As the GDPR deadline approached, enterprises took swift steps to prepare for the new regulation. If you are not yet fully aware of what GDPR requires, it is worth reading up on it first. GDPR is a ground-breaking, forward-looking, user-friendly regulation that will transform the data privacy landscape in Europe.
One of the critical changes in the new regulation is the size of the penalties for violations: up to 4% of total worldwide annual turnover or EUR 20 million, whichever is greater (the lower tier, for less serious infringements, is 2% or EUR 10 million). This clearly demonstrates how seriously the regulation should be taken, and why enterprises need to be cognizant of it.
A critical aspect of your preparation for GDPR compliance is building the right toolset to discover and catalog all the personal data stored across your enterprise (GDPR uses the term "personal data", which is broader than the "PII" most IT teams are used to). This catalog, in turn, is what lets you honour the regulation's Right of Access, Right to Erasure ("Right to be Forgotten") and Right to Data Portability requirements.
Obvious targets in building such a catalog are the structured data sources of your enterprise: your ERP, CRM and other IT systems. Because data from these systems feeds downstream analytics engines, it is well understood and easily discovered. An obvious strategy for making your IT systems GDPR-compliant is to leverage this data and build the ability to serve Right of Access, Right to Erasure and Data Portability requests. Many of your structured data sources will have convenient methods for accessing and erasing the PII stored in them, and large initiatives can be spun off to achieve these objectives for structured data.
However, amidst this chaos, it is imperative that PII stored in unstructured data sources does not get ignored. An IDC report indicates that 80% of enterprise data is unstructured.
Documents residing in your enterprise content management (ECM) systems, file shares, email attachments and so on can hold significant amounts of PII. The bigger challenge is that your enterprise may not even be aware that this information exists, let alone where it is.
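To make the discover-and-catalog idea concrete, here is a small scanner of the kind described above. It is an added example written for this article, not code from the original post or from any product. It runs a few detectors (e-mail, international phone number, IBAN) over a set of constructed sample documents standing in for files pulled from an ECM system or file share, links each finding to a data subject, and then serves the three requests the article names: an access/portability report, and redaction for erasure. The regular expressions, the "nearest e-mail address in the same document" linking rule and the sample documents are all assumptions made for the demo.

```python
"""PII discovery over unstructured documents (added example, not from the original post)."""
import json
import re
from collections import defaultdict

# Detector patterns. These are demo assumptions: deliberately simple. A real
# scanner adds checksums (e.g. IBAN mod-97), locale-specific ID formats and
# text extraction for PDF/Office files instead of taking plain strings.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){3,4}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
}

# Constructed sample documents (path -> text), standing in for files found on
# a file share, in an ECM system or attached to archived mail.
SAMPLE_DOCS = {
    "hr/onboarding-2017.txt": (
        "New hire: Anna Schmidt, anna.schmidt@example.org, tel +49 30 1234 5678. "
        "Pay salary to DE89 3704 0044 0532 0130 00."
    ),
    "sales/quote-4711.txt": (
        "Quote sent to jan.devries@example.nl (+31 20 555 0199). "
        "CC: anna.schmidt@example.org"
    ),
    "it/runbook.txt": "Restart with: systemctl restart app. No personal data in here.",
}


def scan_document(name, text):
    """Run every detector over one document and return its findings."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            lo, hi = max(0, m.start() - 15), min(len(text), m.end() + 15)
            findings.append({
                "doc": name, "kind": kind, "value": m.group(0),
                "start": m.start(), "end": m.end(), "context": text[lo:hi],
            })
    return findings


def _gap(a, b):
    """Characters between two findings' spans (0 if they overlap)."""
    return max(0, a["start"] - b["end"], b["start"] - a["end"])


def build_catalog(docs):
    """Map each data subject (keyed by e-mail address) to the PII found about them.

    Linking rule (a demo assumption): a phone number or IBAN belongs to the
    e-mail address closest to it in the same document. Findings in documents
    with no e-mail address are filed under "unattributed" for manual review.
    """
    catalog = defaultdict(list)
    for name, text in docs.items():
        findings = scan_document(name, text)
        emails = [f for f in findings if f["kind"] == "email"]
        for f in findings:
            if f["kind"] == "email":
                catalog[f["value"].lower()].append(f)
            elif emails:
                nearest = min(emails, key=lambda e: _gap(e, f))
                catalog[nearest["value"].lower()].append(f)
            else:
                catalog["unattributed"].append(f)
    return dict(catalog)


def access_report(catalog, subject):
    """Right of Access / Data Portability: everything held about one subject,
    in a machine-readable structure that can be handed to the requester."""
    items = catalog.get(subject.lower(), [])
    return {
        "subject": subject.lower(),
        "documents": sorted({f["doc"] for f in items}),
        "data": [{"kind": f["kind"], "value": f["value"], "doc": f["doc"]} for f in items],
    }


def erase_subject(docs, catalog, subject):
    """Right to Erasure: return a copy of docs with this subject's values redacted.

    In-place redaction is the demo's simplification; real erasure also has to
    reach copies, backups and any system that was fed from these files.
    """
    items = catalog.get(subject.lower(), [])
    redacted = dict(docs)
    for f in items:
        redacted[f["doc"]] = redacted[f["doc"]].replace(f["value"], "[REDACTED]")
    return redacted


if __name__ == "__main__":
    catalog = build_catalog(SAMPLE_DOCS)
    print(json.dumps(access_report(catalog, "anna.schmidt@example.org"), indent=2))
```

Run as-is it prints Anna's access report, which spans both the HR document and the sales quote she was only copied on; that second hit is exactly the kind of PII a structured-data-only inventory never sees. The `unattributed` bucket matters in practice: a phone number in a document with no e-mail address still has to be traced to a person by other means, and the catalog should make those gaps visible rather than silently drop them.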
It’s also crucial to note that GDPR protects the “data subject” and doesn’t differentiate between employees and customers. Hence, the regulation applies equally to all types of users: the HR files on your file shares are as much in scope as your customer database.
When a data subject asks for access to their personal data, an inability to provide the information stored in documents can be treated as a violation of the regulation, and you may be liable for the penalties despite the measures and effort put into making your systems GDPR-compliant. Note also that the regulation gives you one month to respond to such a request (extendable by two further months for complex cases), so discovery has to be a routine capability, not a one-off project.
Do not ignore this Achilles’ heel – it can cost you a fortune!