Rich Vining

EU General Data Protection Regulation: Research Notes and Analysis

Blog Post created by Rich Vining on Jul 12, 2017

I have been doing some market research on GDPR, and I’d like to share some of the more interesting things that I’ve learned. There is a lot of noise in the market about GDPR, and I don’t want to be repetitive, other than to say that GDPR is a very, very big deal as it impacts every organization, anywhere in the world, that handles the personally-identifiable information (PII) of residents of the European Union. The fines for non-compliance that will start being handed out by next summer will be truly devastating for many companies.

did you know 1.jpg

  • IT Governance, a training and consulting services company, recently conducted a survey on GDPR preparedness. Most of the 250+ respondents are IT Governance clients, and more than 75% are in the UK and other European countries. The findings of the survey show that these companies are not yet ready for GDPR, and are not investing in getting there:
    • Senior management has not been briefed on GDPR in 22% to 34% of organizations.
    • Ensuring the right level of competence and expertise is one of their biggest challenges (50.5%); most are assigning a Data Protection Officer from within their existing staff. Half of these have no relevant expertise.
    • Only 9.3% have provided GDPR awareness training to all employees; 73% have not provided any training yet.
    • The average budget for GDPR compliance is $6200. More than 50% do not have a budget allocated yet. Only 16% plan to spend more than $62,000.
    • 68% have not yet updated their processes.
    • There will be lawyers. 32% say they will rely on lawyers for compliance.
  • How to Prepare for the Enforcement of the EU GDPR in 2018. This webcast by Bizagi, a Business Process Management vendor, provides a good overview of the impacts of GDPR (why should you care?), the role of a Data Protection Officer (DPO), the integration of data and privacy protections (“privacy by design”), and this 10-point checklist on how to get started:

GDPR_10 Steps to Get Started.png

  • Europe's looming data protection rules look swell – for IT security peddlers. Information security spending in the EU is expected to increase by 16% this year.
  • Hand in your notice. By 2022 there will be 350,000 cyber-security job vacancies in EU. The GDPR rules concerning breach notification are helping to drive up the need, but there is little being done to develop new talent. Also, this does not include the tens of thousands of Data Protection Officers that are mandated by the GDPR.
  • UK General Election 2017: How EU law will hit British politicians' Facebook fight. GDPR will impact the way political parties process data on potential voters, as they target messaging in an attempt to swing their vote. Will the parties be able to prove they have the voter’s consent to do this?
  • Tackle the Big 3 of Information Governance. While many regulations dictate the data that must be retained for a defined period of time, GDPR dictates when PII data must be deleted. This webinar provides insights into data retention best practices.
    • Start with something that has meaning, that will add value.
    • The only people who care about information governance are those that have it as part of their job (records manager, risk manager); for everyone else, information governance needs to be automated and transparent to the way they do their jobs.
    • Focus on the value of information.
    • When designing retention policies, keep the “story” information that archivists will care about 100 years from now.
    • Interesting advice, which applies to a lot of important work: ‘How do you get it done? Don’t tell anyone you’re doing it.’
  • In Let the Countdown Begin, SureCloud describes and demonstrates their software platform for managing GDPR activities. In a survey that they conducted, they found “An alarming percentage of US-based companies were planning to reduce their presence in Europe or exit the European Union altogether rather than deal with the GDPR”. My opinions:
    • This makes perfect sense for companies that make a small percentage of their profits in the EU – why put up to 4% of your global revenue at risk due to a single GDPR violation?
    • GDPR will be a barrier to international trade with the EU. EU-based companies will be forced to comply, as that is where their main customer base exists. Non-EU companies will need to evaluate the potential risks against their potential profit, and decide whether to pull out of Europe. The public shaming of an enforcement action should also factor into the risk analysis.
    • Some people think that GDPR fines will be seen as a new revenue stream for some EU countries, especially those with severe budget problems.
    • Non-EU companies will naturally be the easiest targets, politically, for GDPR enforcement. Few EU jobs will be impacted if the fine puts the offending non-EU company out of business.

Whether to Stay or Go? If I have a small/medium US-based company that does 10% - 20% of its business in the EU, I would probably pull out of the EU. Not because the costs of compliance are too high – the rules make good business sense and I would want to implement them for all my customers. But because the risk of getting a fine that would put me out of business, even if it was a small risk because I am trying to comply, is unacceptable.

  • The Pseudonymization and Data Masking for the GDPR webinar by Imperva, demonstrating their Camouflage software product, focuses on the need to mask PII data. Pseudonymization is mentioned multiple times in the GDPR text, and it enables the use of copies of the data (e.g. database files) by functions that do not need the PII to do their jobs. Examples would be application developers and QA test engineers; they need a real-life copy of the data, but shouldn’t have a need for PII data.
    • Per GDPR Article 4(5), pseudonymization is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information”.
    • The webcast included a good list of data protection principles (transparency, purpose limitation, minimization, accuracy, security, retention and accountability) and the following list of data types that are considered protected under GDPR:

  • The Data Sharing Economy webinar covers regulatory changes that are impacting the banking industry in the UK and EU, and points to the fact that GDPR does not exist in a vacuum.
    • In the UK, the Open Banking Standard goes into effect on 13 Jan 2018.
      • § Will make it possible for banks to share data to improve people’s banking experience. The data can be used to build useful applications and resources to help people find what they need, such as finding a mortgage more easily, match customers to a new product, or share data with their accountants. This, in turn, will improve efficiency and stimulate innovation.
    • In the EU, the Payment Service Directive 2 also goes into effect in January 2018. PSD2 aims to increase competition in an already competitive payments industry. It brings into scope new types of payment services, and enhances customer protection and security.
    • New personalized banking services (based on data analytics) vs. data privacy – success will depend on whether the consumer deems the service to be worth giving up their data.
    • GDPR might not have much impact on the banking industry for some time (years) as they are required to retain customer data well past when the relationship ends. Banks are also already very careful with their customer data.

 

Analysis

This research has helped me formulate that there are 3 distinct categories of GDPR compliance requirements: Business Processes, Data Governance, and Oversight. My high-level thoughts on each:

  • Process change requirements are going to be different for each organization, and approaching a consulting firm with experience in this area may be prudent. Key processes will include assigning and managing the data subject’s consent status for the PII data, including the intended use of the PII data and its retention period, as well as processes for handling the subject’s request for a copy of the data, to move the data or delete the data. A ticketing system may be useful here.
  • Data governance will depend on technologies that help to identify and process PII data in a way that supports GDPR requirements. For structured data types, such as database applications, it seems clear to me that the application owner will need to build in the required fields to enable search and eDiscovery. For unstructured data types, such as files, images and video, the use of a metadata schema is probably the best approach. This “data about the data” would include the relevant governance fields that enable easy search and discovery of PII data.
  • Oversight is all about the Data Protection Officer and his/her role between the organization and the governing Data Protection Authority. The DPO will need a management dashboard (or set of dashboards) to indicate compliance status and indicate areas for remediation or improvement. The DPO will also be required to prove compliance on request, using Data Protection Impact Assessments and process audits.

 

Another conclusion that I reached is that no single vendor is able to offer a comprehensive GDPR solution. An experienced consulting firm, such as Hitachi Consulting Corporation, can help to pull together the appropriate technologies for the individual requirements of each organization.

 

Of course, I am not doing this research for just personal fun and education. Hitachi is helping its large enterprise clients with GDPR preparedness in a number of areas. You can learn more from these webcasts:

 

One area we are focused on is data governance for unstructured data, using our highly-scalable, self-protecting object storage system (Hitachi Content Platform) and enterprise search platform (Hitachi Content Intelligence).

 

Another area of focus is “copy data management”. Having uncontrolled copies of sensitive data in your organization can be a real and present danger. Read my blog on how we help to reduce copy proliferation and the need for bad copy behavior: Overcoming the Risk that Redundant Personal Data Brings Under GDPR. Even more information and commentary is available on our Data Governance web site.

 

If you have any thoughts to share on any of this information, or have any questions, please use the Comments section below.

 

Rich Vining is a Sr. Product Marketing Manager for Data Protection and Governance Solutions at Hitachi Data Systems and has been publishing his thoughts on data storage and data management since the mid-1990s. The contents of this blog are his own.

Outcomes