A large number of organizations are still unprepared for the General Data Protection Regulation. In a Veritas survey about GDPR readiness, 69% of respondents said they were still preparing for it. And, while the other 31% thought they were fully equipped, only 2% were truly compliant (following 100% of the GDPR requirements).
These dismal numbers are understandable. GDPR is a complex piece of legislation. It requires sweeping changes in terms of how companies do storage. But ignorance is no excuse, at least not in the eyes of regulators. Businesses can’t afford to overlook GDPR’s implications.
This is why Softchoice and Veritas recently conducted a webinar called “GDPR: Leveraging Insights to Action to Become GDPR-ready.” It offered a comprehensive view of why GDPR exists, and what enterprises should do about it.
Here’s a summary of some of the key points, so you can get up to speed.
Why Is GDPR Happening Now?
If you read the news, you know that data breaches are escalating. Equifax, Home Depot, and Target are only a few of the high-profile firms whose data was compromised in the last few years. But that’s just the tip of the iceberg. According to research by Gemalto, 2017 saw 1700 data loss events, with 2.6 billion records lost. This represented a 369% year-on-year growth from 2016.
The general public is taking notice. Veritas reports that 92% of consumers are concerned about the protection of their data. 38% are pessimistic about how organizations are handling it. Moreover, 62% said they would stop doing business with a company that mishandled their records.
So, clearly, GDPR is a manifestation of public opinion. It’s a legal translation of what consumers want. It’s not just worth following because of the fines, although the fines are quite steep. (Up to 20 million Euros or 4% of worldwide annual revenue, whichever is higher.) It’s also a way to keep up with the marketplace, by catering to increasingly savvy users who demand real security. Even if you’re somehow completely avoiding the EU, data protection is good business.
What’s Actually in It?
Well, for one thing, GDPR contains a huge amount of legalese. Its articles aren’t easy reading, and there are 99 of them, which is a somewhat intimidating number. But it’s actually not quite as complex as it seems. According to Veritas, GDPR’s mandate breaks down into four basic directives, each of which is simple to understand, if not to execute.
First, GDPR requires accountability and governance. Enterprises have to be able to show regulators that they’re engaging in responsible data protection. This means creating documentation of all the relevant procedures, as well as making their operation as transparent as possible.
Second, companies need to stop hoarding data. Before GDPR, enterprises generally had a “store everything” attitude. Businesses with this mentality accommodated new user data simply by buying more storage. They didn’t stop to wonder if the old data was disposable. This became even more true with the advent of big data: companies wondered whether a random piece of information, plugged into an algorithm, could be the key to commercial gain. As a result, companies ended up with large bodies of poorly managed data, and, generally, that means increased exposure risk.
Third, breach notification has to happen a lot faster. Generally, before GDPR, companies waited from six months to a year before notifying authorities and users of a breach. Now, that time has shrunk to 72 hours. This requires vigilance. Companies need to be able to quickly spot any unusual activity, and decide whether it’s a sign of a reportable incident.
Fourth, companies need to honor their customers’ rights. Under GDPR, users are entitled to demand access to their data. Once granted access, users can request modification or deletion, assuming there is no legitimate reason for the data to be retained. This needs to happen within a 30-day window.
How Do We Do That?
In addressing these four mandates, Veritas simplifies GDPR compliance by reducing it to five key actions. If executed fully, they can prepare any enterprise. Veritas calls this 360° Data Management. In their model, the five steps are: locate, search, minimize, protect, and monitor.
- Locating means understanding exactly where user data resides and having smart indexing for it. Enterprises need to contain information with an easily organized system, rather than amassing an unwieldy, unstructured pile of exposable records.
- Searching means having advanced tools that allow enterprises to comb through this system at a moment’s notice, and find any data needed, no matter how obscure. Nobody knows which specific records will be requested by users or regulators.
- Minimizing is all about abandoning the data hoarder approach. Proper minimization involves good classification. Enterprises need to know whether they’re looking at valuable intellectual property, or just old ones and zeroes. Moreover, there must be firm policies about getting rid of useless information.
- Protecting doesn’t just imply being secure. It also entails a transparent approach to security, enabling a thorough accounting of any part of the system. Regulators might want to know exactly how a specific piece of data is being shielded, and where it’s flowing to.
- Monitoring is vital. Enterprises have to detect abnormal activity as early as possible and analyze it quickly. After all, it’s not always clear whether an unusual pattern of access indicates a breach, but under GDPR, companies have to make that decision almost immediately.
This isn’t easy. But it’s a comprehensive roadmap that clears up the confusion. Like anything, GDPR compliance is easier to execute when it’s distilled into a high-level plan, rather than a gigantic list of individual tasks.