If you handle the personal data of anyone in the European Union (EU), you should know by now that from May 25, 2018, you will face stiff penalties for violating the provisions of the General Data Protection Regulation (GDPR). A business that fails to comply with its data security obligations faces a fine of up to 10,000,000 EUR or 2% of worldwide annual turnover, whichever is higher. A company found in breach of the GDPR's other, higher-tier provisions faces up to 20,000,000 EUR or 4% of worldwide annual turnover, whichever is higher. Currently, there is no indication that latitude will be given for violations.
GDPR is serious business. Large companies will easily spend millions of euros to comply. GDPR requires organizations to inventory the personal data they generate or receive, who has access to it, and where it is stored.
Fortunately, there is an active, well-established discipline that can, and when mature does, address most of these requirements: Data Governance. A governance program should have a data glossary as its foundation, serving the inventory needs of GDPR. The program should define and facilitate the data security protocols, and it should be the go-to, mobilizable response force in the event of a breach. Stewards should be assigned to every data element to provide the input needed for all of the above.
Also consider data architecture. If you are a US-based company with EU operations, you will have to decide whether to apply the GDPR's data protection standards to all of your data or only to EU data. You may have to "wall off" EU data from US systems if you cannot vouch that the US systems will handle it appropriately. This may result in more localized analytics, or muted analytics once key personal data has been removed from the data set.
If you have not yet established your GDPR board, hired your (EU) Data Protection Officer (DPO), inventoried your data and processes, and built a remediation plan (or startup plan) for Data Governance, then as you read this you will have to move faster than you would like to make the deadline. You will also have to hope that you are not on the early list for audit or, worse, that a breach occurs. By my observation, US-based companies are not taking GDPR seriously enough. The time to act is now.
For a decade, MCG has delivered the expert strategy and implementation services needed to get the most out of Data Governance.
The MCG GDPR Accelerator helps organizations set up Data Governance tailored for GDPR compliance.
We utilize smart data discovery products to locate sensitive data and its relationships across the enterprise, register data processes and data flows, and catalog all sensitive data. In addition, we set up Data Governance to support initiatives and promote the use of data. This includes:
Listen to William and other experts on this important subject on DM Radio: Batten Down the Hatches: Here Comes GDPR.