The SAS Data Management team has been on a GDPR roadshow. In addition to customer meetings, we were also privileged to meet academics and journalists who are helping customers navigate implementation choices.
In Slovenia, I had the opportunity to reflect with Miran Varga for Delo on some of the journey ahead for most organisations. The interview is translated and re-produced with the kind permission of Delo.
What should organizations know about GDPR - how it affects them?
That’s a difficult question because it’s going to be different for everyone. Each company tends to have a set of IT systems that has been built up organically over time and no two combinations of software choices, data present in the systems and, most worryingly, data stored outside of the central IT systems in things like spreadsheets, documents and files is going to be the same. The way an organization approaches their compliance effort is going to vary based on where their data is stored and the approach they take (eg: going it alone or starting with an assessment with a system integrator).
At a base, organizations should be aware that the General Data Protection Regulation (GDPR) applies to all organizations, no matter the size, as long as there is any personal information of European residents in their systems. Compliance must be achieved by the 25th of May 2018 so with little over a year to go, many organizations will already be starting much later than they should be given the size of the task.
What will it take to get their data houses in order?
Regardless of the approach they use, a Data Governance approach will have to be a core component of the technology side of getting ready for GDPR. Regulators will need to see that you have control over where personal data lies across the organization. The regulator’s pointed questions about what each organization is doing for regulatory compliance will require several steps in order to be ready to respond:
- Access to the data in order to examine the contents for personal data information
- Identification of where personal data lies across the different sources
- Governing and capturing the output of the personal data census
- Protect the personal data you’ve identified through techniques such as Anonymization or Encryption
- Audit who is performing the accesses to personal data and be able to document it
Once you have done this for personal data it makes a LOT of sense to extend it to the rest of your infrastructure in an ongoing effort to really have control over your IT systems!
Is there a right and wrong approach to achieving GDPR compliance? Is it just about compliance?
GDPR is, in and of itself, about compliance. I believe that it is a mistake, however, for companies to try to do the bare minimum to comply with GDPR requirements. This requires setting up virtually all of the infrastructure necessary for Data Governance. It’s along the same lines as signing up for a bicycle race, training for the race and then only competing in the first stage. It would be a missed opportunity to capitalize on the investment you need to make in any case. The benefits of undertaking a data governance initiative are manifold and GDPR should be the first step in the data governance journey, not the first stage of a bicycle race!
Are there any shortcuts on how companies can become GDPR-fit?
The only shortcut is to use technology to accelerate the path to compliance. Typically companies start working with a system integrator or consulting firm to perform an assessment of either their readiness for GDPR or their risk exposure from GDPR. The first step in these assessments is frequently taking a census of what personal data is present in the company. If you use a “we already know which systems and fields contain personal data” approach then the organization risks not finding all the personal data present in their systems (think about all those free-form descriptions fields you’ve got spread across your IT systems). If you use a manual approach, many (most?) medium to large size organizations have far too much data to go through by hand. Either way you risk missing out on personal data and therefore being fined if some of the personal data you didn’t identify during the assessment is exposed in a data breach, not adequately protected with masking or encryption or is used without the owner’s explicit consent.
So my advice to companies is to make sure you check everything and use automated tools that can intelligently identify personal data. They have to be “in tune” with the locale in question too … if you use identification techniques or underlying data elements that are specific to a culture in a different country (eg: one built for the USA on Slovenian data), you’re bound to fail. Only with a country-specific approach will you succeed!
How will GDPR affect the IT industry?
There is some risk of GDPR becoming the next “Millenium bug”! If you remember back in 1999 there was a big scare about IT systems POTENTIALLY not being able to manage the changeover from the year 1999 to 2000 because many systems had been written using only two digits for the year and, frankly, the programmers hadn’t really thought they’d still be in production 10, 20 or even 30 years after being first developed. The effect on companies’ IT systems was dramatic – or rather the effect it had on the NECESSARY EFFORT to do a census of all IT assets was dramatic. Mainly because companies waited until the last minute and then had to scramble to find resources with the proper skills (COBOL programmers in this case) to address the problem. There’s not a much harder deadline than a fixed date that can’t be moved!
The situation I see with GDPR is similar in terms of the way companies are approaching it – many are vaguely aware that it exists but aren’t taking any action because, after all, the deadline is over a year away! With this approach, those companies that wait will have the benefit of potentially clearer guidance from the EU on some of the minor points of how enforcement will work but in compensation, they’ll have very little time to do a very big job!
Will technological advancement lead to constant changes of the GDPR in the future?
It’s difficult to foresee the future in this way but following the current trends of Big Data and IoT making data volumes in companies become ever larger, it’s safe to predict that on average, the longer companies wait to start their assessment and subsequent technology implementations, the worse off they’ll be because they’ll have to examine more and more data progressively over time in order to identify where personal data elements are present in their systems – which include Big Data / hadoop-based systems as well.
How can our whole society develop a mindset that is data aware?
I think that society is developing the idea that data flows as an undercurrent that supports all of the things we do today – from Amazon to Facebook, from paying speeding fines to catching up on your email – but that it is only a vague sense at the moment since it is such a pervasive phenomenon. I mean who doesn’t think of access to the Internet as a kind of Utility these days? In the early days of the internet it was a much more limited phenomenon limited to us nerds. So things are evolving over time in the direction of a data-aware society in my opinion – even though I don’t think we’ll call it being “data aware” since the constant flow of information will simply be something that we’re immersed in much like the air we breathe.
Could data protection and privacy actually become a school subject?
Data Protection and respect for privacy for personal information could definitely become a school subject but I suspect not exactly in the sense that you mean. I think that the Information Systems courses that my high-school-age son is taking will, in the future, include a section on Data Privacy rights so that all young adults will be aware of their rights with respect to their data but I don’t expect that every student will have an in-depth course on the subject.
That said, university students that are studying computer science, information systems, law or other related fields will likely have either entire courses dedicated to this topic or at least focused sections of more generalized courses that go in-depth on how to make systems respect the spirit of the law – “Privacy by default and Privacy by design”.
Would you like to add something I didn't ask you about but you feel is important for this conversation?
I guess I’d just like to leave you and your audience with a couple of key takeaways:
Getting started on your GDPR assessment and implementation ASAP is key to meeting the deadline of 25/5/2018.
Everyone knows that Data Governance is something they should be doing – GDPR requires what is effectively a Data Governance implementation and therefore offers the perfect opportunity to get the necessary budget allocated. Please don’t let this opportunity slip away!
