This past week I was in the Nordics talking to customers from Sweden, Norway and Finland, about Data Governance. This is a topic of high interest due to a new EU regulation around data privacy which is due to be implemented by May 25, 2018. This regulation, known as the General Data Protection Regulation (GDPR) was adopted by the EU in April 2016, While it is an EU regulation it applies to any organization, regardless of location, that acts as a controller and/or processor (service provider) of personally identifiable information of EU residents and so it has a global impact and a very short window for compliance. The primary objectives of the GDPR are to give back to EU citizens, the control of their personal data. Key points include the need for consent to use personal data, transparency in the use of personal data, the individual’s right to be forgotten (erasure of personal data), the need to protect that data, and the requirement to notify individuals in the event of a breach. Sanctions include a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. A penalty of this magnitude would bankrupt most companies!
Europe has led the way in terms of protecting the privacy of individuals. The EU published a Data Protection Directive back in 1995 and concepts like “the right to be forgotten” originated in Europe. This directive will be replaced by GDPR which is now a regulation that will result in more consistency across countries. GDPS is more prescriptive, and is updated to include “processors” such as cloud service providers, and will have a global impact. While some highly regulated sectors like financials and health care are already budgeting for GDPR and assigning resources to prepare for compliance, surveys show that most companies are still in a wait and see mode despite the very short window for compliance.
My experience last week in Sweden with a few Nordic customers confirmed this. The customers that I talked to were data center and IT service providers and GDPR was not high on their current agenda. One customer told me that the business units are responsible for content, and privacy was not the concern of IT. Most felt that someone else in the organization should be looking out for this and IT would just be the implementers. In my view, GDPR is all about storing, searching, cleansing, analyzing, protecting, reporting and scrubbing data, and IT should be the experts in knowing how to implement technology to do this. Therefore, IT needs to be proactively advising the business units on how they can prepare for GDPR. Otherwise the architects and developers in the business units may be reinventing functions or capabilities that IT may already have or could be doing better with the right choice of IT technology.
One customer from a service provider who had been working on a healthcare information project using HCP, Hitachi Content platform, recognized how HCP could be used for GDPR in other application areas. Applications may not need to be revised for data privacy if it can be implemented by enabling features in the IT infrastructure. He commented that we need to educate the business units on what can already be done with our content platform and our content search and analysis capabilities in HCI (Hitachi Content Intelligence) solution. We will be working with this organization’s IT to get the message to the other constituents in the organization.
Hitachi Data Systems offers its customers a proven technology and services product line that addresses legacy and contemporary data formats and use cases to address governance and compliance requirements. We have been very successful in this space. These products include robust feature sets that already offer support for many of the world's most stringent governance and compliance requirements.
- Hitachi Content Platform was originally launched (2007). Throughout the following years, HCP has been extended and adapted to support new regulatory requirements across the world, as well as new use cases, storage product integrations, and secure hybrid clouds with a choice of leading public cloud storage service providers. These deployments often require a high level of resources sophistication to navigate various networking, data protection and accessibility requirements. The addition of Hitachi Content Intelligence, delivers comprehensive enterprise search based on a centrally managed and standardized intelligence platform to address how data is managed, explored, understood, and acted on regardless of its type or location, content search and analysis, Thus, there is no reason to believe that HDS, with HCP and HCI, will not be capable of complying with GDPR requirements when the regulation goes into effect.
- Hitachi Consulting supports customers across a wide array of esoteric use cases and requirements. Extending the scope of its services to include expertise with respect to GDPR, and the assessment of IT environments for compliance with GDPR, is well within the capabilities of the organization.
- Hitachi Data Systems Global Solutions Services provides professional services and experienced personnel that integrate our entire content portfolio including HCP, HDI (Hitachi Data Ingestor), HCP Anywhere, and HCI in any environment – including tightly regulated environments. Discovery, Planning, and Transformation services for these products includes migration, application integration, planning & design, implementation & configuration, and solutions architecture. GSS also provides services for ongoing management and operation of customer content environments using remote services, residency, or managed services to meet customer needs.
IT departments should become familiar with the data requirements for GDPR, and be proactive in working with the business units in defining the infrastructure for compliance. Here are some references on GDPR:
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT
- ComputerWeekly.com EU data Protection: Essential guide
In my next post I will cover the features in our content portfolio that will help organizations support the requirements for GDPR.