The current data protection laws in the EU date back to a Directive adopted in 1995, when the web boasted all of 23,500 websites. Nobody but a small community of IT visionaries saw anything like social media, cloud computing, or big data on the map; and few people had mobile phones.
We are witnessing a digital revolution that permeates every aspect of life. We communicate, consume, and transfer data, and every move leaves a trace in cyber space. Some businesses have even developed pricing schemes for insurance premiums based on big data analyses that use apps to record aspects of our everyday behaviour that affect insurance risks, such as living a healthy lifestyle and driving carefully.
The EU’s inelegantly named General Data Protection Regulation (GDPR) aims to catapult data protection into the era of big data and cloud computing, ensuring that data protection, as a fundamental right, is regulated uniformly and consistently throughout Europe. This creates a reliable legal framework for companies to operate in. Any company that handles European customers and their personal data will have to abide by this law, even if the company is based outside Europe and processes the data there.
Clear regulation with fines for violations
Organisations will need to curb their hunger for data, collecting only what they actually need for the specific purpose for which it was obtained. These principles translate into a series of obligations for any company handling the personal data of individuals in the EU, which are:
- “Privacy by design” and “privacy by default” are being enforced and must be built into the way data is collected and managed. The controller must implement appropriate technical and organisational measures. Also, wherever consent from the individual is required for data to be processed, that consent must be given actively, by an action or statement, rather than assumed.
- The “right to be forgotten” will help people better manage data protection risks online. For example, a user could request to have his or her Facebook profile removed. Data controllers will be responsible for taking all reasonable steps to inform third parties that are processing the data that the subject has requested the erasure of any links to, or copies of, that data.
- With the right to “data portability” in the GDPR, users will also have easier access to their own data and will be able to transfer personal data from one service provider to another more easily. The right to data portability is primarily aimed at social media platforms, but it applies to all controllers and is likely to place a significant burden on them.
Collected data falls into either structured or unstructured categories, and each poses different challenges. For instance, structured data collected via a smartphone that tracks a particular user’s location is probably easy to locate and delete. On the other hand, customer information that is held in unstructured files, such as emails and attachments, instant messages, or other loose files, is far harder to locate, export, and delete, and that makes complying with the GDPR very difficult for companies.
The GDPR places accountability obligations on data controllers to demonstrate their compliance. This includes requiring them to maintain certain documentation, conduct a data protection impact assessment for riskier processing, and implement data protection by design and by default.
Companies will have to comply with these obligations by 25 May 2018 at the latest. Fines for major violations have been set at a maximum of 4 per cent of global turnover in the previous financial year or €20 million, whichever is the greater. So, a decision to sit the issue out may come at a price.
Pressure from dark data
IT departments will obviously need to adapt existing data protection processes and policies to the new legal situation. Ultimately a coherent compliance strategy will require a collaborative dialogue between the IT department and compliance teams.
A clear strategy for structured data may be relatively easy to devise and implement, but the management of unstructured data, so-called dark data, will be more problematic, and the IT team may have to take the lead in solving this problem. Compliance audits may leave the risks hidden, as nobody knows exactly what data has accumulated in this uncontrolled heap, which, according to IDC, grows by a massive 62% a year. The problem is likely to keep growing until IT departments start shedding some light on this dark data. According to the recent “Global Databerg Report”, produced by Veritas, IT leaders believe only 45% of their data is tagged or classified, leaving 55% of their “Databerg” opaque. In other words, companies are blind to the content of half of their data. It is not possible to make a sound judgement about the compliance risk associated with dark data when companies simply don't know what it contains.
Information contained in dark data needs to be identified and assessed without causing major disruption to the infrastructure or to IT processes. Archiving, backup, and storage-management solutions already generate metadata about the files they handle; Veritas collects and evaluates this metadata, which can be used to make sense of the whole data heap. Eighty-six per cent of Fortune 500 companies already use one of these solutions. The information can be used to create an accurate map of the company’s information, even when the data is scattered across a variety of locations and repositories.
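The unstructured-file problem described earlier and the inventory approach described here come down to one practical question: can you walk a file share, record what is there, flag files that contain personal data, and answer an erasure request by listing every file that mentions a given data subject? The script below does exactly that over a small constructed corpus. It is an added example written for this page, not Veritas code and not the product described above; the file types it reads, the email and international-format phone patterns it uses, and the sample files it creates are all assumptions made for illustration.

```python
"""Inventory scanner for unstructured ("dark") data.

Walks a directory tree, records file metadata, searches text files for
personal-data indicators, and answers the question an erasure request
raises: which files mention this data subject?
Added example: detectors and sample corpus are constructed assumptions.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Indicator patterns. Deliberately simple assumptions for the example;
# a production classifier would use more precise, locale-aware detectors.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# International-format phone numbers only (+CC followed by 6-12 digits),
# so that dates and timestamps in logs are not counted as phone numbers.
PHONE_RE = re.compile(r"\+\d{1,3}(?:[\s-]?\d){6,12}\b")
# File types the scanner knows how to read as text; anything else stays dark.
TEXT_SUFFIXES = {".txt", ".eml", ".csv", ".md", ".log"}


@dataclass
class Record:
    path: str            # path relative to the scanned root
    size: int            # bytes, from stat()
    classification: str  # "personal-data", "no-personal-data" or "unclassified"
    emails: frozenset = frozenset()   # lower-cased addresses found in the file
    phone_count: int = 0


def scan_file(root: Path, file: Path) -> Record:
    """Classify one file from its content; unreadable files remain unclassified."""
    rel = file.relative_to(root).as_posix()
    size = file.stat().st_size
    if file.suffix.lower() not in TEXT_SUFFIXES:
        return Record(rel, size, "unclassified")
    try:
        text = file.read_text(encoding="utf-8")
    except UnicodeDecodeError:
        return Record(rel, size, "unclassified")
    emails = frozenset(m.lower() for m in EMAIL_RE.findall(text))
    phones = len(PHONE_RE.findall(text))
    cls = "personal-data" if (emails or phones) else "no-personal-data"
    return Record(rel, size, cls, emails, phones)


def build_inventory(root) -> list:
    """The 'map' of the share: one Record per file, in deterministic path order."""
    root = Path(root)
    return [scan_file(root, f) for f in sorted(root.rglob("*")) if f.is_file()]


def summarise(records) -> dict:
    """How much of the share is understood versus still dark."""
    counts = {"personal-data": 0, "no-personal-data": 0, "unclassified": 0}
    for r in records:
        counts[r.classification] += 1
    return counts


def files_referencing(records, subject_email: str) -> list:
    """Erasure-request lookup: every classified file mentioning this subject."""
    needle = subject_email.lower()
    return [r.path for r in records if needle in r.emails]


def build_sample_corpus(root) -> Path:
    """Constructed sample files standing in for an uncontrolled file share."""
    root = Path(root)
    samples = {
        "mail/2017-03-quote.eml": "From: Anna.Schmidt@example.com\n"
                                  "Subject: Renewal quote\n\n"
                                  "Call me on +49 30 1234567 to discuss.\n",
        "chat/support.log": "2017-03-02 10:14 user bob.jones@example.org "
                            "reports login failure\n",
        "docs/runbook.md": "# Restore procedure\n1. Mount the backup volume.\n"
                           "2. Run the restore job.\n",
    }
    for rel, content in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
    blob = root / "backups" / "export.bin"
    blob.parent.mkdir(parents=True, exist_ok=True)
    blob.write_bytes(bytes(range(256)))  # opaque binary: stays dark
    return root


def scan_sample_corpus() -> list:
    """Build the constructed corpus in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return build_inventory(build_sample_corpus(tmp))


if __name__ == "__main__":
    records = scan_sample_corpus()
    print(summarise(records))
    print(files_referencing(records, "anna.schmidt@example.com"))
```

The binary export file ends up as "unclassified" rather than silently "clean": that residual bucket is the number a compliance team actually needs to see, because it is the part of the share for which no judgement about GDPR risk can yet be made.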
Knowledge behind data
This knowledge will not only help companies meet the new EU Regulation while improving control of risks to reputation and turnover, but will also give them far easier access to what IDC, in a paper published in 2014, referred to as target-rich data. The analysis company defines target-rich data as the data from which a company can extract the highest value, judged by five criteria, among them: the data must be readily accessible in real time; evaluating it will have the greatest impact on customers and the organisation; and intelligently analysing it and the insights gained will give the company or organisation the potential to make substantial improvements. A company whose information management already operates according to these criteria will not only be prepared for the new regulation in 2018, but will also be able to find the important data in time and gain a competitive advantage from the new knowledge.
By David Moseley, global solutions manager at Veritas
Find out how to ensure that your company is fully prepared for the implementation of GDPR by attending the GDPR Conference Europe, designed to help businesses prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at www.gdprconference.eu