The General Data Protection Regulation comes into effect on May 25th 2018 and many organizations are already seeking outside help to understand and navigate the complexities. As you consider connecting with an advisor, this brief series of posts lets you know some of the most important questions to ask, how to set priorities, and how to turn GDPR from an unknown into an enabler.
If you’re reading this, you probably know already that GDPR applies to your organization. In other words, your organization collects, maintains, or processes data for EU data subjects. Assuming that you’re already familiar with the broad rationale and requirements for compliance, let’s dive deeper by considering a number of questions in this blog and the next.
How exposed is your organization?
Our first question concerns priorities. Organizations in the public eye, especially those with a large attack surface, should focus first on shoring up current assets and existing installations of software and hardware. Doing so means you should consider having a strategy for:
- Performing or auditing master data management across the organization, to ensure user data is consolidated and well-governed
- Obtaining or confirming user consent according to processing categories that conform with the regulation
- Establishing a robust system for pseudonymization, and
- Executing dry-run audits to demonstrate an ability to satisfy regulators quickly and completely.
It’s a lot of work, especially for small-to-medium-sized organizations. So as a first step and as a foundation for future remediation work, we suggest that clients consider implementing a reputable cloud system that will support your GDPR readiness; this can save you the trouble of installing and maintaining expensive software and infrastructure on your own.
A cloud that’s ready to support your GDPR data storage needs is crucial to reducing exposure because it provides pseudonymization with separate storage for encryption keys. Out of the box, the system manages user data, encryption, and independent key storage.
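The separation described above can be made concrete with a small illustration. The following is an added example, not IBM code or a description of any IBM product: it pseudonymizes direct identifiers with a keyed HMAC, keeps the key in a hypothetical `KeyStore` that stands in for an independent key-management service, and lets a hypothetical `DataStore` hold only the pseudonymized rows. The sample records and the `run_demo` access-and-erasure walkthrough are constructed for the illustration.

```python
# Added illustration of pseudonymization with the key kept apart from the
# data store. Hypothetical code, not an IBM product or API.
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers and removed from stored records.
DIRECT_IDENTIFIERS = ("name", "email")


class KeyStore:
    """Stand-in for an independent key-management service (assumption: a
    real deployment would use an HSM or cloud KMS with its own access control)."""

    def __init__(self):
        self._keys = {}

    def create(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def get(self, key_id):
        return self._keys[key_id]


def pseudonym(identifier, key):
    """Deterministic keyed token: HMAC-SHA256 over the normalized identifier.
    The same subject yields the same token under the same key, so records can
    still be joined; without the key the token cannot be recomputed."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize(record, key):
    """Return a copy with direct identifiers replaced by one subject_id token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym(record["email"], key)
    return out


class DataStore:
    """Holds only pseudonymized records and never sees the key."""

    def __init__(self):
        self.records = []

    def add(self, record):
        # Defensive check: the store refuses rows that still carry raw identifiers.
        assert not any(f in record for f in DIRECT_IDENTIFIERS), "refusing raw identifiers"
        self.records.append(record)

    def find(self, subject_id):
        return [r for r in self.records if r["subject_id"] == subject_id]

    def erase(self, subject_id):
        before = len(self.records)
        self.records = [r for r in self.records if r["subject_id"] != subject_id]
        return before - len(self.records)


# Constructed sample data; the second row shows identifier normalization.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"name": "Alice Example", "email": " Alice@Example.com", "country": "DE", "plan": "pro"},
    {"name": "Bob Example", "email": "bob@example.com", "country": "FR", "plan": "free"},
]


def run_demo():
    """Load the sample, then serve a hypothetical access and erasure request."""
    keys = KeyStore()
    key_id = keys.create("subjects-2018")
    store = DataStore()
    for rec in SAMPLE_RECORDS:
        store.add(pseudonymize(rec, keys.get(key_id)))

    # Only a party holding the key can turn a known identifier back into a token,
    # which is what a data-subject request handler needs and the analytics
    # consumer of the data store does not.
    alice = pseudonym("alice@example.com", keys.get(key_id))
    matched = len(store.find(alice))
    erased = store.erase(alice)
    return {"stored": len(SAMPLE_RECORDS), "matched": matched,
            "erased": erased, "remaining": len(store.records)}


if __name__ == "__main__":
    print(run_demo())
```

The point of the split is that the data store, and anyone who only has read access to it, cannot link `subject_id` back to a person; the key holder can still compute the token for a known subject to answer an access or erasure request. Rotating or destroying the key in `KeyStore` would sever that link for every record at once.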
That said, you may still need to alter your established processes to comply with the regulation, depending on how you carry out master data management and manage user consent. For example, the regulation includes language to assess user profiling and to provide for data portability. Take time to understand those provisions conceptually and in detail.
How much time, data and talent do you have?
Our second question tackles the implementation challenges. Chances are good that you’ll need to port your existing data to storage of some kind. Depending on how much time you have until May 2018 — and that is a quickly diminishing commodity as we write in September 2017 — and depending on the volume and complexity of your data, and on the talent of your current teams, you can port existing data in one of two ways:
- As part of a careful re-architecture effort
- As a brute-force, lift-and-shift.
Obviously, the first option is ideal, but it means taking the time to re-architect data to delineate what must be maintained under the cloak of pseudonymization versus what you can make available for analytics. Be especially wary of the urge to overcompensate for the regulation by walling off data that could otherwise drive insights into the business and its future.
Re-architecture at this point also means planning for public versus private cloud storage. And it means a dedication to a unified data governance that includes a comprehensive policy catalog. This is the time to think very deeply about data protection by design and data protection by default. In particular, you may want to go beyond pseudonymization to build security into the policy catalog itself — while also enabling a model of secure, API-driven self-service for your data analytics team.
In our view, if you only have the time for the brute-force approach, you’ll do well to anticipate a process of re-architecture down the road in order to establish the unified data governance infrastructure we’ve just described.
In either case, it is preferable to consolidate all user data to conform to GDPR rather than to manage European and non-European data separately. A unified approach may save you hassle in the future, as your users and partner firms change geographies. It also puts you in a position to think in one clear way about the interactions you want to have with users. We will cover that in the second blog.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.