Handling the compliance risks that the EU General Data Protection Regulation creates for your organization
- Published: Monday, 24 August 2015 08:05
Don’t let information ignorance turn your data dream into a nightmare, says Cindy Truyens.
With the impending EU General Data Protection Regulation (GDPR) on the horizon, are you aware of the impact this will have on your current data management policies, processes and systems? For many businesses the realistic answer to this question is “I don’t know” and for most it will be “no”.
No matter what industry you are in, if you handle other people’s data you are responsible for keeping it safe and are bound by law to comply with data protection regulations. This applies to data whilst it flows between departments; moves across different systems; is passed between individuals; transitions onto new platforms or programs; and is handed to a third party. Claiming ignorance, especially once data has left the confines of the office ‘walls’, is no excuse.
Those who underestimate the challenge of getting their data management systems and policies ready by the 2017 GDPR deadline could find themselves in severe financial and reputational hot water. As it stands, the maximum fine from the UK Information Commissioner’s Office for breaching the legislation is £500,000. The current plans for the EU GDPR state that fines can be 2 percent of global revenue, capped at €100 million. However, the FCA, which regulates the financial industry, has no upper limit on the fines it can issue. Companies that suffer data breaches will also be liable to compensate those affected, and will face significant loss of business, as information about the fines will be made public.
The extent of the challenge ahead
These new reforms represent the EU’s first major overhaul of data protection legislation for over 15 years, during which time significant advances have been made in the way companies use data and the technology they have in place to store, transfer and interrogate it. As a result, the updated reforms will include key changes to the way in which personal data can now be used and stored. This will have a significant impact upon organizational policies and processes, with the need to move towards a ‘privacy by design’ ideal.
Companies will be expected to not only have these updated processes in place, but for them to be documented and available on demand, with staff being fully aware of the changes and implications. Almost half of the organizations across Europe are yet to realise the full extent of the changes. This includes the time, effort and cost involved in implementation, which could result in devastating financial and reputational consequences.
Often, personal customer data collected by organizations is used and transferred in ways in which the customer and owner of the data may not even realise. To tighten up the movement of sensitive data, ‘anonymisation’ will form a key part of the new regulations.
Worryingly, many organizations currently use personal data replicated from their production systems during IT system testing. The risks this brings are enormous, as test environments usually have limited security and are open to a wider array of employees and third-party vendors. If personal data is copied from production and inadequately anonymised, anyone who has access could potentially download data that could be used for identity fraud. A key aspect of the new regulations is that businesses will be required to anonymise data used within this process. This will significantly decrease the risk of a data breach in the testing environment and, in turn, enhance the security of a customer’s entrusted personal information.
When considering the implementation of these regulations, it is vital that companies make changes to data governance and policies now, in order to meet the required timeline.
This will ensure that UK businesses are doing the right thing by their data, whilst avoiding the unwelcome wrath of the ICO or the FCA.
Three key areas
To help overcome the challenges of overhauling data management systems, there are three key areas which organizations need to address ahead of the new regulations:
1. Consider a robust data policy from the very beginning
Firstly, echoing the ICO’s key recommendations, nothing can beat having privacy by design, a robust data policy and a data governance process in place from the outset. This cost-effective method of considering privacy and data compliance from the very start no doubt helps reduce time spent on inaccurately managing data. Best practice methods such as privacy impact assessments can highlight risk and help to identify sensitive data.
2. Digitise and anonymise for streamlined data management
With the digitisation of systems, a single view of the customer and a unified data model have become increasingly difficult to achieve and are the biggest issues facing organizations today. The new data protection regulations will add another layer of complexity to how data is accessed and used.
Ultimately, the lack of a single view of data and how it is configured will result in organizations having limited visibility of where their data is being accessed, copied, backed up or transferred. With the upcoming regulations, this will have to change. A key focus area of the regulation is the use of data within test environments, ensuring that all data contained therein is anonymised. This is a mammoth task, given the levels of system integration and end-to-end processing required to ensure system accuracy and stability. Choosing the right tools to manage and anonymise or synthesise data for your business is paramount.
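The test-data problem raised above (and in the earlier paragraph on production data copied into test environments) is easier to reason about with a concrete routine in front of you. The following Python script is an added illustration written for this page; it is not code from the article or from SQS. It assumes two constructed CSV extracts (customers and orders) with invented field names and records, and a hypothetical per-run secret `PSEUDONYM_KEY` that stays on the production side. Customer identifiers are replaced with keyed HMAC tokens so that orders still join to customers in the test copy, names and e-mail addresses are replaced with synthetic values, birth dates are generalised to age bands, and postcodes are cut down to their outward part. A final check confirms that none of the original direct identifiers survive in the output.

```python
import csv
import hashlib
import hmac
import io
from datetime import date

# Constructed sample "production" extracts; every record here is invented for this example.
PRODUCTION_CUSTOMERS = """customer_id,full_name,email,date_of_birth,postcode
C1001,Alice Example,alice@example.org,1984-03-12,SW1A 1AA
C1002,Bob Sample,bob.sample@example.net,1990-11-30,M1 1AE
"""
PRODUCTION_ORDERS = """order_id,customer_id,amount
O5001,C1001,49.99
O5002,C1002,12.50
O5003,C1001,7.25
"""

# Hypothetical per-run secret. It belongs in a secrets store on the production side and
# is never copied to the test environment, so nobody holding only the test data can
# reverse the tokens.
PSEUDONYM_KEY = b"example-key-rotate-me"

# Fixed reference date so the age bands below are reproducible (the article's date).
REFERENCE_DATE = date(2015, 8, 24)

def pseudonymise_id(raw_id, key=PSEUDONYM_KEY):
    """Keyed HMAC: the same input always maps to the same token, so foreign keys
    still join across tables without a reversible lookup table in the test estate."""
    digest = hmac.new(key, raw_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "T" + digest[:12]

def age_band(dob_iso, today):
    """Generalise a birth date to a ten-year band, which is enough for most test logic."""
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def outward_postcode(postcode):
    """Keep only the outward part (e.g. 'SW1A') so regional logic still works."""
    return postcode.split()[0]

def anonymise_customers(customers_csv, key=PSEUDONYM_KEY, today=REFERENCE_DATE):
    """Return test-safe customer rows: synthetic name/e-mail, age band, outward postcode."""
    rows = []
    for rec in csv.DictReader(io.StringIO(customers_csv)):
        token = pseudonymise_id(rec["customer_id"], key)
        rows.append({
            "customer_id": token,
            "full_name": f"Customer {token}",          # synthetic, not derived from the real name
            "email": f"{token.lower()}@test.invalid",  # reserved TLD: mail can never be delivered
            "age_band": age_band(rec["date_of_birth"], today),
            "postcode": outward_postcode(rec["postcode"]),
        })
    return rows

def anonymise_orders(orders_csv, key=PSEUDONYM_KEY):
    """Re-key the customer foreign key with the same HMAC so joins still work."""
    rows = []
    for rec in csv.DictReader(io.StringIO(orders_csv)):
        rec["customer_id"] = pseudonymise_id(rec["customer_id"], key)
        rows.append(rec)
    return rows

def leaked_values(original_csv, anonymised_rows, columns):
    """Check helper: return any original values from the named columns that survive
    verbatim anywhere in the anonymised output. The expected result is an empty set."""
    originals = {rec[c] for rec in csv.DictReader(io.StringIO(original_csv)) for c in columns}
    output_blob = "\n".join(" ".join(r.values()) for r in anonymised_rows)
    return {v for v in originals if v in output_blob}

if __name__ == "__main__":
    customers = anonymise_customers(PRODUCTION_CUSTOMERS)
    orders = anonymise_orders(PRODUCTION_ORDERS)
    for row in customers + orders:
        print(row)
    print("leaked:", leaked_values(PRODUCTION_CUSTOMERS, customers,
                                   ["customer_id", "full_name", "email", "date_of_birth"]))
```

Two design points are worth noting. Because the identifier tokens are produced with a key, whoever holds the key can re-link them to the original customers; in GDPR terms that makes the identifiers pseudonymised rather than anonymised, which is why the key must stay out of the test environment and be rotated between refreshes. The name and e-mail columns, by contrast, carry nothing from the source record at all, and the `leaked_values` check is the kind of automated gate a release pipeline can run before a refreshed test database is handed to developers or third-party vendors.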
3. Invest upfront to avoid fines and derive true business benefit
Without the correct IT, policies, processes and governance in place to ensure data quality and compliance, not only could organizations be exposed to hefty fines but they could also be missing out on key business benefits.
The cottage industry of people extracting, reformatting and standardising data behind the scenes is staggering and often a hidden cost of poor data management practices. A recent assessment highlighted that a large retail organization could save in excess of £600,000 per month simply by standardising its data model across its integrated supplier, product management, distribution and reporting systems. With an upfront investment of £630,000, savings of up to £7.2 million per year could be a reality.
Building a strong framework for data from the beginning is the ideal. The reality is that the majority of organizations are fettered by a complex, somewhat historical IT estate. They are faced with having to alter policy, processes and systems to achieve compliance. Making upfront investment now is key. Bringing experts on board to make sure data is correctly mapped, stored and used will ensure an adequate opportunity to adhere to the regulations. This will prevent unnecessary fines and ultimately boost data performance for the benefit of the business.
Cindy Truyens is managing director at SQS.