Getting ready for GDPR: where do you start, and how do you set yourself up for compliance success?

Rather like the deadline for submitting the dreaded tax return, 25th May 2018 has loomed on the horizon for many as a date by which you will complete something... but not just yet. It's a long way off. But exactly five months from Christmas, GDPR will become a reality, and with it comes a fundamental change to the way we manage and distribute data. As everyone knows by now, it is not a 'nice to take notice of' initiative; it is a 'must comply with' piece of legislation.

In a nutshell, GDPR provides greater data protection to all EU citizens, giving them more control over their personal data. The result of four years of discussions, GDPR grants EU citizens several new rights, including the right to access their personal data and to withdraw it, in the interest of increased security.

But here's the challenge: because it is such a significant shift in the way any business with data at its heart operates (and which business today doesn't rely on data for everything it does?), complying seems formidable. As a result, many businesses appear stuck in 'analysis paralysis', unable to implement even simple strategies to meet the GDPR challenge. How can you break through that paralysis? How can you get started on the path to compliance? In short, where do you start?

Let's, for a second, remind ourselves of the driver behind the introduction of GDPR in the first place. At the most foundational level, it is about stopping the misuse of personal data by organisations that may be tempted to use it for intrusive, unwanted marketing. We have all suffered such targeting and we all know how annoying it is. So one of the key tenets of GDPR is that it requires organisations to prove that any data they hold on anyone is necessary to the running of their business, rather than being held for the kind of marketing activity I have just outlined. Within every business there are many different and disparate data streams, which makes it tough to create an easily auditable view of the data and, in turn, to prove why each piece of it is essential to the running of the business.

To give you an example, imagine you are a retailer and it is found that, at the point of purchase, the till is scanning the colour of people's eyes as they pay. You would have to explain why you were doing that. Perhaps you are an optician and have a legitimate reason for capturing this data, as it helps you provide better aftercare to your customers. Or perhaps you were planning to earn some money on the side by selling that data to third-party companies (e.g. people with green eyes are most likely to buy chocolate). But even if your reasons are entirely honourable, as in the optician example, you still need to be able to explain your data processes downstream from the till to show that, if you were checked, you did indeed comply with GDPR.

This example confirms that, however you collect data, after 25th May next year you have to be prepared for it to be identifiable and auditable, as well as accessible upon request. The only way to ensure this effectively is to create a kind of map of all the data in your firm: identify where each piece of data sits and tag it, and, to satisfy 'access upon request' requirements, either store it somewhere with extract capabilities or be able to build those extract capabilities quickly. In addition, you must be able to explain the purpose of that data: you must show that your business genuinely requires that information and, most critically, that people have opted IN to you holding their data.

And that, my friends, is one time-consuming task.    

Moving forward, data will have to be both identifiable and auditable. That sounds daunting, but there are products out there that can help, and automation software is a good place to begin your search. On a proactive basis, data infrastructure automation software can discover data areas and tag areas of concern. It can be used to map out all data systems within the organisation, providing a really effective means of auditing and cataloguing data. On a reactive basis, if you are ever asked to prove anything about a particular piece of data, or to pull multiple trails together quickly for an export request, data infrastructure automation software can supply the full lineage of that data trail. With the ability to define an extract that pulls together all data related to a particular person from every area of the business in less than 30 days, there is no need to build these extractors in advance, and they can be re-used the next time someone asks.
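The data map, tagging, purpose and opt-in requirements described above, and the audit and per-person extract that automation software is expected to provide, reduce to a small data model. The example below is added here and is not the article's or WhereScape's code; the till and CRM systems, column names, customer ids and consent register are all constructed to mirror the eye-colour scenario.

```python
from dataclasses import dataclass, field

@dataclass
class Column:
    name: str
    personal: bool = False   # does this column identify or describe a person?
    purpose: str = ""        # why the business needs it (empty = no purpose recorded)
    basis: str = ""          # lawful basis, e.g. "contract" or "consent" (empty = none recorded)

@dataclass
class Dataset:
    system: str              # where the data physically sits
    columns: list
    rows: list = field(default_factory=list)

# Constructed sample data map: a point-of-sale till and a CRM (hypothetical systems).
DATA_MAP = [
    Dataset("pos_till",
            [Column("customer_id", True, "order fulfilment", "contract"),
             Column("eye_colour", True),                # captured at the till, no purpose recorded
             Column("sku")],
            [{"customer_id": "c1", "eye_colour": "green", "sku": "choc-01"}]),
    Dataset("crm",
            [Column("customer_id", True, "order fulfilment", "contract"),
             Column("email", True, "marketing newsletter", "consent")],
            [{"customer_id": "c1", "email": "c1@example.com"},
             {"customer_id": "c2", "email": "c2@example.com"}]),
]
# Constructed consent register: (customer_id, purpose) pairs where the person opted IN.
CONSENTS = {("c1", "marketing newsletter")}

def audit(data_map):
    """Personal-data columns with no recorded purpose or lawful basis: what an auditor would ask about."""
    return [(d.system, c.name) for d in data_map for c in d.columns
            if c.personal and (not c.purpose or not c.basis)]

def missing_consent(data_map, consents):
    """Rows relying on 'consent' as their basis where the data subject never opted in."""
    return [(d.system, c.name, row["customer_id"])
            for d in data_map for c in d.columns if c.basis == "consent"
            for row in d.rows if (row["customer_id"], c.purpose) not in consents]

def subject_extract(data_map, customer_id):
    """Access request: every personal-data value held on one person, grouped by source system."""
    out = {}
    for d in data_map:
        personal = [c.name for c in d.columns if c.personal]
        for row in d.rows:
            if row.get("customer_id") == customer_id:
                out.setdefault(d.system, []).append({k: row[k] for k in personal if k in row})
    return out
```

Running `audit` surfaces the eye-colour column as data with no justification, `missing_consent` flags the CRM e-mail held for c2 without an opt-in, and `subject_extract` assembles everything held on c1 without any extractor being built in advance.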

Even better, when capabilities like these are combined, data infrastructure automation software can retrospectively go out and catalogue all of your data and easily enable complex data extraction. Building new analytics capability within your organisation with automation software, such as WhereScape, can help you rapidly ensure your compliance with GDPR requirements.

Complying with GDPR presents significant challenges to all businesses. But the first, and most important, step is to quickly get to a point where you can both identify and audit your data. From there, the roadmap to GDPR compliance will suddenly look a lot clearer.

Rob Mellor, VP and GM EMEA, WhereScape 

Image Credit: Wright Studio / Shutterstock