“At this point, companies are often unaware of the data they are holding in the first place,” said Lauri Ilison, head of Big Data and Machine Learning at Nortal told Estonian daily business paper Äripäev. “CIOs may have an overview of their information systems, but often they cannot say what kind of data is stored or which pieces can be traced to specific people. They’ve never looked at information systems that way.” According to Ilison, the situation is dire because the EU’s new General Data Protection Regulation (GDPR) will bring about a complete overhaul of data management for businesses.
Many have still not yet thought about the issue and, according to research by Gartner, half of all companies will be unable to obey the new rules by the end of next year. Under the GDPR, this may lead to hefty fines: up to 20 million euros or 4% of a company’s global turnover. Although Estonia is allowed to establish its own range of sanctions, these must be as effective as the 20 million euro or 4% of revenue benchmark set out in the regulation.
“To date, many have considered the data gathered from customers to be a business asset, but as of May 25th next year, it will be a lot easier for the customers themselves to claim ownership of the data they have provided to, for example, a company or organization,” notes Ilison and explains that every person shall have the right to inquire about the data gathered about themselves. “If a person comes and demands that all of their data is erased, how will a company even know what data it has on the person? A huge challenge indeed!” Ilison urges managers to address the issue urgently as it will take time to prepare an overview of all the data.
This is notably important for large undertakings with a long history who have developed a number of different information systems throughout the years. Even if the nature and location of the data is known, it is now necessary to put in place the technical capabilities for deleting the data, as needed, while avoiding a crash of the information systems.
Ilison also recommends considering the GDPR requirement for updating legacy IT systems that are long out of active development. “If one should begin planning these updates six months from now, it will be rushed, which could potentially result in major errors,” he says as a reminder to all managers. “What each manager should ask today is, do we have an action plan for bringing our company into compliance with the GDPR? Do we know what to do? In what order? What are the implications of GDPR for our company?”
Don’t miss out
On May 16th at the Radisson Blue Hotel Olümpia, GDPR experts from Nortal and Triniti Law Firm will take part in a seminar to discuss bringing business processes and supporting IT systems into compliance with the new Data Protection Regulation. Participants will receive an overview of how managers should approach the GDPR and a step-by-step tutorial of the measures needed to achieve technical preparedness. Working language of the seminar will be Estonian.
You can read more about how Nortal can help businesses to achieve compliance with GDPR here.