The €20 million challenge: how to comply with GDPR and minimise business risks

18/01/2017

How can an organisation modernise its data governance, and can regulation be seen as an opportunity to increase productivity by optimising data handling practices?

The speculation and uncertainty are over; the EU General Data Protection Regulation (GDPR) has been agreed and is set to come into force in 2018, governing how enterprises handle their customers' data.

Even in the UK, where Brexit has cast the shadow of doubt across the applicability of EU law for British organisations, the consensus is that they must still comply with GDPR if they intend to do business with Europe.

A failure to do so will expose organisations to the risk of fines of up to €20 million or 4% of their global turnover, whichever is greater, providing a fairly hefty stick to motivate organisations towards compliance.

Unfortunately, compliance won't be easy, and many business initiatives have been thrown into doubt over the data governance challenges GDPR introduces.

Namely, enterprises must track all instances of customer data, obtain the individual's consent to use their data and document the measures in place to manage that process for auditors.

This presents a challenge for several reasons. First, the amount of data being collected is rocketing, so there's more to manage. Second, the shift to Agile and DevOps has increased the pace of change, while new digital technologies such as mobile, and the use of outsourcers to accelerate delivery, are adding to IT complexity.

As a result, it's much more difficult to keep track of customer data at a time when that control has never been more important. So how can organisations stay on the right side of EU regulators without putting the brakes on their digital transformations?

Take the analytics to your data

Data analytics projects will be a particular challenge when it comes to GDPR compliance. In recent years, companies have been collecting more and more information to gain a greater understanding of their customers.

Nine in ten organisations say this is critical to achieving business goals, so it would be counterproductive to just stop collecting it, and having the data isn't a problem in itself.

However, what does cause an issue is that data is often moved between multiple systems during the analytics process, elevating the risk of compromise.

This is a relatively simple issue to solve, as the majority of customer data in large enterprises resides on the mainframe. Given that this platform is highly secure, scalable and reliable, organisations should just take the analytics to the data and conduct it on the mainframe, rather than transferring it to a third-party cloud, or another internal server.

This significantly reduces the risk of a data breach, which could result in a costly fine through the GDPR.

Get your data under control

The next thing to look at is combatting the complexity that has encroached into IT systems as a result of digital transformation. One of the major challenges with GDPR is the right to be forgotten mandate, which forces organisations to delete a customer's data on request.

Before they can delete it, organisations first have to find the data, which is easier said than done in the complex rabbit warren of databases underpinning digital ecosystems.

Nearly a third of CIOs admit they couldn't guarantee they could find every copy of a customer's data, let alone delete it.

For many organisations, mainframes act as a central repository for data, so in theory this should be an easy task; it's all in the same place, so they just need to look it up and delete it.

However, the reality is different, because modern IT teams lack the experience of working on the mainframe, so identifying and extracting information isn't easy.

One customer's information may have been replicated into multiple databases, so finding every instance is another challenge.

The only way of overcoming this is to give IT teams an intuitive way of visualising the relationships between datasets on the mainframe, so they can easily extract all of one customer's data and delete it, without specialist skills.
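The erasure problem described above, as an added example that is not part of the original article: a constructed inventory records which dataset each copy was taken from and which field identifies a customer in it, and a walk over those relationships finds every copy, including one keyed by account number rather than customer ID, which a lookup by customer ID alone would miss. The dataset names, rows and key fields are all assumptions made up for the example.

```python
# Constructed inventory of where customer data lives: the dataset each copy was taken
# from and the field that identifies a customer in it. A real inventory would come from
# the organisation's data catalogue or lineage tooling.
INVENTORY = {
    "crm.customers":            {"copied_from": None,            "key": "customer_id"},
    "crm.accounts":             {"copied_from": "crm.customers", "key": "customer_id"},
    "marketing.contacts":       {"copied_from": "crm.customers", "key": "customer_id"},
    "analytics.orders_extract": {"copied_from": "crm.accounts",  "key": "account_no"},
}
# Constructed rows (no real people).
DATA = {
    "crm.customers": [{"customer_id": "C1001", "name": "Alice Example"},
                      {"customer_id": "C1002", "name": "Bob Example"}],
    "crm.accounts": [{"customer_id": "C1001", "account_no": "A-77"},
                     {"customer_id": "C1002", "account_no": "A-78"}],
    "marketing.contacts": [{"customer_id": "C1001", "email": "alice@example.com"}],
    "analytics.orders_extract": [{"account_no": "A-77", "amount": 42.5},
                                 {"account_no": "A-78", "amount": 120.0}],
}

def identifiers_for(customer_id, data):
    """All values that identify the customer somewhere: the customer_id itself plus
    any account numbers linked to it in the system of record."""
    accounts = {r["account_no"] for r in data["crm.accounts"] if r["customer_id"] == customer_id}
    return {"customer_id": {customer_id}, "account_no": accounts}

def find_copies(customer_id, data, inventory, ids=None):
    """Walk every dataset copied (directly or indirectly) from the system of record
    and collect the customer's rows, whichever key each copy is stored under."""
    ids = ids or identifiers_for(customer_id, data)
    found, frontier = {}, ["crm.customers"]
    while frontier:
        name = frontier.pop()
        key = inventory[name]["key"]
        rows = [r for r in data[name] if r.get(key) in ids[key]]
        if rows:
            found[name] = rows
        frontier += [n for n, meta in inventory.items() if meta["copied_from"] == name]
    return found

def erase(customer_id, data, inventory):
    """Delete the customer from every copy, re-check with the same identifiers that
    nothing is left, and return per-dataset counts to keep as the audit record."""
    ids = identifiers_for(customer_id, data)
    removed = {}
    for name, rows in find_copies(customer_id, data, inventory, ids).items():
        data[name] = [r for r in data[name] if r not in rows]
        removed[name] = len(rows)
    assert not find_copies(customer_id, data, inventory, ids), "copies remain after erasure"
    return removed
```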

Get permission to use your data

Another potential sting in the tail of the GDPR is the requirement to have explicit consent from customers before using their data for purposes beyond those it was collected for.

For example, many organisations use customer data to test applications, to ensure new digital services work as expected once launched. However, research shows just one in five organisations actively seeks explicit consent before using data for additional purposes, like testing.

Worse still, many outsource application development to third-parties and share customer data with their partners for testing, leaving them doubly at odds with GDPR.

It may not be realistic to ask customers for explicit consent for every use case in which the organisation wants to use their data. As well as being a logistical challenge, there's a risk of annoying customers by asking a similar question multiple times, which is why many currently just ask for broad permission covering a range of activities.

However, that won't be acceptable once GDPR comes into force, so organisations need a new approach, or face the consequences. This burden can be removed with an effective test data privacy strategy.

If organisations mask customer data to ensure it cannot be used to identify an individual, they can still use it for a huge range of activities, such as testing, without needing customer consent.
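The test data masking described above, as an added example that is not code from the article or from Compuware: customer records are pseudonymised with a keyed one-way token so that rows referring to the same customer stay joinable across tables, while names, emails and full postcodes are removed, and two checks confirm the masked copy still joins and leaks no original value. The records, field names and key are constructed for the example; because the key can recompute tokens from known inputs, it stays with the masking job and never reaches the test environment.

```python
import hashlib
import hmac

# Constructed sample records standing in for production customer data (not real people).
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com", "postcode": "SW1A 1AA"},
    {"customer_id": "C1002", "name": "Bob Example", "email": "bob@example.org", "postcode": "M1 1AE"},
]
ORDERS = [
    {"order_id": "O1", "customer_id": "C1001", "amount": 42.50},
    {"order_id": "O2", "customer_id": "C1001", "amount": 9.99},
    {"order_id": "O3", "customer_id": "C1002", "amount": 120.00},
]
# Constructed masking key. It belongs to the masking job only: anyone holding it can
# recompute the tokens from known inputs, so it must never reach the test environment.
MASKING_KEY = b"constructed-demo-key-rotate-per-refresh"

def pseudonym(value, key=MASKING_KEY, length=12):
    """Keyed one-way token: equal inputs give equal outputs, so rows in different
    tables that refer to one customer stay joinable after masking."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]

def mask_customer(row, key=MASKING_KEY):
    """Masked copy: identifiers tokenised, email kept in a valid shape so application
    validators still pass, postcode reduced to the coarse outward code."""
    return {
        "customer_id": "C" + pseudonym(row["customer_id"], key),
        "name": "Customer " + pseudonym(row["name"], key, 6),
        "email": "user" + pseudonym(row["email"], key, 8) + "@test.invalid",
        "postcode": row["postcode"].split()[0],
    }

def mask_order(row, key=MASKING_KEY):
    # Non-identifying fields stay; the foreign key is tokenised exactly as in the
    # customer table, which is what keeps joins working in the test database.
    masked = dict(row)
    masked["customer_id"] = "C" + pseudonym(row["customer_id"], key)
    return masked

def orphan_orders(customers, orders):
    """Post-masking check: every order must still join to a masked customer."""
    ids = {c["customer_id"] for c in customers}
    return [o["order_id"] for o in orders if o["customer_id"] not in ids]

def leaks_original_values(masked_customers, originals):
    """Post-masking check: no original name or email survives in the masked copy."""
    blob = " ".join(str(v) for c in masked_customers for v in c.values())
    return any(o["name"] in blob or o["email"] in blob for o in originals)
```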

Seeing an opportunity in the challenge

The GDPR clearly creates a number of risks that organisations must consider if they are to avoid the consequences of non-compliance. By modernising their approach to data management, much of that risk can be diminished. Furthermore, whilst it might seem like a burden, this also presents a major opportunity for businesses to increase productivity by optimising data handling practices.

As well as supporting compliance with GDPR, modernised approaches can help to reduce the man-hours needed to handle data collection and management, leaving IT teams free to concentrate on analytics and innovation, creating a win-win scenario for both organisations and their customers.

Sourced by Dr Elizabeth Maxwell, technical director, EMEA, Compuware

Read more: https://www.information-age.com/20-million-challenge-gdpr-risk-123464002/