Information Technology

Preparing for GDPR

Karam: GDPR will affect every company that sells to the EU

A global survey of over 900 businesses across Europe, the US and Asia Pacific revealed that 86 per cent of organisations worldwide are concerned that a failure to adhere to the upcoming General Data Protection Regulation (GDPR) will have a major negative impact on their business.

The GDPR is due to come into effect on May 25, 2018, when governments across the European Union (EU), including the UK, will enact the most stringent data privacy regulations yet imposed.

The research, commissioned by global software company Veritas Technologies, suggested that the potential impact of the GDPR is creating serious concerns among businesses both in Europe and further afield.

The GDPR will impact any company, including those outside the EU, that holds personally identifiable information (personal data) on EU citizens. For the Middle East, it simply means that organisations which handle the personal data of EU residents must now comply with the new regulation. After all, the EU was the region's top trading partner in 2015, accounting for 16.6 per cent of its total trade, followed by China (14.9 per cent), India (9.4 per cent) and Japan (8.6 per cent).

Johnny Karam, vice president, Emerging Markets, at Veritas, tells Gulf Industry how GDPR will impact Middle East-based companies and how they should meet the potential compliance challenges. Excerpts:

How will GDPR impact Middle East-based companies?

GDPR is intended to harmonise the governance of information that relates to individuals (“personal data”) across the EU member states. It requires greater oversight of where and how personal data—including credit card, banking and health information—is stored and transferred, and how access to it is policed and audited by organisations. GDPR will not only affect companies within the EU but also extend globally, impacting any company that offers goods or services to EU residents, or monitors their behaviour, for example, by tracking their buying habits.

There is now less than one year to go until the EU enacts the GDPR on May 25, 2018. GDPR will impact any company in any industry sector in the Middle East that sells goods or services to any of the EU member states, or handles any of the data of its half a billion residents. These companies must develop a strategy and processes to abide by the new data privacy regulation.

Which sector will be the most affected? What kind of companies will need to comply with the new legislation?

GDPR will affect every company in every sector that sells to the EU. For GDPR specifically, businesses must keep auditable records of the processing of personally identifiable information (PII), which is a key requirement of the GDPR under the new principle of Accountability.

To process personal data in a GDPR-compliant way, an organisation needs to precisely know where this data is stored and what it is. Unfortunately, most organisations have an average of 54 per cent dark data – according to a Veritas study. If you don’t know what data you hold and where it is, you simply can’t comply.

In the UAE, for example, a Veritas study found a typical UAE organisation reports Dark Data rates of 49 per cent (against an EMEA average of 54 per cent) and ROT (Redundant, Obsolete, Trivial files) levels of 43 per cent (EMEA averages 32 per cent), leaving just 8 per cent (EMEA average of 14 per cent) of identifiable business-critical data. Regardless of the requirements of GDPR, this equates to wasted corporate resources of up to an estimated $89 trillion in EMEA by 2020, if companies don’t change their strategy and culture around information management.

What should be the approach to GDPR compliance from the GCC companies?

Get to grips with your ‘Databerg’: Compliance teams also need to know if the personal data goes outside the European Economic Area so they can put the right data transfer agreements in place to ensure that the transfers are lawful. And they need to be able to assess whether it’s still needed, and delete it if it’s not to comply with the principle of Storage Limitation.

To achieve this: Interview employees to understand how they obtain, use and disclose personal data. Do this in combination with a review of the way your systems process personal data, and reconcile the two. This is the basis of your auditable processing record, and a map that will guide you when you review your data management policies and processes to bring them into line with the GDPR.

Use technical tools to gain insight into the dark data that you already hold, both content and location; Veritas has a suite of tools that will help you do this, and re-connect the data that’s stored with the business that owns it. Most businesses have a blind spot when it comes to dark data, but it’s costly to store and after 2018 failure to manage it could attract a fine.

Delete what you don’t need, and formulate policies and procedures that will prevent the Databerg re-accumulating.

Can you outline the key steps that organisations should take to set up a successful GDPR compliance programme?

These are the five steps to GDPR compliance:

Locate: The critical first step in complying with GDPR is gaining a holistic understanding of where all the personal data held by your organisation is located. Building a data map of where this information is being stored, who has access to it, how long it is being retained, and where it is being moved is critical to understanding how your enterprise is processing and managing personal data.

Search: Residents of the EU can now request visibility into all of the personal data held on them by submitting a Subject Access Request (SAR). They can also request that the data be corrected (if factually incorrect), ported (to a suitable export format) or deleted. Ensuring that your organisation can undertake and service these requests in a timely manner is critical to avoiding GDPR penalties.

Minimise: Data minimisation, one of the main tenets of GDPR, is designed to ensure that organisations reduce the overall amount of stored personal data. This is done by only keeping personal data for the period of time directly related to the original intended purpose. The deployment and enforcement of retention policies that automatically expire data over time establishes the cornerstone of your GDPR strategy.

Protect: Under GDPR, organisations have a general obligation to implement technical and organisational measures to show they have considered and integrated data protection into all data collection and processing activities.

Monitor: GDPR introduces a duty on all organisations to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected. Companies should assure that they have capabilities in place to monitor for possible breach activity – such as unexpected or unusual file access patterns – and to quickly trigger reporting procedures.
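As an added illustration of the Monitor step (this is example code, not Veritas tooling or anything from the original interview), the following Python check flags bursts of access to files that the data map marks as holding personal data, so the breach reporting procedure can be triggered for review. The audit lines and the /hr/personal/ prefix are constructed for the example; in practice the prefixes would come from the Locate step's data map.

```python
"""Added example: flag unusual access to personal-data files in audit logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO timestamp> <user> <action> <path>"
SAMPLE_LOG = """\
2018-05-01T09:00:01 alice read /hr/personal/emp-0001.pdf
2018-05-01T09:05:12 alice read /hr/personal/emp-0002.pdf
2018-05-01T09:06:40 bob read /finance/reports/q1.xlsx
2018-05-01T22:10:00 mallory read /hr/personal/emp-0001.pdf
2018-05-01T22:10:03 mallory read /hr/personal/emp-0002.pdf
2018-05-01T22:10:05 mallory read /hr/personal/emp-0003.pdf
2018-05-01T22:10:08 mallory read /hr/personal/emp-0004.pdf
2018-05-01T22:10:11 mallory read /hr/personal/emp-0005.pdf
2018-05-01T22:10:13 mallory copy /hr/personal/emp-0006.pdf
"""

# Assumed: paths under these prefixes hold personal data, per the data map.
PERSONAL_DATA_PREFIXES = ("/hr/personal/",)


def parse_log(text):
    """Parse audit lines into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def bulk_access_alerts(events, window=timedelta(minutes=5), threshold=5):
    """Alert once per burst when a user touches `threshold` distinct
    personal-data files within `window`; each alert is a candidate
    incident for the breach reporting procedure."""
    alerts = []
    recent = defaultdict(list)          # user -> [(ts, path), ...] inside window
    for ts, user, action, path in sorted(events):
        if not path.startswith(PERSONAL_DATA_PREFIXES):
            continue                    # not personal data; out of scope
        recent[user] = [(t, p) for t, p in recent[user] if ts - t <= window]
        recent[user].append((ts, path))
        distinct = {p for _, p in recent[user]}
        if len(distinct) == threshold:  # fires once as the burst crosses the line
            alerts.append({"user": user, "files": len(distinct),
                           "first": recent[user][0][0].isoformat(),
                           "last": ts.isoformat()})
    return alerts
```

Calling `bulk_access_alerts(parse_log(SAMPLE_LOG))` on the constructed log flags only mallory's five-file burst; alice's two reads and bob's non-personal file stay below the threshold.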

What considerations should businesses keep in focus throughout the process?

Information governance is a fast-growing priority for most organisations around the globe. As the countdown to GDPR compliance continues, organisations need a robust information management system in place to help ensure that business leaders know what information they have, where it is, how it can be accessed and who is responsible for it. By being prepared for GDPR, companies will manage data and information more effectively and benefit from increased agility and innovation of their IT systems.

In preparing for GDPR compliance, what are the challenges that companies and the region face?

Companies appear to be facing serious challenges in understanding what data they have, where that data is located, and its relevance to the business – a critical first step in the GDPR compliance journey. Key findings from the Veritas 2017 GDPR report reveal that many companies are struggling to solve these challenges because they lack the proper technology to address compliance regulations.

Almost one third (32 per cent) of respondents are fearful their current technology stack is unable to manage their data effectively, something that could hinder their ability to search, discover and review data – all essential criteria for GDPR compliance.

In addition, 39 per cent of respondents say their organisation cannot accurately identify and locate relevant data. This is another critical competency as the regulation mandates that, when requested, businesses must be able to provide individuals with a copy of their data, or delete it, within a 30-day timeframe.

There is also widespread concern about data retention. More than 40 per cent of organisations admitted that there is no mechanism in place to determine which data should be saved or deleted based on its value. Under GDPR, companies can retain personal data if it is still being used for the purpose that was notified to the individual concerned when the data was collected, but must delete personal data when it is no longer needed for that purpose.

The research highlights that several countries are far behind their global counterparts in terms of GDPR readiness. Where does the GCC stand?

What we do know is that, according to recent Veritas research, almost half of organisations globally (47 per cent) fear that they won’t meet GDPR requirements, while only 31 per cent of organisations consider themselves ready for GDPR.

In order to achieve compliance, the biggest challenge for many organisations globally is understanding what data resides in their complex IT environments, how to protect it, and how to delete it from the network when requested or when it’s no longer needed. According to Veritas research, 32 per cent of organisations globally do not have the right technology in place to cope with GDPR. With one year to go, organisations should look to establish a clearly defined governance strategy with data management tools at the core.

What kind of investment is required in GDPR compliance?

Companies need to be aware of the risks of prosecution and breaking the principles of GDPR, which could result in huge penalties of up to 4 per cent of global turnover or 20 million Euros ($22.36 million), whichever is greater.

Veritas’ research found that less than one third (31 per cent) of respondents believe their organisation is GDPR ready. For those working towards compliance, seven figure investments are the norm. On average, firms are forecasting spending in excess of $1.4 million on GDPR readiness initiatives.

SMEs are a major part of our economies and they are lagging in IT investments. How can companies address this in the GDPR context?

GDPR extends right into the SME domain, affecting businesses with 250 employees or more. There is no doubt that many SMEs, without the benefit of a strong governance team, may find compliance a struggle and they will need access to qualified external professional support. A sensible next step would be to seek an advisory service that can check the level of readiness and build a strategy that ensures compliance. A failure to react now puts jobs, brand reputation and the livelihood of businesses in jeopardy.

Security is a key issue that worries firms when investing in technology. How can companies address this challenge?

The “Integrity and Confidentiality” principle in the GDPR requires that personal data be protected from loss, damage and destruction. It is therefore essential to make sure that the data is backed up, so firms can recover it. This may seem to be the easiest part in the overall GDPR conversation, but this task should not be underestimated. If companies do their Databerg analysis right, they are likely to find that their data is fragmented across different storage areas. They will find personal data stored on virtualised systems, multi-cloud infrastructure and other systems and locations from mobile devices to shared cloud storage services.

These best practices will help to get a backup and resilience strategy in place that covers these fragmented infrastructures:

• Establish a backup and recovery strategy that integrates physical, virtual and multi-cloud scenarios under one umbrella to make it easy to manage;

• Get insights into all existing cloud services and the data stored there and make sure you educate your employees about the right usage; and

• Establish a failover concept that will keep not only the access to the cloud services highly available, but also guarantee the resilience of the services themselves.