Post Published On: June 3, 2018
GDPR is intended to harmonize the governance of information that relates to individuals (“personal data”) across European Union (EU) member states. According to findings from the Veritas 2017 GDPR Report, almost half (48 percent) of organizations that stated they are compliant do not have full visibility over personal data loss incidents. Moreover, 61 percent of the same group admitted that it is difficult for their organization to identify and report a personal data breach within 72 hours of becoming aware of it, which is the deadline GDPR sets for notifying the supervisory authority unless the breach is unlikely to result in a risk to data subjects.
Veritas’ research also found a common misunderstanding among organizations about responsibility for personal data held in cloud environments: moving data to a cloud provider does not transfer the organization’s accountability as data controller. Avoiding stringent regulatory penalties and fines is clearly a driver for improving an organization’s compliance position, but many companies also see major business benefits that go well beyond avoiding such sanctions.
Veritas research shows that almost all businesses (95 percent) see substantial business benefits in achieving GDPR compliance. GDPR certainly creates a potential new risk for Middle East organizations, but also an opportunity to develop good data governance and management practices. The fundamental requirement of good data governance is visibility and classification, but to comply with GDPR, organizations must also be able to locate, search and minimize the personal data they hold, as well as protect and actively monitor it.
Veritas recommends five steps to GDPR compliance:
Locate: The critical first step in complying with GDPR is gaining a holistic understanding of where all the personal data held by your organization is located. Building a data map of where this information is being stored, who has access to it, how long it is being retained, and where it is being moved is critical to understanding how your enterprise is processing and managing personal data.
Search: Individuals in the EU (data subjects) can now request visibility into all of the personal data held on them by submitting a Subject Access Request (SAR). They can also request that the data be corrected (if factually incorrect), ported (provided in a structured, commonly used and machine-readable format) or deleted. GDPR generally requires a response within one month of the request, so ensuring that the organization can locate the relevant data and service these requests in that time is critical to avoiding GDPR penalties.
Minimize: Data minimization and storage limitation, two of the core principles of GDPR, require organizations to collect only the personal data they need and to reduce the overall amount of stored personal data. This is done by keeping personal data only for the period of time directly related to the original intended purpose. Deploying and enforcing retention policies that automatically expire data over time is the cornerstone of any GDPR strategy.
Protect: Under GDPR, organizations have a general obligation to implement appropriate technical and organizational measures and to be able to show that they have considered and integrated data protection, by design and by default, into all data collection and processing activities.
Monitor: GDPR introduces a duty on all organizations to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected. You should ensure that you have capabilities in place to monitor for possible breach activity, such as unexpected or unusual file access patterns, and to quickly trigger reporting procedures once a breach is confirmed.
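The Monitor step above asks for detection of unexpected or unusual file access patterns and for reporting inside the 72-hour window. The following Python is an added example written for this page, not code from the original post or from Veritas: it baselines each user’s daily reads of personal-data files from constructed audit lines, flags a volume spike and after-hours access on the day under review, and computes the notification deadline from the time of awareness. The audit line format, the path prefixes that hold personal data, the business hours and all user names are assumptions for the example.

```python
"""Added example: flag unusual access to personal-data files from audit
log lines and compute the 72-hour breach-notification deadline.
Constructed data and assumed path layout; not Veritas code."""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

# Assumptions for this example: personal data lives under these prefixes,
# and normal access happens 08:00-18:59 local time.
SENSITIVE_PREFIXES = ("/hr/personnel/", "/customers/")
BUSINESS_HOURS = range(8, 19)
NOTIFY_WINDOW = timedelta(hours=72)  # GDPR Art. 33: not later than 72 hours after awareness


def parse_line(line):
    """Audit line format assumed here: '<ISO timestamp> <user> <action> <path>'."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


def daily_sensitive_reads(events):
    """Return {user: {date: number of READs on personal-data paths}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, action, path in events:
        if action == "READ" and path.startswith(SENSITIVE_PREFIXES):
            counts[user][ts.date()] += 1
    return counts


def detect_anomalies(log_lines, eval_day, sigma=3.0, floor=10):
    """Compare each user's reads on eval_day (ISO date string) with that
    user's own earlier days. Flag a volume spike (above mean + sigma*stdev,
    never below `floor` so a quiet user is not flagged for a handful of
    reads) and any personal-data reads outside business hours."""
    target = date.fromisoformat(eval_day)
    events = [parse_line(ln) for ln in log_lines if ln.strip()]
    findings = []

    for user, per_day in sorted(daily_sensitive_reads(events).items()):
        history = [n for d, n in per_day.items() if d < target]
        today = per_day.get(target, 0)
        if history:
            spread = pstdev(history) or 1.0  # flat history: assume one read of spread
            threshold = max(floor, mean(history) + sigma * spread)
        else:
            threshold = floor
        if today > threshold:
            findings.append({"user": user, "kind": "volume",
                             "count": today, "threshold": float(round(threshold, 1))})

    after_hours = defaultdict(int)
    for ts, user, action, path in events:
        if (ts.date() == target and action == "READ"
                and path.startswith(SENSITIVE_PREFIXES)
                and ts.hour not in BUSINESS_HOURS):
            after_hours[user] += 1
    for user, n in sorted(after_hours.items()):
        findings.append({"user": user, "kind": "after_hours", "count": n})
    return findings


def notification_deadline(awareness_iso):
    """ISO timestamp of when the organization became aware -> ISO deadline."""
    return (datetime.fromisoformat(awareness_iso) + NOTIFY_WINDOW).isoformat()


def build_sample_log():
    """Constructed sample audit lines, not real data: five baseline working
    days (2018-05-28 to 2018-06-01) in which alice reads 3 personnel files
    and bob 2 customer records per day, then Saturday 2018-06-02 on which
    alice pulls 40 personnel files at 02:00 and bob makes one daytime read."""
    lines = []
    start = datetime(2018, 5, 28, 9, 0)
    for i in range(5):
        day = start + timedelta(days=i)
        for n in range(3):
            t = day + timedelta(minutes=17 * n)
            lines.append(f"{t.isoformat()} alice READ /hr/personnel/emp_{1000 + 3 * i + n}.pdf")
        for n in range(2):
            t = day + timedelta(hours=1, minutes=20 * n)
            lines.append(f"{t.isoformat()} bob READ /customers/acct_{500 + 2 * i + n}.json")
        lines.append(f"{(day + timedelta(hours=2)).isoformat()} bob WRITE /public/notes.txt")
    spike = datetime(2018, 6, 2, 2, 0)
    for n in range(40):
        t = spike + timedelta(seconds=30 * n)
        lines.append(f"{t.isoformat()} alice READ /hr/personnel/emp_{2000 + n}.pdf")
    lines.append(f"{datetime(2018, 6, 2, 10, 0).isoformat()} bob READ /customers/acct_600.json")
    return lines


if __name__ == "__main__":
    for finding in detect_anomalies(build_sample_log(), "2018-06-02"):
        print(finding)
    # Assumed for the example: the alert was reviewed and the breach confirmed at 08:30.
    print("notify supervisory authority by", notification_deadline("2018-06-02T08:30:00"))
```

Two design points matter in practice. The baseline is per user, because a payroll clerk reading thirty records a day is normal while the same volume from a developer is not, and the `floor` parameter stops a user with a near-zero history from being flagged for a handful of legitimate reads. The deadline is computed from the moment of awareness, not from the moment of the anomalous access, which is why the triage step between alert and confirmation should itself be timestamped.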
Technology has a vital role to play in GDPR compliance. For example, Subject Access Request (SAR) preparedness is a critical component of any GDPR compliance strategy and of a compliance culture. Veritas’ eDiscovery Platform directly addresses these challenges by helping organizations quickly pinpoint personal data and review it to assess what must be disclosed and what may lawfully be withheld.
In addition, the eDiscovery Platform delivers an electronic response package that addresses the GDPR’s SAR requirements, so businesses can help ensure regulatory compliance, avoid substantial fines and mitigate reputational damage. Combined with the Veritas Classification Engine, the platform delivers intelligence on data risks on-premises and in the cloud. The platform also enables enterprises to respond to SARs by locating where PII exists across the entire organization and driving actions that retain or delete this data as appropriate. This capability is critical in helping organizations meet mandatory compliance obligations under new regulations such as GDPR.