The story is becoming more common by the week. An employee from Europe calls their non-EU headquarters and asks something similar to this: “For the May 2018 General Data Protection Regulation (GDPR) deadline, can you tell me where all our customers' data is stored and what safeguards we have in place to protect it?” The typical reply varies from a head scratch to a question: “The GDPR applies to us?”
While most EU firms are frantically working to meet the deadline that's just months away, many around the world are still not aware of the regulation, or they think it only applies to their friends in the EU. But make no mistake – the GDPR is not only an EU regulation. It could very well apply to your organization too, regardless of location.
As the regulation states: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not." What this means (in layman's terms) is that regardless of where you're headquartered – in Miami, Sydney, Mexico City or anywhere else – if you process the personal data of those who reside in the EU, you're on the hook to comply with the GDPR by May 2018.
A few highlights of the GDPR data management requirements
With the deadline in mind, let’s take a look at a sample (in a summarized format) of just some of the data management requirements that must be put in place. You can read the full requirements at this site.
Principles that relate to the processing of personal data
Personal data shall be:
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Processed in a manner that ensures appropriate security of the personal data.
Conditions for consent
- Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- The data subject shall have the right to withdraw his or her consent at any time.
Right of access by the data subject
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data [see the website for a full list of additional information controllers must provide].
- Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards.
Right to erasure ("right to be forgotten")
- The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
Right to data portability
- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.
While the requirements alone may seem daunting, the penalty for noncompliance is what really gives pause. Regardless of whether you control or process the data (think cloud providers), if you fail to comply, your organization can be fined up to 4% of global turnover or 20m EUR (whichever is greater). Simply put, the GDPR has teeth – and it's backed by the support of many citizens it's designed to protect.
A 5-step approach to GDPR compliance
Knowing the requirements and the possible penalties, you may be wondering what steps you should take to comply with the GDPR. For most firms, it should involve a data management and governance program. This could be a new program or an extension of an existing data governance framework.
Based on our proven technology, SAS has developed a 5-step approach to establishing a data management foundation that supports GDPR compliance:
- Access. Access and blend data from many different data sources, including relational databases like Oracle and emerging big data technologies like Apache Hadoop.
- Identify. Data filters, sampling techniques and sophisticated algorithms identify and extract personal data from structured and unstructured data sources.
- Govern. Enforce governance policies, monitor data quality and manage business terms across the organization – and assign owners to terms and link them to policies or technical assets, like reports or data sources.
- Protect. Role-based data masking and encryption techniques secure sensitive information and dynamically blend data without moving it to help minimize exposure of sensitive data.
- Audit. Interactive reports can identify the users, files, data sources and types of PII detected. They can also enable you to see who has accessed PII data, and how it’s being protected across the business.
Here's an example of a firm that embraced the five-step approach – a leading international insurer that turned to SAS to solve its data management puzzle. The insurer faced issues such as disparate systems, data in multiple locations and no integrated view of its enterprise data. The firm understood that if it didn’t know where all its data resided, there was no way it could comply with the GDPR.
By working with SAS, the firm now has a unified data management program in place that includes data governance, data federation and risk detection capabilities. Now the insurer will be able to seamlessly manage logging, user access and data encryption to ensure enterprise governance and data compliance. This firm knew that meeting regulations involving customer records starts with data management – and the GDPR is no different.
Make the GDPR work to your advantage
Although the deadline is looming, GDPR compliance is not out of reach. With the appropriate people, processes and technology in place, you can not only meet this regulation's mandates – you can thrive by establishing a data management program that helps you know your customers better than ever before. In fact, GDPR should not be seen as a burden – but an opportunity.

Learn more about how SAS can help you comply with the GDPR.