GDPR is fast approaching – May 25, 2018. And the implications for big data are, well, big.
Essentially, GDPR is a regulation intended to strengthen and unify data protection for all individuals within the European Union, and it applies regardless of where the company is located. Whether you're located in the US or Thailand, if you do business with EU residents, you are subject to GDPR.
Penalties for non-compliance can be steep, and companies worldwide are scrambling.
Here's some of the impact GDPR can have:
Have you done all you can to address GDPR?
Fully addressing GDPR compliance requires a coordinated strategy involving different organizational entities including legal, human resources, marketing, IT, and more.
You’ll want to implement the right technology with effective security controls to:
GDPR will include key requirements that directly impact the way organizations implement IT security.
In particular, to protect and secure personal data it is necessary to:
Unfortunately, it’s not really possible to just buy a GDPR-compliant product and call it done. Because GDPR is really more about security processes and managing risk, there isn’t truly a product that will solve all of your problems. What you’ll have to do is ensure that your solutions work together to be truly GDPR compliant.
This can get complicated. So here is Oracle’s solutions framework for addressing GDPR. We'll go through the four steps to GDPR compliance.
The ability to monitor, enforce, and report on compliance to GDPR will be essential. You'll need clear insight into how data is coming into your organization, what happens to it, and how it leaves the organization.
For that, you’ll need data governance that provides capabilities such as data lineage, asset inventory, and data discovery. The more data is being reused without proper data governance, the greater the risk of data-handling mishaps. Choose your tools wisely to help with your data governance.
To learn more, download our free whitepaper, “Addressing GDPR Compliance Using Oracle Data Integration and Data Governance Solutions.”
You may need application modifications to comply with the rights of the data subject (people like you and me). This can be a major challenge, as personal information comes in many formats and types, can be stored in various locations, and can be held in forms such as voice recordings and video.
In addition, because individuals can request all information about themselves, it must be possible to handle and automate a potentially large number of these requests dynamically, and, under GDPR's "right to be forgotten," to delete the data on request.
You might also need to consolidate customer data to get a single view of each data subject across the organization. If an organization can't identify all personal information that belongs to an individual, that indicates it doesn't have appropriate control over the personal information it holds, which can be a red flag to regulators.
You want good IT security with an emphasis on availability and performance of the services, because you don't know when your system will be tasked with pulling information, or how much at once. You're also going to be responsible for restoring the availability of, and access to, personal data in a timely manner after a physical or technical incident.
Here's something else you'll have to think about: encryption will be more important than ever. Ensure you have detailed application-to-storage mapping so that any application can be traced to the physical storage it uses.
You’ll need technologies that can protect people, software, and systems. This includes products and services that provide predictive, preventive, detective and responsive security controls across database security, identity and access management, and much more.
It's a common misconception that GDPR lists specific technologies to be applied. In fact, GDPR holds the controller and processor accountable and requires that they consider the risks associated with the data they handle and adopt appropriate security controls.
For enforcement, here are the four groups that encompass the basic security measures that organizations should consider implementing.
Overall, GDPR addresses the key security tenets of confidentiality, integrity and availability of systems and data.
So that's a lot to do. But look at the positive. Some companies view this as a once-in-a-generation chance to truly take a look at their data management and transform it according to general best practices. Data volumes have exploded in the last ten years, and many organizations are working with outdated architectures that weren't optimally built. This may be your chance to do something about it, and with GDPR looming, it just might be easier to get executive support.
It’s also a chance to take a second look at your tools. GDPR requires higher and more robust reporting and auditing structures so your organization can respond to any Data Protection Authorities and individuals who may have questions. So if there’s any tool you’ve had your eye on previously, now’s your chance …
GDPR is not likely to be the only data regulation your organization will have to address. There are multiple laws out there, and the laws are going to change. These laws and regulations are intended to protect citizens, the economy, government, and more. With data breaches and cybersecurity incidents on the rise, this is likely to remain an issue.
Consider future-proofing your data, and getting it right now to avoid more headaches (and potentially bigger headaches) in the future.
This might also be the perfect time to think about the cloud for your data. Your data is going to have to be:
At the same time, you're going to have to understand your own internal controls, infrastructure, and data architecture, as well as those of any external partners or service providers. The liability of new regulation is going to fall on all parties. This just might be easier if you switch to a cloud or hybrid solution, and it could reduce costs and risks.
Don't underestimate the length of time it will take to align with GDPR. Remember, May 25 is not the date you should start; it's the date you're supposed to be compliant. At Oracle, we're committed to helping organizations with GDPR. Talk to us if you have any questions or would like to learn more about how we can help.