25th May 2018. The day GDPR becomes a reality. And with it comes a fundamental change to the way that we manage and distribute data. As everyone knows by now, it is not a ‘nice to take notice of’ initiative; it is a ‘must comply with’ piece of legislation. But here’s the challenge: because it is such a significant shift in the way that any business with data at its heart operates (and which business today doesn’t rely on data for all it does?), complying seems a formidable task. As a result, many businesses appear stuck in ‘analysis paralysis’, incapable of implementing simple strategies to meet the GDPR challenge. How can you break through that paralysis? How can you get started on the path to compliance? In short, where do you start?
Let’s, for a second, remind ourselves of the driver behind the introduction of GDPR in the first place. At the most foundational level, it’s about stopping the misuse of personal data by organisations that may be tempted to use that data to engage in intrusive, unwanted marketing activities. We have all suffered such targeting and we all know how annoying it is. So, one of the key tenets of GDPR will be that it requires organisations to prove that any data they are holding on anyone is necessary to the running of their business, rather than being held for the kind of marketing activities I’ve just outlined. Within every business, there are obviously many different and disparate data streams, making it tough to create an easily auditable view of the data and, in turn, to prove why it is essential to the running of the business.
To give you an example, let’s imagine you are a retailer and it is found that, at the point of purchase, the till is scanning the colour of people’s eyes as they pay. You’d have to explain why you were doing that. Perhaps you are an optician and have a legitimate reason for capturing this data, as it helps you provide better aftercare to your customers. Or perhaps you were planning on earning some money on the side by selling that data to third-party companies (e.g. people with green eyes are most likely to buy chocolate). But even if your reasons are entirely honourable, as per the optician example, you still need to be able to explain your data processes downstream from the till to ensure that, if you were checked, you did indeed comply with GDPR.
And that, my friends, is one time-consuming task.
Moving forwards, data will have to be both identifiable and auditable, which sounds daunting, but there are products out there that can help, and automation software is a good place to begin your search. On a proactive basis, data infrastructure automation software can go off and discover data areas and tag areas of concern. It can be used to map out all data systems within the organisation, providing a really effective means of auditing and cataloguing data. And on a reactive basis, if ever you are asked to prove anything about a particular piece of data, or to pull multiple trails together quickly for an export request, again, data infrastructure automation software can supply a full lineage of that data trail. With the ability to define an extract that pulls together all data related to a particular person from all areas across the business in less than 30 days, there is no need for the user to build these extractors in advance, and they can be re-used the next time someone asks.
Even better, when capabilities like these are combined, data infrastructure automation software can retrospectively go out and catalogue all of your data, and easily enable complex data extraction. Building new analytics capability within your organisation with automation software – such as WhereScape – can help you rapidly ensure your compliance with GDPR requirements.
Complying with GDPR presents significant challenges to all businesses. But the first, and most important, step is to quickly get to a point where you can both identify and audit your data. From here, the roadmap to GDPR compliance will suddenly look a lot clearer.
By Rob Mellor, VP GM EMEA, WhereScape