Where's Waldo and What Does IT Mean?
Thus, given the above constraints, enterprises need to know who created the data, what the data is called, its metadata (with many layers of attributes), its classifications, who uses the data, where the data is stored and for how long.
This requires tagging the data upon initial entry and tracking it through its life cycle, including all archives, backups, and copies. It also means that companies will need the ability to query the data, report on it to individuals and/or agencies, and delete it if required.
Complicating this further is the need to comply with legal hold and records retention requirements.
Furthermore, if the organization has utilized a SaaS provider and that provider holds the data, then the company must ensure that the third-party provider (and its subcontractors) also has the ability to comply with individuals' requests. After all, the company is still accountable for compliance regardless of where the data is located, and it will need attestation of said compliance.
With GDPR, data is not only one of the enterprise's most important assets but it could become one of its largest risk exposures with fines exceeding the $1 billion payouts for violations that have already occurred under existing laws.
Data needs to be proactively protected in transit, in use, and at rest, and it must be tagged and tracked at all times – no matter where the data is stored. Small business owners and IT executives are expected to have complied by now, but studies show that this is far from the case.
There remains work to do for most firms, and what is most troubling is that enterprises have a poor track record of knowing how many copies of data and databases exist and where they are.
The shift to a digital economy is turning the corporate paradigm upside down – with the focus being on the customer first rather than company product and service offerings.
GDPR is just one link in the chain forcing businesses to rethink their business models – think Facebook and all the hearings its CEO is being asked to present at – and how they meet customer desires and requirements. So while GDPR applies to EU citizens, enterprises should plan on it becoming a global directive as other nations may adopt similar regulations.
Audit, small business owners, IT, legal, and risk executives should ensure they understand and comply with the terms of GDPR as they relate to individual rights and the governance of personal data.
Small business owners and IT executives should build a transition roadmap that addresses their business model; business partner, service provider, and internal communications; and culture, governance, processes, and security both on-premises and across all of their business partner and cloud ecosystems.
Additional relevant research and consulting services are available. Interested readers should contact Client Services to arrange a further discussion or an interview with Mr. Cal Braunstein, CEO and Executive Director of Research.
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.