As the deadline for GDPR compliance approaches, it is imperative that companies understand the importance of protecting company data to ensure that their business doesn’t face the extensive fines and reputational damage associated with non-compliance, says Damian Wilk, Regional Director, Middle East, Veritas Technologies.
GDPR is intended to harmonise the governance of information that relates to individuals (“personal data”) across European Union (EU) member states.
According to findings from The Veritas 2017 GDPR Report, almost half (48 percent) of organisations that stated they are compliant do not have full visibility over personal data loss incidents. Moreover, 61 percent of the same group admitted that it is difficult for their organisation to identify and report a personal data breach within 72 hours of awareness – a mandatory GDPR requirement where there is a risk to data subjects. Veritas’ research also found that there is a common misunderstanding among organisations regarding the responsibility of data held in cloud environments.
Avoiding stringent regulatory penalties and fines is clearly a driver for improving an organisation’s compliance position but many companies also see major business benefits that go well beyond avoiding such sanctions. Veritas research shows that almost all businesses (95 percent) see substantial business benefits to achieving GDPR compliance. GDPR certainly creates a potential new risk for Middle East organisations but also an opportunity to develop good data governance and management practices.
The fundamental requirement of good data governance is visibility and classification, but to comply with GDPR, organisations must also be able to locate, search and minimise the amount of personal data held, as well as protect and actively monitor this data.
Veritas recommends five steps to GDPR compliance:
Locate – The critical first step in complying with GDPR is gaining a holistic understanding of where all the personal data held by your organisation is located. Building a data map of where this information is being stored, who has access to it, how long it is being retained, and where it is being moved is critical to understanding how your enterprise is processing and managing personal data.
Search – Residents of the EU can now request visibility into all of the personal data held on them by submitting a Subject Access Request (SAR). They can also request that the data be corrected (if factually incorrect), ported (to a suitable export format) or deleted. Ensuring that the organisation can undertake and service these requests in a timely manner is critical to avoiding GDPR penalties.
Minimise – Data minimisation, one of the main tenets of GDPR, is designed to ensure that organisations reduce the overall amount of stored personal data. This is done by only keeping personal data for the period of time directly related to the original intended purpose. The deployment and enforcement of retention policies that automatically expire data over time establishes the cornerstone of any GDPR strategy.
Protect – Under GDPR, organisations have a general obligation to implement technical and organisational measures to show they have considered and integrated data protection into all data collection and processing activities.
Monitor – GDPR introduces a duty on all organisations to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected. You should ensure that you have capabilities in place to monitor for possible breach activity – such as unexpected or unusual file access patterns – and to quickly trigger reporting procedures.
Technology has a vital role to play in GDPR compliance. For example, Subject Access Request (SAR) preparedness is a critical component of any GDPR compliance strategy and a compliance culture. Veritas’ eDiscovery Platform directly addresses these challenges by helping organisations quickly pinpoint personal data and review it to assess what personal data should be disclosed and what may be lawfully withheld. In addition, the eDiscovery platform delivers a response package electronically that sufficiently addresses the GDPR’s SAR requirements so businesses can help ensure regulatory compliance, avoid massive fines, and mitigate reputational damage.
Combined with the Veritas Classification Engine, the platform delivers powerful intelligence into data risks on-premises and in the cloud. The platform also enables enterprises to respond to SARs by locating where PII exists across their entire organisation and driving actions that help appropriately retain or delete this data, when necessary. This innovation is critical in helping organisations adhere to mandatory compliance guidelines under new regulations, such as GDPR.