The State of GDPR Compliance—Four Months after Inception

Posted 9 October 2018 1:00 PM by Scott Mackey

Unless this is the first tech-related blog post you’ve read in 2018 – and if it is, you can get up to speed here – you’ll know that Europe’s set of consumer privacy regulations, known as the General Data Protection Regulation (GDPR), went into effect on May 25, 2018. Now, four months later, it’s a good time to try and get a read on the current state of GDPR compliance. Not surprisingly, the news is not all that great for many companies.

GDPR compliance—where we’re at today

To judge the current status of enterprises’ ability to comply with GDPR, Talend conducted a study, publishing their results on September 17 of this year. To get what they needed, Talend made GDPR “Right of access by the data subject” and “Right to data portability” requests of 103 firms. They found that:

  • 70% of the companies in the study failed to address customer requests regarding their personal data within the one-month time limit set out in the regulations.
  • Digital-born companies were the most compliant, and their process for making and fulfilling the request was the quickest and easiest for customers.

The news was similar in a recent study by Datanami. They found that:

  • $8 billion in GDPR-related lawsuits have been brought since May.
  • The 14 largest companies in the world are not compliant—including Facebook, which, in the last few months, has lost about one million monthly active users.
  • In many companies, the assumption is that GDPR compliance should be handled by IT or marketing. Or the project gets assigned to a cross-functional group, leading to ineffective implementation due to poor communication.

What are the major GDPR compliance challenges?

Generally speaking, and recognizing that we are only four months in, it seems that most enterprises are not yet fully GDPR compliant and are facing significant challenges in getting there.

Although it’s true that the magnitude of the GDPR compliance problem is so huge that regulators have so far been lenient in their treatment of non-compliant enterprises, it’s also true that at some point the regulations and set punishments will kick in—resulting in painful fines and negative publicity for those who still aren’t compliant.

And the problem is going to get worse for companies in all industries across the globe. GDPR is only the beginning of a trend towards increasing privacy regulation (e.g. the California Consumer Privacy Act of 2018), which will put even more pressure on companies to get their customers’ Personally Identifiable Information (PII) in order. Enterprises need to identify where they are on the compliance spectrum, what challenges they face, and how they can move quickly toward compliance. But, for many, the task will not be easy.

The research shows us that, in fact, large enterprises have no advantage over smaller firms when it comes to dealing with GDPR compliance. Furthermore, an organization’s age and size work against it: legacy systems and huge volumes of unstructured data prevent these organizations from easily complying with privacy requests.

The most compliant businesses are, as one might expect, the more nimble, digital-born companies (primarily streaming services, mobile banking, and technology businesses) that don’t have inefficient legacy systems to deal with and have better data transparency and management abilities.

And – although some companies have taken this step – simply encrypting all your data is not an adequate solution. While it may help in the case of a data breach, it doesn’t solve the problem of fulfilling a “Right to be forgotten” request, for instance. If you can’t find all of a customer’s PII you can’t delete it, whether it’s encrypted or not.

GDPR compliance is not an IT or marketing challenge, something that can be solved with a website overhaul or an email about the company’s revised privacy policy. In fact, one of the first effects that surfaced, post-GDPR inception, was that consumers were getting frustrated by the amount of email they were getting from companies scrambling to meet GDPR regulations.

GDPR compliance is dependent on your data.

It’s likely that, by now, most companies have already taken the first steps in ensuring GDPR compliance. They have created a compliance strategy, created a team to work on the issue, appointed the requisite Data Protection Officer and revised their privacy policies.

But one of the fundamental, and largely unaddressed, issues that prevents organizations from achieving GDPR compliance is their ability to locate and manipulate all of their data. Before anything can be done to manage PII, it must be found within the millions of files stored in different repositories across an organization. Some of that data will be born-digital and searchable, but the elephant in the room is the unstructured data, which makes up 80% of a company’s total data and resides in emails, files and other documents. This “dark data” is what companies are struggling to deal with when it comes to achieving GDPR compliance. They can’t read the data contained in unstructured files like emails, unreadable PDFs, CAD files, scanned paper, etc., and they can’t find PII scattered across fileshares, ECMs, and other dark corners of the company’s records.

The GDPR compliance process

Solving the unstructured data problem in order to achieve GDPR compliance requires that enterprises locate and remediate all of their data—and that, in turn, requires a robust file analytics solution. The process typically follows a few essential steps:

Perform a data audit

Before a company can begin to solve its PII problems it first needs to find out what data it has and where it is stored. This requires using file analytics to identify PII, convert assets containing PII into searchable formats, and extract insights from those documents. This audit will enable organizations to identify all their PII and evaluate whether that data is compliant with their policies.

De-duplicate

Data audits typically reveal large amounts of redundant data that has been created as files are copied across the organization for different business reasons. This data, often referred to as SORT (Sensitive, Obsolete, Redundant, Trivial), needs to be deleted in order to reduce the PII footprint and the effort required to manage it.

Remediate

Once the organization has minimized its PII footprint the next step is to redact, migrate, cordon, encrypt, or password-protect PII data that was flagged in the audit.

Maintain

To maintain PII compliance going forward the best approach is for enterprises to review and revise their policies continually and automate the file analytics process so that it can run audits and remediate on a daily basis.
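The audit, de-duplicate and remediate steps above, worked through as an added example (not code from the original post or from any vendor’s product): a small file-analytics pass over a constructed set of files that flags PII by pattern, drops byte-identical copies by SHA-256 digest, and redacts the flagged values in what remains. The file contents and the e-mail/phone patterns are assumptions for illustration.

```python
import hashlib
import re

# Constructed sample corpus standing in for a fileshare crawl: path -> contents.
# "onboarding_copy.txt" is a byte-identical duplicate, as audits commonly find.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New hire: Ana Lopez, ana.lopez@example.com, phone +44 20 7946 0000",
    "hr/onboarding_copy.txt": "New hire: Ana Lopez, ana.lopez@example.com, phone +44 20 7946 0000",
    "eng/release-notes.txt": "v2.1 fixes the export bug reported in ticket 4821",
    "sales/leads.csv": "name,email\nBo Chen,bo.chen@example.org\n",
}

# Illustrative PII detectors; a real audit would add national ID, card numbers, etc.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){3,4}"),
}

def audit(files):
    """Step 1 (data audit): map each file that contains PII to the values found, by type."""
    report = {}
    for path, text in files.items():
        hits = {kind: rx.findall(text) for kind, rx in PII_PATTERNS.items()}
        hits = {kind: vals for kind, vals in hits.items() if vals}
        if hits:
            report[path] = hits
    return report

def deduplicate(files):
    """Step 2 (de-duplicate): keep one copy per content digest, return survivors and dropped paths."""
    seen, unique, dropped = set(), {}, []
    for path, text in sorted(files.items()):
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if digest in seen:
            dropped.append(path)
        else:
            seen.add(digest)
            unique[path] = text
    return unique, dropped

def redact(files, report):
    """Step 3 (remediate): replace flagged PII with a typed placeholder; untouched files pass through."""
    out = dict(files)
    for path in report:
        if path in out:
            for kind, rx in PII_PATTERNS.items():
                out[path] = rx.sub(f"[{kind.upper()} REDACTED]", out[path])
    return out

def run_pipeline(files=SAMPLE_FILES):
    """Audit everything, then shrink the footprint, then remediate what survived."""
    report = audit(files)
    unique, dropped = deduplicate(files)
    return redact(unique, report), report, dropped
```

The "Maintain" step is the same pipeline scheduled to rerun over the repositories, with the audit report diffed against the previous run to catch newly created PII.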

Wrap Up

Although many companies are not yet GDPR compliant, and the regulatory grace period is likely closing, the goal of GDPR compliance is achievable. The solution begins with putting in place the right organization structure and compliance strategy, and then using file analytics to identify and clean unstructured data. Not only will the organization reduce its PII risk, it will gain an enhanced ability to leverage all of its data, both structured and unstructured, to obtain valuable business insights.
