How to ensure GDPR compliance?
The European Union has a new data privacy law that takes effect on May 25, 2018: the General Data Protection Regulation (GDPR). The new law adds accountability and responsibilities for businesses and strengthens the rights of users. It also places more stringent restrictions on the flow of personal data across borders.
It affects all organizations that keep their users' data, including financial services institutions, social networks, and telecommunications companies. It covers the data of users who are living within the European Union and the export of personal information outside Europe. As such, it affects every organization that collects data from people in the European Union, wherever that organization is based.
The truth is, the new, more stringent privacy law has more provisions that you will need to follow. But the good thing is that companies stand to gain more trust from their customers when they comply with GDPR, as compliance communicates that the company takes better care of user data. It might also be an opportunity for companies to refine, improve, and expand their products and services.
More challenges can lead to more opportunities
It is a well-known principle in investing that the riskier an investment is, the greater the potential return. The same is true with GDPR.
GDPR has put data governance into hyperdrive, and non-compliance can cost you a lot. If you choose to ignore GDPR, you could face legal action, or fines of up to 20 million euros or 4% of your global annual revenue, whichever is higher. It does not matter where your headquarters are: as long as you have customers in the European Union, you must comply. You also need to make sure that the vendors, suppliers, and service providers that handle this data on your behalf comply with GDPR as well.
If you think that the hefty fines scared companies into complying quickly, consider a Guidance Software survey conducted last year: around 24% of businesses predicted that they would not be able to meet the deadline, even though the survey was taken more than a year before GDPR was to take effect.
The same survey reported that 43% of businesses earning revenues of at least $1 billion already had processes to identify the data records of an EU resident and to know where that data is processed. For businesses with up to $100 million in sales, that number drops to 26.8%.
What are the four things that you should do or should have done to ensure compliance?
- Create procedures and policies to anonymize personal data.
- Make a comprehensive audit of the personal data you hold on EU residents.
- Use cloud repositories that encrypt stored data in a way that meets the GDPR's security-of-processing requirements.
- Evaluate and review the third-party suppliers who handle personal data or perform data transfers on your behalf.
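The first item in that list is where many projects go wrong: replacing an e-mail address with its SHA-256 digest is not anonymization, because anyone who knows the scheme can hash every address they can guess and compare. The Python below is an added example, not code from the article or from Oracle, that puts the naive hash beside a keyed pseudonym (HMAC-SHA-256) and runs a dictionary attack against both. The customer records, the candidate address list and the key are constructed for the demo.

```python
# Added example (not from the article or Oracle): pseudonymising e-mail
# addresses with a keyed hash, and showing why an unkeyed hash is not enough.
# The records, the candidate list and the key are constructed for this demo.
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Constructed sample records; the people and addresses are invented.
RECORDS = [
    {"email": "Alice.Smith@example.com", "country": "DE", "plan": "gold"},
    {"email": "bob@example.org", "country": "FR", "plan": "free"},
]


def normalise(email: str) -> bytes:
    """Canonical form so that case and whitespace do not change the identifier."""
    return email.strip().lower().encode("utf-8")


def naive_hash(email: str) -> str:
    """Plain SHA-256 of the address. Often mistaken for anonymisation: the
    input space (plausible e-mail addresses) is small enough to enumerate."""
    return hashlib.sha256(normalise(email)).hexdigest()


def pseudonymise(email: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key. Without the key the digest cannot be
    linked back to the address; with the key the controller can re-derive it.
    GDPR treats this as pseudonymisation, not anonymisation."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def dictionary_attack(digest: str, candidates: Iterable[str],
                      key: Optional[bytes] = None) -> Optional[str]:
    """An attacker who knows the scheme tries every plausible address.
    Succeeds against the unkeyed hash; against HMAC only if the key leaked."""
    for cand in candidates:
        guess = pseudonymise(cand, key) if key is not None else naive_hash(cand)
        if hmac.compare_digest(guess, digest):
            return cand
    return None


def pseudonymise_records(records: List[dict], key: bytes) -> List[dict]:
    """Drop the direct identifier, keep the rest, add a keyed pseudonym."""
    out = []
    for rec in records:
        stripped = {k: v for k, v in rec.items() if k != "email"}
        stripped["subject_id"] = pseudonymise(rec["email"], key)
        out.append(stripped)
    return out


def demo() -> dict:
    """Runs both schemes against a constructed candidate list."""
    # In practice the key lives in a KMS/HSM, never beside the data it protects.
    key = secrets.token_bytes(32)
    candidates = ["alice.smith@example.com", "bob@example.org", "carol@example.net"]
    target = RECORDS[0]["email"]
    return {
        "naive_recovered": dictionary_attack(naive_hash(target), candidates),
        "hmac_recovered_without_key": dictionary_attack(pseudonymise(target, key), candidates),
        "hmac_recovered_with_key": dictionary_attack(pseudonymise(target, key), candidates, key),
        "records": pseudonymise_records(RECORDS, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The naive digest is recovered immediately; the HMAC digest is recovered only by a party holding the key. That is the practical point for the audit: as long as the key exists, the pseudonymised records are still personal data under GDPR and must be governed as such; only destroying the key (and every copy of the original addresses) turns the identifiers into something the regulation would treat as anonymous.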
Some things that are worth mentioning
1. Telcos have it good.
Telecommunications companies are lucky to have a head start because of the Payment Card Industry Data Security Standard (PCI DSS).
Telcos that follow this set of standards have been more or less GDPR compliant since 2016. There are differences, of course: PCI DSS is concerned with cardholder data, while GDPR is focused on personal data in general. However, both deal with data protection, and PCI DSS uses the same security and segmentation processes and technology that you are going to use for GDPR.
What you need
To comply with GDPR, you need infrastructure that is inherently secure, scalable, resilient, and agile. It also needs a lot of processing power.
Oracle Exadata fits this scenario. Oracle Exadata gives you an integrated infrastructure that is secure by design, with every component co-engineered for performance.
Oracle Exadata can also separate the compute and storage nodes, which helps you meet the segmentation expectations of both PCI DSS and GDPR.
2. Cloud computing is not always the best solution to your GDPR worries.
Cloud computing gives you a scalable and flexible roadmap for GDPR compliance. A public cloud provider gives you round-the-clock security monitoring and improvements. You are also able to add security protocols and technology without tying up your IT staff converting legacy applications into cloud-based apps.
However, cloud computing is not ideal for every business. For one, there are issues of data sovereignty and data governance. You also need to consider latency.
What you need
If you are having second thoughts about using the cloud to pave the way to GDPR compliance, consider Oracle's "Cloud at Customer" service. This offering delivers a public cloud environment as a service, located in your own facilities. You get the benefits of cloud computing without the latency issues, while your data stays on your premises, which simplifies regulatory compliance.
Case: AT&T uses Cloud at Customer to help manage more than 2,000 mission-critical databases. AT&T realized that its existing private cloud was not enough; it did not deliver the performance the company wanted. But a public cloud was out of the question, because regulatory, security, and privacy policies prevented AT&T from moving the data off its premises.
With Cloud at Customer, AT&T gained access to the same infrastructure that Oracle itself uses, but located in the telco's own facilities. That covers 2,000 of the telco's biggest databases, some of them up to 100 TB in size.
* * *
Some companies might balk at the sheer amount of work needed to ensure compliance, but complying with GDPR also communicates to customers that they are serious about data protection, which inspires trust. Data consolidation is also one of the activities involved in GDPR compliance, and it gives you better data to analyze and better insights.
If you think that GDPR is a pain to comply with, then you should really think about what would happen if there were an unintended data exposure.
Photo courtesy of Dennis van der Heijden (Flickr).