The GDPR flood: more significant than the Millennium bug?

As EU GDPR approaches, Information Age wanted to learn what businesses are doing to prepare and what solutions are available to them.

GDPR presents a host of problems for organisations, but also an opportunity

'The biggest current challenge facing organisations is understanding how big the risk really is: where is that data, what is that data? Once they can do that they can start to look at solutions to mask and anonymise that data at source.'

Implementing General Data Protection Regulation (GDPR) is the biggest challenge facing businesses across every industry.

This will affect businesses whether they are based in Europe or not. It is a global challenge that must be risen to.

Despite the heavy news coverage and obvious financial threats it poses to an organisation, recent interviews with Information Age (IA) have revealed a fairly relaxed stance surrounding the impending regulation.

This is perplexing given the vast number of requirements necessary to comply with GDPR combined with the crippling fines should a company fail to comply.

To explore GDPR’s wider implications for implementation and data governance, as well as the solutions available, Information Age spoke to Jes Breslaw, EMEA marketing director for Delphix, and Dharmesh Pancholi, business analyst/technical PM at Sony, to establish exactly what challenges GDPR poses and what viable solutions exist to ensure compliance.


Delphix provides data virtualisation and data masking solutions so Breslaw was well placed to discuss the scope of the new regulation, while Sony via Pancholi provided a great case study as an enterprise facing GDPR.

The challenges

Complying with the sheer number of requirements outlined within GDPR is a significant challenge.

Organisations will have to know where all their data is and what it is. That data exists in a variety of forms, as Breslaw explained to Information Age.

“I think the first challenge is that most companies when they think about their data, they think about their production data. They don’t think about their non-production data.”

“By non-production data, I mean the data used for developing and testing applications, for reporting, for compliance, for analytics. All of that exists as copies, and exists all over the company.”

“For big companies that’s out of control. There is no single view of where that data is and how secure that data actually is.”

When you then start to think about outsourcers or third parties working on that data as well, it presents a huge challenge to companies.

Getting ready for this data treasure hunt should now be a top priority for organisations, if it is not already.

Pancholi told Information Age that at Sony they are already “gathering technical individuals who are one way or another linked to the organisation's data, in order to ensure GDPR compliance is met on time.”


Every organisation is different, but the need to get GDPR-ready is the same.

This starts with the first hurdle, understanding the risk.

According to Breslaw, the biggest current challenge facing organisations is understanding how big the risk really is: “where is that data, what is that data?”

“Once they can do that they can start to look at solutions to mask and anonymise that data at source.”

GDPR compliance

In order to successfully comply with GDPR organisations must know where their data is, know what that data is, and secure that data way beyond the current data protection systems.

There are data breaches every day.

In order to protect data sufficiently, organisations will have to mask their data. Data masking is nothing new; it has been around for years.

Breslaw told Information Age, however, that “there was an analyst from Gartner who said that 80% of the problem with masking isn’t the masking itself, it’s the delivery of that masked data.”

“If you imagine a big bank with 7,000 applications, every 1 of those 7,000 has to be masked.”

“It’s an impossible task because you need to spend money and time on every single one of those applications, taking the data, setting a policy up, anonymising that data and once you’ve used that data once or get a new live copy you’ve got to go through that process again.”

“It’s actually impossible for companies to do.”

GDPR solution

For businesses like Sony, this statement may be slightly disheartening.

Not only do they have to get over the initial big challenge of identifying all their data, but once identified the traditional method of protecting that data doesn’t cut it, according to Breslaw.

He does, however, describe the solution that Delphix offers.


“Rather than masking data at the destination, i.e. each application, Delphix takes a single live copy of a company’s data.”

By masking that single copy, the masking of the virtualised copies and virtualised databases derived from it (which can be delivered anywhere) becomes an automated process.

“It brings automation to what is a very complex, expensive and time consuming process.”

However, ‘simply’ implementing, or complying with GDPR is not enough.

The new regulation will have a significant impact on other aspects of organisations’ data governance strategy.

GDPR and data governance strategy

Implementing GDPR will be part of a wider data governance strategy.

At Sony, Pancholi told Information Age, data governance “is an ongoing task where we regularly inspect, validate, and optimise data.”

“However,” he notes, “it is still a laborious, time and resource consuming task.”

Post-GDPR, data governance will change, and at the front of it will be a chief data protection officer (CDPO).

This person will own a company’s data protection, and for those big enterprises out there it is a requirement of GDPR. There is no wiggle room.

Effectively this CDPO’s job is to identify weak spots in a company and report them. They are immune to whistleblowing.

So even Sony’s “stringent” data governance strategy will be shaken up.

This is perhaps for the better, as failure to comply or exposure from the new CDPO will result in crippling fines for an organisation.

Fines

The fines post-GDPR will be significantly higher than those incurred under current data protection laws.

4% of global revenue is at risk.


Take the TalkTalk incident as an example: it was fined £400,000.

After GDPR it would have been £70 million.

Despite this, according to Breslaw, some organisations are going to go down this route and incur this massive sum.

He does acknowledge that the flip side of this is that organisations are going to invest a small sum of global revenue “in upgrading data protection and data security, and whilst they are doing that we will use it as an opportunity to modernise our systems.”

The Millennium Bug

In this regard GDPR can be tied quite closely to the Millennium Bug.

Before the Millennium Bug everyone was worried about what was coming; they made many changes to their systems and used it as an opportunity to modernise them.

“There will be more money invested in GDPR than there was in the Millennium Bug,” said Breslaw.

“Data governance is coming to a head, where companies are going to be forced to have, from the top down, a data protection policy that seeks to put people process and tools in place to deal with this.”

Time is of the essence

At the start of this feature it was made clear that some companies interviewed by Information Age have taken a fairly relaxed stance to GDPR.

This is predominantly a result of how far away the regulation’s deadline still is.


The deadline for GDPR is 25th May 2018, but according to Breslaw companies need to start thinking about budgeting now for the auditing, process and business change they will have to go through next year.

“It’s really important right now, because companies that don’t plan now won’t have the things in place next year and will be at risk come 2018.”

Comments (1)

privacycheq

This article is accurate as far as the data responsibilities of enterprises that are endeavoring to comply with GDPR, but it leaves out the fact that GDPR requires numerous operational changes - for one thing, the principles of "Privacy by Default" and "Privacy by Design" must be adopted. Secondly, GDPR requires data subjects to be given a host of new options that will require changes to web sites and mobile apps. Before any PII can be captured, the data subjects must be given an understandable notice that explains what will be captured, how it will be stored, who it will be shared with, how they can see it, how they can revoke their consent, and how they can be notified in the event of a breach.

The IT effort required to operationalize these GDPR responsibilities is generally not understood. Dashboards have to be created for data subjects, DPOs, data processors (third parties like ad networks), regulatory reporting, consent management, and "Subject Access Requests" - users being able to see their data easily. PrivacyCheq has created a SaaS GDPR toolkit that provides all of these complex user interactions and regulatory reporting capabilities.