A little more than a year after the inception of the General Data Protection Regulation (GDPR), it’s a good time to assess the overall impact of the regulation and where companies are in terms of compliance. For many enterprises, the situation is not very encouraging.
A DLA Piper1 report states that approximately 50,000 investigations began in the first eight months after GDPR implementation. Many investigations are ongoing, and more penalties are likely to follow.
GDPR Compliance: The Current State of Affairs
In the first year post-GDPR, many companies took initial steps towards developing a compliance strategy, but most didn’t go much further. The general belief was that regulators would initially be lenient, giving companies a fair chance to comply. Now that the grace period is over, the first of the big post-GDPR fines have hit.
The Nature of GDPR Challenges, One Year In
The data breaches that regularly appear in the news—and the knowledge that more new privacy and data security regulations are coming—have conspired to increase the sense of urgency across the business world. Data protection has become a top corporate priority, and the time for future-proofing against regulatory change and breaches is now.
Unfortunately, most organizations are still struggling to achieve GDPR compliance. They simply don’t know what data they have, and because much of it lives in unstructured formats (such as Word docs, images, and emails) that can’t be readily searched, they also don’t know where their data resides—let alone how to protect it.
This creates two specific GDPR compliance issues: GDPR Article 17, the right to be forgotten, requires that a company be able to delete all instances of a customer’s PII (except for those needed for business purposes) upon request. Compliance is only possible if the organization is able to locate each and every piece of data—even if it’s unstructured.
If a customer takes their business to another company, article 20 kicks in, giving them the right to request that all their PII be migrated to the new organization. If the data can’t be found, it can’t be moved. In order for enterprises to become GDPR compliant, they must first achieve data transparency.
How to Achieve GDPR Compliance
To achieve the data transparency required to comply with GDPR and other emerging regulations, an organization must implement an automated solution that allows them to:
- Identify, analyze, and address data-related business risks.
- Discover and safeguard data across all repositories and fileshares—regardless of format, geography, and volume.
- Assess identified risks and flagged content assets to determine overall business impact.
- Gain a unified view of the entirety of your data, enabling your organization to mitigate risk and garner meaningful insights.
More than a year after the arrival of GDPR, many companies are still not compliant—and the investigations and fines are kicking in. The answer begins with setting the right data-governance strategy and deploying an automated data-enrichment solution that allows your organization to discover, classify, analyze, and protect (redact or remediate) sensitive data across multiple lines of business. Not only will this reduce PII risk, but it will also send a clear message to customers that your company takes data security seriously—building trust at a time when anxiety about personal data is high.
1DLA Piper: Over 59,000 personal data breaches reported across Europe since introduction of GDPR, according to DLA Piper survey
2Digital Guardian: Google Fined $57M by Data Protection Watchdog Over GDPR Violations
3BBC News: British Airways faces record £183m fine for data breach
About the Author
As a senior executive, Scott has spent the last 20 years building Adlib into the thriving organization it is today. Scott has held customer-focused leadership roles spanning success, professional services, marketing, and support. He is passionate about business growth, the human impact of technology, and the pursuit of an ideal customer experience measured in the customers’ terms.