
Four Reasons Why Your GDPR Strategy Needs Data Discovery Software

GDPR applies to companies with EU shipments of export cargo and import cargo in international trade.


The compliance deadline for the General Data Protection Regulation (GDPR)—the EU’s comprehensive data protection regulation—looms ever-closer and the world of IT is still struggling to execute a clear and defined GDPR strategy. No doubt – with over 3000 amendments since the first draft it is officially the most heavily lobbied piece of legislation ever, and the completed regulation is over 200 pages long.

Information Age has suggested nearly half of businesses are not ready for GDPR and in a recent webinar I attended only 15 percent of respondents claimed that they thought their business would be ready for go-live on May 25, 2018.

There is no doubt that businesses across the world are hitting the panic button now we’re only seven months away from the deadline – seemingly with no clear solution in sight that will solve the multiple business challenges created or exacerbated by GDPR.

So, what are the biggest challenges that businesses are currently trying to solve? From our experience, we can summarize these challenges through four questions:

  1. Where do I keep personal and sensitive data across my vast IT infrastructure?
  2. How can I catalogue personal and sensitive data across multiple structured, semi-structured and unstructured data sources?
  3. How can I create a single view of information to easily identify all data belonging to any particular data subject?
  4. How do I maintain compliance post May 25, and will my systems cope with the new rights of data subjects?

If these challenges remain unsolved the GDPR compliance pathway quickly becomes bogged down by manual data location activities and endless repetition of effort across multiple source systems – which is both an expensive resource sink and an imperfect method of satisfying the upcoming ‘privacy by default/design’ requirement.

We shouldn’t have to resort to the ‘person with a clipboard’ method when it comes to cataloging information and trying to build some sort of single view of an individual. Inefficient, manual and arduous methodologies will not result in organization-wide compliance before the deadline.

There is only one way to solve these problems – enterprise-wide adoption of smart technologies that will greatly reduce the inefficient time sink created by manual auditing.

If I can use software to solve the four challenges mentioned above I can better coordinate my resources in ensuring that all data is processed in-line with GDPR, instead of worrying that I can’t find and organize personal and sensitive data in the first place.

Thankfully there is technology out there which can help, and data discovery technology is the best fit due to its flexibility and capabilities around finding, cataloging and organizing data.

Below I’ve set out four areas where I think data discovery software can greatly improve your GDPR compliance strategy.

Finding out where data is held. The first step to compliance is finding out what personal and sensitive data is held and where exactly that data can be found. This can be wide-ranging – from your operational systems to customer testimonials to marketing mailing lists to customer complaints and everything in between.

This information is found in structured databases, semi-structured XML files, unstructured file systems on individual workstations, cloud-based file systems – you name it, you need to check if there is personal or sensitive data in those systems. Indeed, 80 percent of all organizational data is unstructured if you believe the statistics!

Finding out where information is held can be easy in some systems, but finding out how many John Smiths I have across 3000 private file directories on separate workstations is going to take me a long time if I’m using a clipboard and ball-point pen.

Thankfully data discovery software can take all information – from databases, XML files, file directories, the lot – and search against it simultaneously, instantly finding me every mention of John Smith across my thousands of previously siloed data sources. No more clipboard required!

Cataloging personal and sensitive data across structured, semi-structured and unstructured sources. Though finding the information is probably the biggest challenge for businesses at the moment, cataloging the information after it has been found can be just as hard.

I will never be able to build up a clear picture of my personal and sensitive data without a clear information cataloging strategy.

Trawling through each system to find out where I keep IP addresses, who owns the IP address, what I’m using it for and what the legal basis for processing it is WITHOUT some sort of automatic metadata cataloging process is going to take weeks of effort, weeks that are quickly running out.

Modern data discovery software includes comprehensive metadata cataloging to help identify what data is held where, why, by whom, and for what reason. Smart business rules and regular expressions can extract structure from unstructured and semi-structured data sources, to help automatically build a ‘big picture’ of personal and sensitive metadata.

So instead of just finding out whose data is held where, I can now find out what types of data are held where. If only there was a way to combine this…

Creating a single view of information. Experian states that “89 percent of organizations continue to face difficulties in achieving a single customer view.”

This is largely due to a systemic complexity across multiple systems that software has so far struggled to solve. When including semi-structured and unstructured data as well the dream of a unified single view can very quickly start resembling a nightmare.

The reason is simple – relational databases and unstructured data sources do not play nicely, and no amount of tweaking and changing will make legacy back-ends handle unstructured data as well as a more modern approach.

This problem is further exacerbated by GDPR. It’s quite hard to argue that any approach that does NOT create a single customer view is going to make it easy for customer service personnel to respond to subject access requests, data portability requests, the right to be forgotten, etc.

Alternative architectures have been tried and tested to try and solve the unification problem in terms of creating that mythical ‘single customer view’ that only 11 percent of organizations claim they have successfully done.

An architecture which includes modern data discovery software can quite easily create that single view. By storing all files in a unified ‘index’ format, the challenges posed by joining different data from different file types and different data sources are easily overcome.

This allows a comprehensive single view of information to be built across the entire organization, achieved through combining data discovered across siloed systems with the metadata information catalog.

Once you have that single view of information, any user can query it and easily navigate from one entity to another without having to be concerned about logging into multiple systems and re-establishing the context of the search based on system configuration.

Putting it all in the same place and showing it in the same format provides a powerful resource for maintaining information security and establishing what data is being processed, whose data it is, why it is being processed and by whom. In addition to finding how much John Smith data I have, I should now have a full visual history of each John Smith’s interactions with my organization from day one to the present day.
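As an added illustration (not Connexica’s product and not code from this article), the three areas above can be sketched in Python: regular-expression discovery rules classify personal-data types, a structured table, a semi-structured XML export and an unstructured text dump are flattened into one uniform index, a metadata catalogue records which types each source holds and where, and a single view gathers every fragment that mentions one data subject. All source names, table names and sample records are constructed for the example.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Discovery rules: regular expressions labelling personal-data types (illustrative, not a complete rule set)
RULES = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def classify(text):
    """Return the sorted list of personal-data types detected in a text fragment."""
    return sorted({kind for kind, rx in RULES.items() if rx.search(text)})

def build_index(sources):
    """Flatten heterogeneous sources into one uniform index of (source, location, text) records."""
    index = []
    for name, kind, payload in sources:
        if kind == "sqlite":  # structured: one record per row; table name comes from configuration
            conn, table = payload
            for row in conn.execute(f"SELECT rowid, * FROM {table}"):
                index.append((name, f"{table} rowid={row[0]}", " ".join(map(str, row[1:]))))
        elif kind == "xml":  # semi-structured: one record per element that carries text
            for el in ET.fromstring(payload).iter():
                if el.text and el.text.strip():
                    index.append((name, el.tag, el.text.strip()))
        else:  # unstructured: one record per line
            for n, line in enumerate(payload.splitlines(), 1):
                index.append((name, f"line {n}", line))
    return index

def catalogue(index):
    """Metadata catalogue: for each source, which data types it holds and at which locations."""
    cat = {}
    for src, loc, text in index:
        for kind in classify(text):
            cat.setdefault(src, {}).setdefault(kind, set()).add(loc)
    return cat

def single_view(index, subject):
    """Every fragment across all sources mentioning the subject, with the data types each contains."""
    return [(src, loc, classify(text)) for src, loc, text in index if subject.lower() in text.lower()]

def demo_sources():
    """Constructed sample data standing in for a CRM table, a web-log XML export and a mailbox dump."""
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE customers (name TEXT, email TEXT); INSERT INTO customers VALUES ('John Smith', 'john.smith@example.com');")
    xml = "<log><user>John Smith</user><ip>192.0.2.10</ip><note>signup from 192.0.2.10</note></log>"
    txt = "Ticket 42: John Smith complained about delivery\nReply sent to jane.doe@example.com"
    return [("crm", "sqlite", (db, "customers")), ("weblog", "xml", xml), ("mailbox", "text", txt)]
```

Running `single_view(build_index(demo_sources()), "John Smith")` returns the CRM row, the XML user element and the ticket line together, which is the cross-silo view the article describes; `catalogue` over the same index shows that only the web log holds IP addresses.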

Maintaining compliance post May 25. Assuming we can reach a point where we are somewhat compliant by May 25th without using any smart software or GDPR solution, the question of how I maintain compliance still remains unanswered.

GDPR establishes loads of rights for individuals – the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision making and profiling.

The significant part of establishing compliance prior to May 25 is ensuring that after go-live each of these rights has a clearly defined business process from request to response.

This one’s pretty simple from a technological perspective. If I have all my data in the same place and viewed through a single interface it will greatly empower my ability to respond to a data portability request, a subject access request, an erasure request, etc.

GDPR solutions built on data discovery software can contain additional reports, portals and data capture forms to help customer service teams respond to these requests in an efficient and simple manner.

There is no silver bullet for GDPR. Every solution is only going to work with enterprise-wide adoption and conformity, with each and every employee educated on their responsibilities in regards to GDPR and what they can and can’t do.

Despite this, data discovery software will help enormously. Without it, you won’t find the weaknesses in your strategy until you receive your first data portability request on May 25.

Chris Lewis is a technical evangelist at Connexica. Connexica can help with expertise and industry-leading data discovery software when it comes to GDPR compliance.

Some companies with shipments of export cargo and import cargo in international trade to Europe will need to comply with GDPR.

GDPR – What’s Going On And Why Should I Care?

Unless you’ve been hiding under a rock or you’re one of today’s lucky 10,000 to be hearing about it for the first time, the EU General Data Protection Regulation hype train is reaching full throttle and organizations across the world are engaging panic mode as the compliance deadline looms ever closer.

For those that are lucky enough not to have encountered GDPR yet, what is it all about and why should I care?

GDPR has been under draft by the European Commission since 2011 and organizations are required to be compliant when it goes live on May 25, 2018. With over 3,000 amendments since the first draft it is officially the most heavily lobbied piece of legislation ever, and the completed regulation is over 200 pages long.

GDPR largely extends the UK Data Protection Act of 1995 and clears up some definitions that were ambiguous or out-of-date for the modern world. Indeed, in 1995 only 30 percent of us had access to the internet, compared to 98 percent of some generations carrying an internet-ready computer in our pockets in 2016.

GDPR is a regulation which means that it overrides any local law in any EU member state. This is different to a directive which would still have to go through local governmental processes e.g. parliament before becoming law.

No ifs, no buts: if any of the following applies to your business, you have to comply:

  • Organizations within the EU
  • Organizations that offer goods and services to EU residents (including free services such as Facebook)
  • Organizations that monitor the behavior of EU residents (e.g. targeted advertising companies)

In short – every organization in the EU that processes or uses data in any shape or form, or outside of the EU that offers online services to EU citizens.

GDPR has an exhaustive list of requirements for organizations to comply with that can be summarised around the following areas:

  1. What data is considered ‘personal’
  2. How personal data should be processed and controlled, and for how long
  3. What data security controls organizations should have in place in regards to personal data
  4. What rights data subjects have in regards to their own personal data, and how those rights should be enforced

The specifics can get pretty complex and there are a number of organizations already offering accreditation courses for privacy professionals to get up-to-speed with the specific changes and how they might impact your specific business.

The biggest headline around GDPR though is not the rights given to citizens (though they are considerable and will make for some interesting reading once people start requesting data from Silicon Valley giants like Google…).

Instead, the main headline is the potential size of fine that can be imposed for non-compliance. GDPR states the maximum fine for non-compliance is the greater of €20 million or up to four percent of an organization’s worldwide annual turnover.

For Google that would mean a fine in the region of $3.5 billion!

But no need to panic. We’ve got your back.

Chris Lewis is a technical evangelist at Connexica. Connexica can help with expertise and industry-leading data discovery software when it comes to GDPR compliance.