Usually when any sort of new compliance and regulation regarding personal data comes out, it is automatically assumed to be solely 'IT's problem' because technology is such a huge component of the data collection and data processing system. But compliance is in fact an organization-wide commitment. No individual or single department can make the organization compliant.
If you've somehow missed the May 25th deadline, don't panic too much; you're not alone. But you do need to move quickly, because there are clear areas where IT can add significant value in helping the organization achieve GDPR compliance a whole lot faster and more methodically.
1. Be a data champion
Organizations know how valuable their data is, but many departments, business units and even board members may not realize how much data they have access to, where it resides, how it is created, how it could be used and how it is protected. This is one of the main reasons why organizations are lagging: unclear oversight of where all personally identifiable data (PID) resides.
The IT department can play a clear role in helping organizations understand why data, and by extension GDPR, is so important and in determining the best way to use and protect it. Helping to educate the wider organization on what exactly GDPR is and on the ramifications of non-compliance will create a sense of urgency across the organization and ensure that everyone is moving quickly to comply.
In addition, GDPR is an excellent opportunity for IT to explore integrated infrastructure technology and different approaches to data management that can help unify where and how PID is used and processed. Oracle Exadata is a complete engineered system that is ideal for consolidating and improving the performance of the Oracle Databases that handle much of an organization's PID.
2. Ensure data security
GDPR considers protection of PID a fundamental human right, so organizations need to ensure they understand what PID they have access to and put in place appropriate protective measures. IT has a role to play in working with the organization to assess security risks and ensure that appropriate protective measures, such as encryption, access controls, attack prevention and detection, are in place.
In my previous post on the new regulations that the telecommunications industry is facing, I mentioned that PCI-DSS compliance is being used as a basic guideline for IT to help achieve GDPR compliance. GDPR is unfortunately quite broad and not well defined, whereas PCI-DSS makes much clearer demands on PID security, so many companies are sensibly using it as a starting point. Engineered systems, including Exadata, have undergone rigorous review to determine their compliance with PCI DSS v3.2, so customers can take care of at least the technological requirements of that regulation.
At a glance, Exadata features extensive database security measures to help customers protect and control the flow of PID: perimeter security and defence in depth; open security by default; DB-scoped security and ASM-scoped security (configured in CellKey.ora with key, asm and realm entries); an InfiniBand fabric that is open by default but on which particular gateways can be assigned to segregate the networks; auditd monitoring enabled (/etc/audit/audit.rules); Cellwall, an iptables-based firewall; and a password-protected boot loader. All of these align with the industry compliance strategies for GDPR that focus on: 1) authentication, 2) authorization, 3) credential management, and 4) privilege management.
3. Help the organization be responsive
GDPR requires organizations to not only protect personal data but also respond to requests from individuals who, among other things, want to amend or delete data held on them. That means that their personal data must be collected, collated and structured in a way that enables effective and reliable control of all this information. This means breaking down internal silos and ensuring an organization has a clear view of its processing activities with regard to personal data.
4. Identify the best tools for the job
GDPR compliance is as much about process, culture and planning as it is about technology. However, there are products available that can help organizations with key elements of GDPR compliance, such as data management, security and the automated enforcement of security measures. Advances in automation and artificial intelligence mean many tools offer a level of proactivity and scalability that does not lessen the responsibility of people within the organization but can reduce the workload and put in place an approach that can evolve with changing compliance requirements.
5. See the potential
An improved approach to security and compliance management, fit for the digital economy, can give organizations the confidence to unlock the full potential of their data. If data is more secure, better ordered and easier to make sense of, it stands to reason an organization can do more with it. It may be tempting to see GDPR as an unwelcome chore. However, companies should also bear in mind that this is also an opportunity to seek differentiation and greater value, to build new data-driven business models, confident in the knowledge that they are using data in a compliant way. Giving consumers the confidence to share their data is also good for businesses.
The IT department will know better than most how the full value of data can be unlocked and can help businesses pull away from seeing GDPR as a cost of doing business and start seeing it as an opportunity to do business better.