With just over six months left until the General Data Protection Regulation (GDPR) goes into effect, companies around the world should be honing their data governance game plan to make sure they can comply with the new regulation. Many organizations are surprised to learn that, regardless of where a company is based, it must be in compliance if it supplies products or services to EU residents.
A recent SAS survey found that despite all the buzz around the GDPR, less than half (45 percent) of organizations have a structured plan in place for compliance and more than half (58 percent) indicate that their organizations are not fully aware of the consequences of noncompliance.
Under the GDPR, individuals have the right to request that their personal data be erased, which is known as the “right to be forgotten.” But in order to forget, the company must understand everywhere the data may exist within their internal systems – which is more difficult than one might think. In fact, 48 percent of survey respondents are challenged just to find personal data within their own databases.
With this in mind, here are five steps that any company can take to get on the right track toward GDPR compliance:
1. Access. Under the GDPR, organizations can’t rely purely on common knowledge or perception of where they think personal data might be. The regulation requires that organizations can prove where personal data is (and where it isn’t). This requires seamless access to all company data sources, which means being able to access and blend data from many different file types, including relational data sources such as Oracle and big data technologies such as Apache Hadoop.
2. Identify. The next step is to identify where personal data resides in each of the company’s data sources. This can be obvious information like a mailing list in a CRM system, or hidden within unstructured data sources like email or text files. That’s where data filters, sampling techniques and sophisticated algorithms come into play. These technologies can be used to identify and extract personal data from structured and unstructured data sources.
3. Govern. Perhaps the most difficult step is to create a set of policies and ensure that they are enforced across the entire organization. This includes communication across departments and proper documentation. With the GDPR, it’s important that organizations can prove compliance every step of the data journey. This includes enforcing policies, proper data lineage, monitoring data quality and managing business terms across the organization. It’s also important to assign owners to terms and link them to policies or technical assets, like reports or data sources.
4. Protect. At its core, the GDPR is about protecting personal information from falling into the wrong hands or being misused. Role-based data masking and encryption techniques can secure sensitive information and dynamically blend data without moving it to help minimize exposure of sensitive data.
5. Audit. A big component of the GDPR is being able to prove where data lives and how it’s being handled. Interactive reports can identify the users, files, data sources and types of personal information that have been detected. Proper auditing can also enable organizations to see who has accessed personal data, and how it’s being protected across the business.
GDPR compliance is not easy, but when properly executed, can have lasting positive effects on an organization. For example, SAS’ survey found that 71 percent of respondents believe that their data governance will improve as a result of GDPR compliance initiatives. Further, 37 percent of organizations think that their general IT capabilities will improve as they seek to comply, and 30 percent agree that complying with the GDPR will improve their image – a positive side effect for any organization.
Todd Wright leads Global Product Marketing for SAS Data Management solutions. He works closely with the product management and sales organizations to create and promote materials that are relevant and valuable to SAS customers. Wright has 15 years of experience in data management software, including sales and marketing positions at DataFlux and SAS. Wright is instrumental in developing customer relationships and creating strategic marketing plans that drive awareness, consideration, education and demand for SAS Data Management. He received his business degree in Marketing from Western Michigan University.