Many companies are currently dealing with the compliance headache that comes with the implementation of the EU General Data Protection Regulation (GDPR). With the GDPR taking effect in May 2018, organisations across the world now have less than a year to make sure they are compliant with the 260-page legislation. And with fines for data breaches as high as €20 million - or four percent of the company's global revenue - it's going to be expensive to make mistakes.
When it comes down to the specifics of compliance, many businesses will be required to have a chief data officer (CDO) who will be responsible for figuring out where customer data is being stored. And depending on the size and scale of the company, this new CDO will likely be backed up by a general counsel or legal team. Whatever the case, the legal experts will need to be well-versed in the minute details of the legislation, or look to external GDPR specialists to ensure they are compliant.
However, no matter what size your company is, locating customer data from across your databases is likely to be one of the biggest challenges; a study from Blancco Technology Group showed that many organisations are struggling to identify where their customer data is currently held, with 12 percent of corporate IT professionals in the UK admitting that they don't know where this data is stored. Meanwhile, in Germany and France the situation is even worse, with 15 percent and 20 percent of IT workers, respectively, saying they had little confidence in their ability to find customer information within their systems.
With the new legislation just around the corner, it's important that you understand what customer data you have, where it is and how to access it.
Know what you've got
The principal aim of the GDPR is to give citizens more autonomy over their personal data. One of the most problematic clauses in the legislation for companies is the “right to erasure” clause, also known as the “right to be forgotten”. This gives your customers the right to ask for their details to be completely wiped from all your systems. For this to be possible, you first need to determine exactly what customer information your business has in its databases.
A major obstacle to understanding what you have is that much of the information will be stored across a multitude of platforms and in many different formats. IBM recently stated that 90 percent of our data has been created in the last two years; our databases are therefore storing more information than ever before. Consequently, manual ways of extracting data are too slow when faced with this volume of information. To make this even more complicated, some data is likely to be unstructured and therefore much harder to sift through than a traditional database.
Make data more visible
The GDPR is all about the storage of data, which comes in different formats, runs on different platforms and often resides in multiple locations. Data virtualisation can help you access very complex storage systems and bring data together from different locations. As the name suggests, it allows you to discover and virtualise data, eliminating the need to physically move it. By using virtualisation software, you can create information “views” in real time and compare different databases from numerous locations across your business.
In addition, using data virtualisation eliminates the need to copy data, which means there will only be one instance of data in your databases, not multiple copies scattered across different locations and IT systems. This means that, come May 2018, if customers ask for their details to be removed from your databases, you will have a system in place that ensures there is only a single file that needs to be found and deleted. This makes accessing and erasing the information much easier. Having a simple process for retrieving data also means that you won't have to get rid of all your old systems to be compliant, saving you money and time.
Understanding your customer data
With a centralised virtual view of your data, you can then cross-reference the information and make sure all personal data you store can be erased. Different analytics tools provide organisations with the capabilities to analyse large quantities of data quickly in order to identify key words and information. Data virtualisation can provide the real-time data to streamline this analysis, so you can be sure that the data is gathered consistently, and in the same format.
The GDPR requires you to know not only where data is being stored, but why, how and when it has been shared with other systems, both externally and internally. So, as well as knowing where your data is, you must be aware of all movement of data and sharing of personally identifiable information (PII). For example, if a customer's credit card information has been shared externally, it's important that the way it's been shared is extremely secure.
Data virtualisation captures the data lineage to help you see who has accessed the data and when, making it much simpler to map the data's history. Data virtualisation software also helps you to control who has access to PII, making the storage of data much more secure. By using the right software to track your customer data and translate it into user-friendly pieces of information, you can prove that you are storing PII safely.
Technology is key to compliance
By providing organisations with the ability to combine data from varying sources into a common format, data virtualisation and analytics tools can help you get a handle on your customer data and map it, so that you are compliant with the incoming “right to erasure” clause.
Knowing what data your company holds is the first step in a long road to compliance, ensuring you stay within the lines of incoming regulations. At the end of the day, if you are unlucky enough to suffer a data breach, these tools can also play a large role in proving that you have taken as many steps as possible towards protecting your user and customer data. Use data virtualisation and analytics technology, and you can be sure that your EU GDPR experience will be much simpler and more efficient.
Contributed by Richard Whomes, director sales engineering, Rocket Software
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.