You may already be familiar with the GDPR. Indeed, you may be working right now on a compliance strategy to target the Regulation. Or maybe there’s still a lot of work to be done: research last year indicated that just 46 percent of organisations are highly confident that they’ll be ready by the implementation date and 88 percent report technological challenges.
Whatever your status, it’s time for urgent action.
Before examining ways to accelerate and ensure your GDPR compliance, let’s recap what the EU Regulation involves. It puts control of personal data more firmly in the hands of the individual, giving them rights over how their data is accessed and how they can withdraw that access. Moreover, organisations will have to think carefully about how they gather data, and they will have to prove they are protecting data in the best way possible. The GDPR will also simplify the regulatory environment for business, harmonising data protection regulations within the EU.
The GDPR applies to any company that handles European users’ data, regardless of where in the world it is based; and the definition of ‘personal data’ extends from basic personal contact data right the way through to pictures, IP addresses, and biological, economic or social information.
There’s no hiding from the legislation either: it’s a stark case of comply or face the consequences. Non-compliance could lead to fines of up to €20m or 4 percent of a company’s global annual turnover.
Make no mistake. The GDPR will impact almost every corner of the business: from the way personal data is collected and used, to how it is processed, stored, and transmitted to countries outside the EU.
What do organisations need to focus on?
As the May 2018 deadline approaches, these are just some of the key areas organisations need to focus on.
- New requirements: Organisations will need to put data protection at the centre of their information processes, including the execution of data protection impact assessments—appointing a data protection officer could also be a way to guide this overall process.
- New user rights: The GDPR demands increased transparency. For example, users can request the erasure of data from controllers (the ‘right to be forgotten’), the correction of errors, and the right to access data in structured formats so they can switch controllers. If a data breach occurs, users also need to be notified in certain cases.
- Technology strategy: Organisations will need to document and report on where their data is, how it is collected, how it is stored, and who can access it. For example, whenever personal data is used for testing, the testers need to ensure there is a legal ground to do so.
- Identity management: The GDPR supports calls for transparent, documented, and enforceable identity policies and tools surrounding authorisation and authentication to ensure traceability and increased security.
Five technology steps to accelerating GDPR compliance
The advent of the GDPR demands that organisations devote sufficient resources to risk management and compliance, and in particular to information technology. So how can technology help organisations accelerate their response to the legislation and become GDPR compliant?
Data management and discovery
The initial step is to discover personal data across your organisation and protect it from unauthorised access. By identifying and controlling personal data—at rest, in motion, and in use—organisations will be well positioned to enforce GDPR compliance.
Identity and access governance
Organisations need to centralise and govern user identity and manage access, especially in the case of privileged users. By automating this user management, organisations benefit from ‘who has access to what’ insights, higher user productivity and GDPR compliance.
Privileged access management and threat analytics
Under the terms of the GDPR, data controllers must report any data breach within 72 hours of the incident occurring. By managing privileged access, organisations can more easily protect privileged activities and support data breach detection and notification.
Test data management and synthetic data generation
Test data management (TDM) is the process of providing, distributing, and managing test data for development teams—and TDM takes on more urgency as the GDPR deadline looms. Robust and efficient TDM practices are key to overcoming compliance hurdles and avoiding the penalties associated with the GDPR. By using synthetic data, organisations will avoid the pitfalls associated with masking production data.
API management
API management is the foundation for a future-proof GDPR-compliant architecture. It enables organisations to quickly and easily adopt rules for gathering consent, and to inform users about the regulations relating to data access and data portability.
When the EU GDPR legislation comes into force on 25 May 2018, it will give citizens back control over their personal data and simplify the regulatory environment for international business. Organisations need to review their data lifecycle and put in place rigorous and robust controls for the security and protection of data and how it’s used and accessed. By adopting the appropriate software solutions, and wrapping these around compliant processes, organisations can ensure GDPR compliance.
By Rob Coleman, CTO for UK&I at CA Technologies