The data management and governance practices of businesses throughout the world are set to change, thanks to the EU's General Data Protection Regulation (GDPR). The regulation, which took years to reach fruition, applies from 25 May 2018, but businesses have already begun changing their privacy, security and data governance policies to ensure compliance.
Any organization established in the EU is subject to the GDPR, as is any organization outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU. That includes cloud services run by U.S. companies, so the regulation has far-reaching consequences. It allows fines for non-compliance of up to four percent of annual global turnover or 20 million euros, whichever is higher, which could be substantial for big names like Target and Home Depot, both of which have suffered significant breaches in the past.
The GDPR also requires data protection impact assessments for high-risk processing, privacy and security by design and by default, the appointment of a data protection officer (DPO) at many organizations, and records of processing (inventories and data maps) of personal data across all business systems. Under its accountability principle, companies must also be able to demonstrate that they comply with these requirements, not merely assert it.
What this means is that U.S. companies doing business in the EU will have to significantly step up their privacy and security practices, and do so quickly, as they must be compliant by the time the regulation applies next year.
AvePoint, which specializes in Microsoft Cloud migrations and governance, recently conducted a survey on global readiness for the GDPR. Of the 223 multinational organizations that responded, most have already begun assessing the GDPR's impact on their operations. Respondents are also devising organization-wide practices to achieve compliance and evaluating the need for additional resources.
The consensus among survey participants was that a comprehensive privacy management program, backed by data security and breach notification processes, is the most effective route to compliance. Senior managers were most concerned about possible sanctions, the 72-hour breach notification requirement, and how both will affect their data strategies and their ability to use data. Most respondents had already appointed a DPO, and many were increasing resources or at least considering it.
Things were murkier from a technology standpoint: few organizations have tools or software to support data privacy and compliance work, and only a small fraction use technology to automate data protection impact assessments, data classification and tagging policies, records of processing, or fulfilment of the new right to data portability. Only 33 percent of those surveyed tag and classify the data they hold to determine whether it contains personally identifiable information (PII) or sensitive PII. More worryingly, only 10 percent automate that tagging; the rest rely on end users to tag data by hand, which invites errors and inconsistencies.
Businesses throughout the world clearly have a lot of work to do on data privacy and security, and the GDPR is giving them the push they need to address it. Large financial penalties are always a strong motivator, so the next year should bring a worldwide transformation in how data is stored, secured and governed.