GDPR reminds me of the chaos and misinformation surrounding the millennium bug (arguably self-generated by the IT industry in the late 90s). Those of us who can remember that far back will recall that “crying wolf” did tremendous damage to the status of IT within the business.
I am not saying GDPR compliance will be quite such a damp squib as the millennium bug turned out to be. But at the same time, I don’t expect to see the majority of UK, European or global companies being fined millions of euros on the 25th May 2018 for breaching the terms.
Whilst GDPR may not quite be the impending doom scenario many industry pundits are touting, I do firmly believe businesses should be preparing for GDPR, and not burying their head in the sand.
How will GDPR compliance affect my business?
This was a common question from clients during my time as a research director at Gartner Inc. Another key question was, “How do I begin to prepare for GDPR?”
When I joined OCSL last year, I was pleasantly surprised by their pragmatic approach to helping organisations tackle this impending regulation. They are using their own GDPR Enablement Framework and toolsets from partners like Microsoft and Commvault.
But let’s not get ahead of ourselves, I will discuss how OCSL can help you in detail a little later. To cover off the basic questions like “What is GDPR?”, “How will Brexit affect GDPR and what is DPA 2017?” and “How will GDPR affect my organisation?” please download my
Where to start with GDPR?
Readiness levels vary greatly in different organisations. If you haven’t defined your plan, it’s important to get started now to be compliant by the May 2018 deadline.
To some organisations this might seem like a Herculean task. Data is usually dispersed across many different applications, systems and platforms. This includes production, business intelligence (BI) and analytics, test and dev applications, secondary storage systems for backup and disaster recovery (DR) purposes and both on-premises and cloud-based applications. With this vast variety it can be hard to determine where to start.
This is where OCSL can help organisations prepare for GDPR and DPA 2017 using our Enablement Framework.
The OCSL Enablement Framework begins with organising the team needed to achieve GDPR / DPA 2017 compliance.
Identify who needs to be involved
This first phase should be run as a project and must include executive sponsorship, IT representation and the following business roles:
- GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The data controller is also responsible for making sure that outside contractors comply.
- Data processors may be the internal groups that maintain and process personal data records, or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible that both your organisation and your processing partner, such as a cloud provider, will be liable for penalties even if the fault lies entirely with the processing partner.
- GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Organisations are required to have a DPO if they process or store substantial amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities such as law enforcement may be exempt from the DPO requirement.
Next, assess where personal data is stored
Good data management practices are key to GDPR compliance success. Assessing where you have personal data (in which applications, on-premises or in the Cloud, which processes use this data, and who owns it) is a critical second step within the framework.
OCSL’s expertise in managing data over the last three decades can help you quickly identify where data is held and who is responsible for it.
The fragmentation of data stores makes it very difficult to get an overview of data and manage data efficiently.
Using a consolidated data management platform helps you understand your data landscape, define and drive policy across your data estate (both on-premises and in the Cloud), and of course meet the new requirements for data access, data erasure (right to be forgotten [RTBF]), and data portability.
In the next and final part of my GDPR series, I’ll walk you through:
- The remaining steps within the OCSL Enablement Framework
- Toolsets and procedures to make GDPR and DPA 2017 preparation simple
- How to test to ensure you are prepared for any non-compliance or data breach
In the meantime, if you have any questions relating to my post or your IT strategy in general, please do not hesitate to get in touch.