Since the GDPR has gone into practice has your organization labeled this a curse or an investment? It’s probably a combination of both. On the investment side, your customer want to know they can trust you and see that you’re handling their data in a way in a secure manner. The more transparent you are using processes to safeguard their information.
On the other hand, it probably required you to spend money on additional technology or employees to increase your ability to monitor your data. Some companies are appointing people to the position of DPO (Data Protection Officer).
Regardless of which view you stand on, the penalties and fines are quite real. For example, Marriott was fined the next day the law went into place for approximately $99 million for not protecting data for 339 million guest records. British Airways is getting fined for a proposed $183 million for a data breach of up to 500,00 customers!
SAS created a nice 5 step check-list to ensure you are compliant for GDPR
1. Access. The first step toward GDPR compliance is to access all your data sources. No matter what the technology – traditional data warehouses and Hadoop clusters, structured and unstructured data, data at rest and data in motion – you must investigate and audit what personal data is being stored and used across your data landscape. Seamless access to all data sources is a prerequisite for building an inventory of personal data so you can evaluate your privacy risk exposure and enforce enterprisewide privacy rules. To address GDPR compliance, you can’t rely on common knowledge or perception of where you think personal data might be. The regulation requires organizations to prove that they know where personal data is – and where it isn’t.
2. Identify. Once you’ve got access to all the data sources, the next step is to inspect them to identify what personal data can be found in each. Often, personal data is buried in semistructured fields. You’ll need to be able to parse those fields to extract, categorize, and catalog personal data elements such as names, email addresses and social security numbers. Considering the volumes of data at hand, this cataloging process can’t be manual. And you not only need to parse and classify personal data – you also have to accommodate varying levels of data quality. Things like pattern recognition, data quality rules and standardization are vital elements of this process. Having the right tools for the job will make a big difference in your ability to maintain GDPR compliance.
3. Govern. Getting a grasp on personal data starts with being able to define what personal data means and then share this understanding across your organization. For GDPR compliance, privacy rules must be documented and shared across all lines of business. This is the way to make sure personal data can only be accessed by those with proper rights, based on the nature of the personal data, the rights associated with users groups and the usage context. To achieve this, roles and definitions must be established in a governance model. Then you can link business terms to physical data sources, and establish data lineage from the point of creation to the point of consumption. This provides you with the required level of control.
4. Protect. Once the personal data inventory and governance model are established, it’s time to set up the correct level of protection for the data. For GDPR compliance, you can use three techniques to protect data: encryption, pseudonymization and anonymization. You must apply the appropriate technique based on the user’s rights and the usage context – without compromising your growing needs for analysis, forecasting, querying and reporting. The easiest way to protect data privacy is actually to press the delete button, keeping only the data you need to run critical business processes and added-value analysis.
5. Audit. The fifth step in your journey to GDPR compliance involves auditing. At this stage, you’ll need to be able to produce reports to clearly show regulators that:
– You know what personal data you have and where it’s located, across your data landscape.
– You properly manage the process for getting consent from individuals who are involved.
– You can prove how personal data is used, who uses it, and for what purpose.
– You have the appropriate processes in place to manage things like the right to be forgotten,
data breach notifications and more.