Having almost slipped under the radar, the “First UK enforcement action under GDPR and the new Data Protection Act” has started the ball rolling on GDPR policy enforcement, following the May 25th deadline for compliance. Anyone who thought this might just go away, slipping silently into the night, will now see the “baby teeth” starting to emerge on how much bite is possible. Will it be the incisors of massive financial penalties erupting first? Or perhaps the molars of public embarrassment that cause stock prices to drop? Will the canines of costly remediation soon follow? We will soon find out! A few key takeaways from the article:
- It only took about 2 months to see the first formal enforcement, hardly any sleep lost since May 25th
- It was served on an entity outside the UK deemed non-compliant—this isn’t just an EU problem, and
- The definition of a violation is broad: a wake-up call that the threshold for being at risk is low and liberal.
Get ready, it’s here!
It’s important to look at GDPR compliance as a journey, rather than simply a one-time reaction. The first legal actions will not be the last, so a long-term defense requires a systematic approach to data discovery, privacy protection, policy audit and attestation of controls in place.
Regardless of your current compliance state, the hassle of even potentially being in violation and the need to respond will be no picnic if unprepared, which forces EU and global businesses alike to audit their privacy policies and security posture. If you haven’t gone through a data privacy risk assessment, that is a critical starting point to discover what sensitive information may be subject to abuse or loss under GDPR. While it may be interesting to watch how UK jurisdiction for enforcement plays out and how privacy violations are proven, this is only a first step of many. Expect the scrutiny and inquiries to be ongoing. You will need a reliable, repeatable, programmatic approach, and not just a one-off process, in order to ensure ongoing compliance.
And, while there are expert consultants and vendors who can help you start on your compliance goals with a first phase of risk assessment, it’s important to be able to take the first steps, while completing the journey to its end. I often speak to IT leaders who claim, “I need to protect my critical data, but I don’t know where to begin!”. And this is not an uncommon scenario with the explosion of sensitive data types across a global enterprise.
So what does an organization do to achieve a systematic approach to GDPR compliance?
Avoid single-point solutions and quick fixes that leave you hanging
In the old days, a name, address and credit card were prime targets for a security breach; but today, any number of personal attributes, including geolocations, drug prescriptions and vehicle identification numbers (VINs), can be deemed sensitive when they reveal attributes about a person’s identity. Some organizations will naturally be caught off guard, not realizing how constantly the landscape is changing: more data at risk, more vulnerabilities to exploit. There’s a lot to consider and every business is different! Are you in an industry collecting personal data from IoT devices such as cell phones? Getting personal data from thousands of web forms? And feeding this all into a massive data lake, vulnerable to a breach? If so, you need to consider a holistic approach to discovering risk, enforcing privacy controls globally, auditing compliance, and responding to inquiries. Continuously.
It’s important to not only get ahead of the curve by understanding risks, but to also have a path forward once you’ve completed a risk assessment. Understanding your risks but not being able to respond is essentially ineffective, as you will need to address each aspect of GDPR compliance. Micro Focus maps its products and technologies to GDPR to create an end-to-end solution that is repeatable when evolution in policy and its enforcement require adjustment, or new mandates emerge. Look beyond single point silo solutions and address the problem globally, as GDPR is just the first of many new privacy mandates to come.
By addressing compliance end-to-end, Micro Focus combines the best of its products and, in many cases, offers composite solutions that bring together multiple controls for greater global efficiency—such as data discovery analytics and format-preserving encryption with Micro Focus Data Privacy Manager. But no matter what phase or use case you’re ready to address, there are information management, governance and security products and solutions to support your journey, avoiding gaps in controls that cause false confidence and fail to lower risk.
You didn’t bring the rain, but a comprehensive umbrella enables you to function without getting wet
GDPR will not be the last privacy mandate and the potential for heavy-handed enforcement is just the beginning. And while there may be more privacy challenges coming, having reliable controls in place enables you to handle data, applications and users responsibly to lower risk exposure to potential violations. And that’s good for business!
Opening up more data to more trusted applications without added risk allows for value creation in ways we haven’t seen before: analyzing massive data lakes to understand customer buying preferences or to offer new services, or optimizing business processes along the information value chain, from creation to archiving, in order to support safe growth. Making data available to limited applications and users, without disclosing it unintentionally in ways not authorized by your customers, builds trust and repeat business. While GDPR may be a wake-up call to information governance and security best practices, it’s also an opportunity for those businesses looking ahead to use privacy as a catalyst for future success. Get started and get ahead of the competition!
When ready to have a conversation, contact Micro Focus and start on your GDPR compliance journey.