As EU citizens and residents gain more awareness around how their data is managed and processed, there is little doubt that the General Data Protection Regulation (GDPR) will have a huge impact on how global organisations collect, manage and store information.
Although built on existing data protection legislation, the GDPR changes the game for businesses because it intensifies the onus on them to proactively manage and protect personal data.
For example, one of the more striking changes under GDPR is the ‘right to be forgotten’ (RTBF), which can require companies to remove all information about a customer on request – and to notify their suppliers to do the same.
In addition, if companies are caught out by a breach, they need to be able to show the regulator that they have proactively taken steps to safeguard this personal data.
Yet, far from being feared, there are business drivers for compliance too, according to Dr Michael McGrath, chief strategist, information archiving and discovery at Micro Focus.
“Storing data that isn’t needed is an unnecessary cost for organisations,” he points out.
So, how can firms be more aware of the data they are collecting, and ensure that they are putting the appropriate safeguards in place for the future?
Assessing personal data under GDPR
Ahead of the compliance deadline of 25 May 2018, it is essential that businesses assess the personal data they collect and process. The first step to doing so is identifying the information that falls under the GDPR requirements and locating where this data sits across your technology stack.
Greg Clark, worldwide director, market strategy, Micro Focus Information Management and Governance Solutions, says this is all about improving your internal visibility into the data you are collecting: “You can’t protect what you don’t know, so the first step is a data assessment.”
As part of this, he advises: “Essentially understand the data landscape, where areas of concern are, prioritising projects in terms of risk. It’s important to have a roadmap: assess data and then apply actions, activities and projects around it.”
But firms should also take into account that there are two types of datasets: the structured data residing in spreadsheets, for example, and the unstructured data which can be anything from emails to social media messages.
These must all be assessed for potentially sensitive data, such as phone numbers, postcodes and dates of birth. It is not always a straightforward process, especially when applied to unstructured data, as Dr McGrath points out.
In addition to this, firms also need to deal with legacy data, which some regulated industries such as healthcare must retain for a certain period of time. However, Dr McGrath advises that these organisations must get into the regular practice of evaluating what information they hold, or face the consequences.
“Where you are forced to retain data, don’t forget to delete it when the time is up, or you will be carrying a legal risk. The regulation is clear: you need consent and purpose to keep data.”
At the same time, the GDPR stipulates that the personal data you do retain must be protected. One way of securing information is by using Micro Focus’ SecureData product, which encrypts data without changing the format.
Indeed, Micro Focus’ technology can ensure this information is protected and that access is only provided to those who need it, says Clark. And this process doesn’t have to be complex: Micro Focus Data Privacy Manager integrates two industry-leading Micro Focus information governance and security products, Structured Data Manager and SecureData, to provide a comprehensive solution to address data privacy around sensitive structured data, while ensuring compliance by governing and protecting data throughout its life cycle.
The end result is that businesses lower the risk of a data breach and reduce the costs of compliance, while safely making data available to applications and processes.
To find out more about how you can manage your data, view the on-demand webinars below:
Identify: Data Privacy Assessment and Information Risk. Where is the information and sensitive personal data that may fall under these regulations?
Act: Encryption. How do I best ensure sensitive data is protected?