A topic that is popping up more and more in many of the meetings I am having these days has been how companies are readying themselves for the impact of GDPR. What questions are they asking, what are their pain points, are they dealing with it internally or have they got someone external to come in to assess their level of compliance?
With this in mind, I thought it would be interesting to get an expert's opinion on the topic from one of our Associate Partners, James Stevens. James is a European Distribution Big Data and Analytics Leader and has a background in data, through working as a Partner for IBM. Below are his thoughts on why your business needs to get personal data under control today:
Businesses have been talking about data, big data, Hadoop, R and many different aspects of data for years. Big Data is big business but more importantly, Big Data is about to become “Big Risk” like never before.
We have all seen the news and media storms that occur when organisations publicly lose data, and the impact that has on the businesses involved. In the UK this has been covered by the Data Protection Act but there is a new kid in town, GDPR, and it has teeth!
The General Data Protection Regulation (GDPR)
GDPR covers any organisation which operates in the EU market and that stores any data concerning EU data subjects, and will be immediately applicable on 25 May 2018. Whilst this is a European regulation, it will apply to the UK regardless of our impending exit from Europe, because it will come into effect before we leave and is likely to become a barrier to UK businesses working in Europe. Non-compliance has the potential to lead to huge fines of up to €20m or 4% of total annual worldwide turnover, or to force serious reputational damage.
OK, you say, the odd person wanting their data removed is no big issue - but with social media, the potential for large numbers of people to systematically request their data to be removed, in a coordinated way to maximise disruption to an organisation, is not unforeseeable and could be incredibly disruptive.
The real question is what are we likely to see first?
The truth is that until it comes into effect the real impact of GDPR and fines are to a degree an unknown, with the potential that the EU may be reluctant to impose the maximum fines, or arguably that they may look to create a series of example/test cases to demonstrate that GDPR really does have teeth.
Personally, I think we are initially going to see individuals using GDPR as a punitive tool against organisations that have displeased them by reporting THEM for non-compliance. To a degree this is already happening with individuals asking for organisations to remove their data, but come May 2018 people will have the right to ask for their data to be removed with that process to be auditable.
What this means for you right now is that you and your company are likely experiencing some if not all of these pain points:
- A lack of awareness of GDPR and what it really means and what compliance really looks like. Alongside this will be a realisation of the significance and what will change internationally as a result of GDPR.
- A concern or awareness within your business that “something needs to be done now” to manage high or extremely high data volumes and sensitive personal information (SPI).
- Lack of data governance and ownership of data within the business and a fear that there is no clear inventory of all the data held by the enterprise, of its usage and of its ownership and stewardship.
- Fears and risks around compliance, uncontrolled or insufficiently managed data.
- An inability to manage increasing workload around compliance or to react to consumer, customer or regulatory challenges effectively.
- A lack of engagement by the senior leadership and a belief that “IT will sort it”.
So what do you do about this?
A very good question and to be honest it will be a Herculean task for some organisations who may have SPI littered throughout their systems and backups. Yes, the impact of GDPR is the need to remove SPI if requested from individuals’ laptops, email, backup systems and tapes as well.
The answer is a GDPR health assessment that will look at your organisation's preparedness for GDPR, the risks, the vulnerabilities, and help you develop a roadmap to compliance to limit or mitigate that risk. As with any business data and programme change project, one size will not fit all!
Most importantly now is not the time to bury your head in the sand and hope it will either go away or not impact your organisation. GDPR is here to stay and is less than 260 working days away!