Hilton, one of the best-known hotel chains in the world, just got a fine of 700,000 US dollars for a data breach. If you think this is bad, keep in mind that as of next spring, the fine could have been more than 400 million. The same could happen to your company, very soon.
The way businesses around the world deal with customer data is headed for a seismic shift as the May 2018 compliance deadline for EU’s General Data Protection Regulation (GDPR) approaches. Yet many North American companies still don’t fully understand their GDPR obligations, or how non-compliance could deal a blow to their bottom lines.
GDPR will change the way business is done like nothing companies here have ever dealt with before. It’s the first time such a massive regulation reaches beyond the borders of the EU, which why it’s hard get your head around it.
The sweeping regulation effectively gives EU residents ownership of all of their personal data held by companies or other institutions no matter where the data or the institutions are located. In addition to setting obligations for securing the data and handling breaches, GDPR gives the owners control over their data including rights to access, data portability and the right to be forgotten.
GDPR sets limits on how you collect data
This adds a new layer of complexity that both the owner of the data and the companies themselves have not yet considered. This puts a lot of pressure on companies that have EU residents as clients.
It also limits the kinds of personal data that can be collected or held without a specific opt-in, so a lot of companies will be forced to undergo a data houseclean and fundamentally re-think their business strategies.
The penalties for ignoring the regulation are staggering, with fines reaching 20 million euros or 4 percent of the company’s annual worldwide turnover. Even if there were holdups in enforcing the regulation in US and Canadian courts, EU officials could simply cut off a company’s access to the European market.
Companies are going to have to comply with GDPR one way or another, whether that means deleting all personal data on EU residents and making sure they don’t collect any more or reorganizing their systems so the data is stored and handled properly. Even Canada’s relatively strict PIPEDA law doesn’t stretch as far as the European regulation.
Do you know what data you have and where?
But one big problem for many companies is where the data is stored. Either in legacy systems that haven’t been updated in years, in systems that are acquired through mergers and acquisitions that aren’t compatible with the existing system or with system integrators (human resources) that are no longer with the company that have not passed the historical data along to their replacements. On top of that, there’s data that are not in the servers, but stored on laptops, desktops or removable hard drives. When you put all these things together, it can be next to impossible to have a clear picture of what personal data they’re holding.
To tackle that problem, Nortal has developed DeepScan, a data management tool designed specifically to aid in GDPR compliance. As the name implies, DeepScan combs through an organization’s entire data system, checking every file to identify personal information and map out where it’s stored. It gives IT teams and legal departments a holistic understanding of what data they have.
With that inventory in hand, companies can reorganize their data in a way that meets regulations, and plug holes in their data collection methods that might cause problems in the future.
GDPR compliance certainly isn’t an issue that managers can simply brush off onto their IT or legal departments. It effects business processes and carries serious risks, both of which can impact the company’s bottom line. Top management, as well as both IT and legal, need to be involved in the effort.
As with tackling any challenge, the first step in handling GDPR is realizing it has to be done. DeepScan is an excellent second step.
Read more about how to turn your GDPR compliance costs into an investment.
