TDWI | Training & Research | Business Intelligence, Analytics, Big Data, Data Warehousing

General Data Protection Regulation Compliance: What You Must Do Now

Time is running out to prepare your enterprise to meet GDPR's requirements.

• By William McKnight
• April 23, 2018

If you deal with the personal information of anyone in the European Union (EU), you probably already know that as of May 25, 2018, you will face stiff penalties for violating any of the provisions of the General Data Protection Regulation (GDPR). If your enterprise fails to comply with GDPR's data security obligations, you'll face penalties of 2 percent of your worldwide annual revenue or 10,000,000 euros. If you're found to be in breach of other provisions of the GDPR, the fine may rise to 4 percent. Currently, no evidence exists that latitude will be given for violations.

For Further Reading: GDPR Forcing Organizations to View Data Strategically Enterprises Facing New, Stringent Privacy Regulations Your Choices for Data Governance Are Growing

GDPR applies to all companies doing business with personally identifying information (PII) from EU citizens. This includes the U.K., which is still in the EU through March 29, 2019, and has indicated that something similar to GDPR will continue afterward because it is a good idea. GDPR provisions do apply to U.S.-based companies that do business in the EU.

Clearly, GDPR is serious business. Large companies will easily spend millions of euros to comply. GDPR requires organizations to inventory the information they generate or receive, who has access to the information, and where the information is stored. Its provisions include:

• Data protection standards that all but dictate encryption of data at rest
• Data breach notification standards require enterprises to send notifications within 72 hours of a breach
• Requirements that companies have auditable processes to monitor the location and quality of EU citizen data including naming individuals accountable
• EU citizens have the "right to be forgotten" -- that is, the right to request all of their data, except core data required to continue to run the business, be obliterated from company data upon request
• Parental consent before companies can process the personal data of children under 16 years of age
• If a company's core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale or is about special categories of data on a large scale or about criminal convictions and offences, a company must appoint a data protection officer (DPO)

Fortunately, there is an active, well-heeled discipline that, when mature, can and does address most of the GDPR requirements. That discipline is data governance. Governance programs should have a data glossary as a foundation to serve the inventory needs of GDPR. The program should facilitate the data security protocols and should be the go-to response force that can be mobilized in the event of a breach. Stewards should be assigned to all data elements so they can provide input to your governance program.

Also consider data architecture in your GDPR compliance efforts. If you are a U.S.-based enterprise with EU operations, you will have to consider whether to apply the data protection standards to all data or just EU data. You may have to "wall off" EU data from U.S. systems if you cannot vouch that your U.S. systems will handle the data appropriately. This may result in more localized analytics or possibly muted analytics due to the removal of key PII data from the data set.

To avoid hefty fines, your enterprise must embrace sound business practice as a result of your governance program. Some enterprises will have to bring their program up to speed. Those companies that have already invested in strong data governance will see a much more muted budget impact for compliance.

If you have not established your GDPR board, hired your DPO, inventoried your data and processes, and built a remediation plan (or start-up plan) for data governance, you need to move quicker than you would like to meet the deadline. You also need to begin hoping you are not in the early list for audit, or worse, the victim of a breach.

From my observations, U.S.-based companies are not taking GDPR seriously enough. The time to act is now.