in over 3 years, and 12% had not been accessed in over 7 years. With the average
number of files at 2.3 billion per petabyte and growing at 39% each year, the risk of holding unnecessary, redundant and potentially
non-compliant data increases exponentially.
THE GENERAL DATA
LET THE DATA PRIVACY REVOLUTIONS
WORK FOR YOU
1. IDC 2014. http://www.idc.com/research/viewtoc.jsp?containerId=247106
2. Veritas Global Databerg Report and Data Genomics Index
NEW COMPLIANCE OBLIGATIONS
There are a myriad of new rules and requirements that need to be considered, covering wide ranging areas such as transparency and
breach disclosure, privacy by design, privacy impact assessments and how organizations obtain consent to use personal data. This will
challenge all departments involved and the systems that service them. From IT to Marketing to HR, teams that work with customer data
and external agencies need to be mindful of the flow and ownership of data and who is ultimately the controller or processor.
But the enhanced rights given to citizens over their personal data are set to become a real focus, particularly their ability to demand the
right to be forgotten and the portability of their data.
Structured and semi-structured data, through their embedded management
tools, go some way toward responding to this. However, for the sea of
unstructured data, IT departments and business functions need to
design their approach around the Ability to be Found, using tools to
bring visibility, insight and order to those billions of files and make faster
decisions on what should be extracted for value, retained for
compliance and searched for discovery in the event of a regulatory inquiry
or access request.
It will not be enough to be compliant by accident: records
management, policy and processes will need to be modernized and
documented to encompass the breadth of where and what comprises
personal data to be removed on request. Former employees' photos
would seem an obvious case, while their expense records may need to be kept to meet legal financial reporting obligations. But what about tweets put out
by the company referencing the former employees? This is where organizations have to take reasonable steps to inform controllers that
a data subject has requested the erasure.
LEGACY AND BIG DATA
Applying these rules as data is collected or created in real time is a task that could be considered practical, but many
companies have a ball and chain around their IT neck – their legacy data: a vast amorphous lump of unstructured data that they refuse
to let go of, held on the assumption that it must contain value to be extracted at some point in the future or ingested into a Big Data engine
to deliver trends or reveal hidden marketing secrets. The reality is that much of it is human-created ROT – redundant, obsolete or trivial data
that should have been eliminated long ago. Instead it has been migrated, archived or retained, often losing ownership or critical
information about its original value or purpose – while still potentially containing data now deemed personally identifiable. Under the
new rules, that blanket approach is no longer acceptable, as any retention period must be both necessary and proportionate to the
purpose for which the data was collected.
In the case of a merger, acquisition or takeover, where great care and due diligence are taken over the past and potential future financial
health of a business, it will become equally important to review the data within the business and its hygiene, to ensure no
hidden ‘Trojan horses’ breach the new regulations simply because their existence was not known. Another major consideration that the
GDPR brings is that it gives regulators considerable powers to impose huge financial penalties for non-compliance, up to a maximum of
4% of global turnover. This could run to tens of millions of dollars, pounds or euros for serious cases, a huge risk for
businesses to consider.