- Security TWENTY
- Women in Security
Speaking alongside me in a recent ASG Technologies-sponsored webinar, Garry Manser, head of data governance at VISA advised listeners “Don’t panic!” when talking about GDPR, writes Scott Snively, pictured, data intelligence specialist, ASG Technologies.
It’s advice that many businesses will welcome. In a recent poll of financial services companies, by ASG, only 6pc said they were already ready for the GDPR May deadline with 25pc saying they would be ready by the crucial date.
It’s true that 44pc hope to be ready, but only with numerous workarounds. A mere 6pc admitted that they did not expect to have everything in place by the deadline. Yet, this still means that only less than a third (31pc) are confident of compliance by May. These findings fit with Gartner’s prediction that more than 50 per cent of companies affected by GDPR [general data protection regulation] will not be in full compliance by the deadline.
The worrying thing is that we are talking here about the financial services sector; an industry accustomed to regulatory demands. However, GDPR has a focus on data privacy, creating new demands and expectations. In reality, most of these companies will have already done the groundwork in meeting previous standards. You can then only speculate what the situation is like among manufacturers or retailers who have not previously been governed by such rigorous rules.
But why are these financial businesses dragging their heels? When our poll asked: “What data management challenges does GDPR present for your organisation?”, the most popular answer, cited by 56pc was “identifying the required data”. It seems that the majority of organisations have a limited understanding of where the personal data they own is kept.
So, it’s not so much a case of defining the data in question, more knowing where all the relevant data is within an organisation. When ASG goes into even the most regulation-conscious bank, we often find they have servers that they didn’t know they had and, of course, it’s quite possible that these hold sensitive information.
The webinar panel suggested going directly to the “business owners” of data, if these are known; meaning the members of an organisation that actually use the data, as they will be able to identify exactly why the data is held and what it is being used for. However, often it’s not easy to identify the owner, adding to the challenge.
Automation is the key here – and the only sure-fire way of capturing all sources of information held by an organisation and keeping it current. Technology solutions can be used to discover applications, identify personal data and assign criticality and identification of application owners. They can also track personal data, tracing every instance across applications, data stores and business processes and then tag it and assess its usage. ASG Technologies’ enhanced data intelligence solution, for example, includes this capability within a five-step approach to continually meet GDPR requirements and any other regulations in the future.
From the poll it appears that many companies share this opinion. Some 42pc were using vendor in-house developed systems, with 15pc using vendor systems. One quarter (25pc) though were still yet to decide their approach.
More interesting ideas emerged when the panel discussed data protection officers (DPOs). It was agreed that these shouldn’t take on the role of data police, but become a focal point for interpreting the regulations and answering questions. It was suggested that these should be complemented by ‘data stewards’ or ‘privacy champions’ with the task of spreading awareness of the need for compliance. It was stressed that this should be company-wide, including the call centre or help desk – as both are in the frontline if a customer calls to ask what the business is doing with their particular personal details.
However, to return to Manser’s advice about keeping calm – how is this possible with May rapidly approaching towards us? He adds that there’s no point in either becoming over-excited and making staff work themselves into the ground or going into the doldrums and doing nothing because it’s too late.
” You will need to show you are working with intent though and have a plan to get you to compliance,” said Manser.
I would add that anyone in this position should remain methodical and find a technology that will act as your framework. Then, if regulators do come in your direction, you can show them your road-map and the technologies you intend to use to get to your destination and remain compliant after that.
So, remember, GDPR compliance is not just for May, it’s for life – or least until the regulations are updated yet again. Take this opportunity to get it right and the business will benefit from better value – as well as better protected data.