Nowadays, data is the ubiquitous topic on every management agenda. The volume of data has increased exponentially, as data has become the crude oil of the 21st century. Not surprisingly, that hype comes with a downside. Tougher regulations force companies to invest in their data management, making it resistant to data breaches and cyber-attacks. In this context, GDPR has set the highest compliance standards. This brief article helps you to understand and overcome its basic challenges.
What exactly is GDPR about?
GDPR is the General Data Protection Regulation, affecting all companies processing personal data within the European Union (EU). Enacted on May 25th in 2018 by the EU, it strengthens and unifies data protection for all individuals within the EU. GDPR requirements impact data storage, processing, access, transfer and disclosure. It basically defines how to interact with data subjects and how to respond to different data-related requests and incidents (data subject requests, data protection authority requests, data breach incidents). Painful sanctions, 4% of annual global turnover or 20 million €, whichever is greater, drive companies to rethink their data compliance and data protection strategies. Another significant fact is that GDPR is a principle-based regulation, meaning companies need to evaluate to what extent they meet all requirements, based on their specific business model or industry. Consequently, the EU regulation is not straightforward and cannot be answered with a one-size-fits-all solution. An individual evaluation is necessary!
What are GDPR’s toughest challenges?
Keeping in mind the basic requirements, a closer look at your company’s data governance and data security is the first step. If you monitor data on a large scale, a data protection officer must be appointed. Another obstacle is to limit the access to personal data. Identifying individuals from sensitive data stored on-premises or in the cloud is allowed solely for explicitly selected users, e.g. those involved in audits. Therefore, personal data must be pseudonymized, or a governance concept for different access levels must be implemented.
Several rights empower the owner of personal data, for instance:
- Subject access request → The data subject can demand to see the stored data, where it is stored, who has access to it, how long you plan to store it, and can even get a copy of it (your response must be within one month!)
- Right to be forgotten → Enterprises need to permanently delete all obtained data if no reason for keeping it exists
- Data portability → Individuals have the right to ask companies to pass on their data to another processor if they want to do business with a competitor
- Notification of breaches → In case of a data breach, authorities and the data owner need to be informed within 72 hours
These four examples are just the tip of the iceberg, but many questions already arise:
- What GDPR rules apply to my company?
- Which data is in scope of GDPR?
- How do we assign the relevant rules to the data in scope?
- Where is the data in scope stored across all different systems and applications?
- How is it possible to manage all data requests in such a short timeframe?
- How can I identify the personal data of one person in a heterogeneous system landscape?
- Who is responsible in my organization for data requests or data breaches?
- How can we automate the retention and deletion of this process?
Eliminate risks with our proven framework
Our framework combines data, processes, governance and IT so that all challenges are considered holistically. Our goal is to automate GDPR-related requests as far as possible, and especially the effort of manually deleting data.
First, CAMELOT’s structured efficiency assessment can be conducted within 3-5 days and results in a maturity measurement across the different GDPR dimensions. A detailed evaluation follows of where exactly sensitive data is stored and what risk it imposes. Often companies lack a centralized view of storage locations, the possibility to quickly retrieve sensitive data, and/or automatic data removal across all systems and applications.
We specialize in establishing a solution that covers all GDPR challenges regarding governance, processes, data and IT, with a proven project approach. Other national retention rules or internal compliance rules, depending on each business, can be considered. Including cross-functional experts (from IT, Legal, Tax, Audit, HR and other relevant functional departments) secures the gathering of all requirements and increases the likelihood of a successful project. If you own an SAP NetWeaver license, SAP ILM Retention Management is freely available to you. With our expertise we can set up and implement the relevant retention and deletion rules to largely automate the crucial step of deleting obsolete personal data.
The enacted data regulation comes with several challenges and leaves enterprises with unanswered questions. CAMELOT, as a leading consultancy in Enterprise Information Management, supports you in finding the best response. A quick efficiency assessment unveils the maturity of your GDPR readiness. Covering all dimensions with a combination of the data in scope, data-subject-related processes, a governance concept and a suitable IT solution, we help you become GDPR compliant. Businesses need to leverage automation to tackle the challenges associated with the increase of personal data, and that is what we are aiming at. If you want to know more about how to enable GDPR compliance with automated archiving and deletion of data, don’t hesitate to get in touch.
Link for further GDPR-related information: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
Further articles of the series: