Get a Grip on Your Data Before GDPR Goes Live
We’ve been living the Wild West stage of big data the last few years, where data is flying all over the place and basically anything goes. Thanks to a new European law called the General Data Protection Regulation that goes into effect 18 months from now, companies all over the world will need to have tight security controls on sensitive customer data, or face big fines.
The GDPR, which has been called “PCI on steroids,” was passed by the European Commission earlier this year to give European citizens more control over how companies and other organizations store and use their personal data. The law, which goes into effect May 25, 2018, includes several provisions that will impact any group that stores data about European citizens, including American companies.
The basic thrust of GDPR is that organizations must get the consent of European citizens before using their data. And once they have received consent, they must protect it from falling into the wrong hands, such as with a data breach. Encryption and data masking are encouraged.
In this manner, GDPR is not much different from what PCI did for credit card numbers or what HIPAA did for personal healthcare information (PHI) here in the U.S. The catch with GDPR is that the definition of “personal data” is so broad that it could mean just about anything. It’s not only names and addresses, but also Facebook and Twitter handles, email addresses and phone numbers.
But the GDPR goes much further than PCI or HIPAA. At any time, a citizen can ask a company or organization with whom they’re no longer doing business what data it has collected about that person. The citizen can also ask the organization or company to delete all records holding their personal information, and to provide a report that proves the information has been deleted. This is referred to as the “right to be forgotten” law.
Any violation of these laws can be met with a fine of 4% of the company’s global annual revenue or €20 million, whichever is greater. The law applies to any company, no matter what country it’s based in, that is collecting data about European citizens. In the U.S., there will likely be a government-backed commission that enforces the regulation on behalf of the European Union.
No Awareness of GDPR
American companies may not be aware of GDPR, but that doesn’t change the fact that they must adhere to it soon, or face the consequences, says John Wethington of mysensitivedata.com. “There hasn’t been a whole lot of evangelism about GDPR, so a lot of companies in the United States are in this mode where they’re not even sure if it affects them,” he says. “Unfortunately, the reality is that it does.”
More than 80% of respondents to a Dell-sponsored survey published this week say they know few details or nothing at all about GDPR. Nearly one in five respondents had never even heard of GDPR before, the survey showed. What’s more, GDPR was a mystery to many representatives for companies that are based in Europe.
“This survey reinforces the global lack of general understanding of GDPR, the scope of the regulation, and what organizations need to do to avoid stringent penalties,” says John Milburn, vice president and general manager for Dell One Identity Solutions. “Results also show that while some organizations ‘think’ they are prepared, they will be in for a rude awakening if they experience a breach or must face an audit and are subject to the consequences of non-compliance with GDPR.”
Just knowing where sensitive data exists is one of the big hurdles that companies face with GDPR. In fact, reconciling data silos is an ongoing challenge for companies in general. It’s something that thwarts many data analytics projects, even before some regulator with orders from Brussels comes looking for their bounty.
According to Wethington, surveys indicate that nine out of every 10 organizations can’t even locate their sensitive data. “They’re scrambling just to get a clear understanding of where their data is,” says Wethington, who before this week worked at a company called GroundLabs that provides data remediation tools.
The data is being replicated and duplicated and used in reports for marketing and accounting and operations, he says. “They literally have no sense of where it is,” he tells Datanami.
IRS Audit of Data
Complying with GDPR should be somewhat easier for big companies in the financial services, healthcare, and retail industries that have had to comply with data security regulations before. The datasets that must be protected are larger with GDPR, but the basic gist of the law, that data must be protected, is not that much different.
However, small and midsize firms in the U.S. that have so far escaped the wrath of PCI, SOX, HIPAA or other regulations are likely in for a shock with GDPR. Because the regulation applies to any company that has European customers, it will force them to take a hard look at their internal security controls, which is something they may have never done.
“It’s almost the equivalent of an IRS audit on your data,” says Wethington. “In the U.S., we’ve almost had loopholes, the due diligence clause that allows an organization to say ‘Yes, I’ve done all these things, but nobody could reasonably expect this to occur.’ So many organizations have historically gotten a pass.
“There is no due diligence clause in GDPR,” he continues. “There is no difference between those who try and fail and those who simply don’t try at all and still fail.”
Companies have 18 months to come to grips with GDPR. Considering that companies basically will need to implement an enterprise-wide data governance strategy to be able to identify what data exists, where it came from, who has access to it, and why it exists, that’s not much time at all.