Primer on General Data Protection Regulation
By Sachin Chheda, Senior Director of Global Accounts and Industry Marketing
The European Union (EU) is putting a framework in place to protect the personal data of its citizens. The General Data Protection Regulation (GDPR) is intended to help strengthen and unify data protection for all individuals within the EU. This regulation was adopted in April of 2016 and will be enforceable starting May 25, 2018. This directive is a positive step for individuals residing in the EU, giving them more control over their personal data, including sensitive personal data and unique identifiers, genetic and biometric data, and pseudonymous data.
GDPR is expected to change the way all companies do business, as it is not only applicable for companies based in the EU, but can also apply to those companies outside of the European Union that work with or otherwise handle data belonging to EU residents and individuals.
One way to view this new regulation is to see it as an opportunity to embrace new processes and technologies to effectively handle the mountains of personal data in today’s information-rich business environment. Unfortunately, many organizations are still not compliant with GDPR, even though they felt they were ready. In a July 2017 study, Nutanix partner Veritas found that one third of those surveyed stated that their “enterprise already conforms to the legislation’s key requirements,” but further inspection revealed that only two percent appeared to be in compliance.
GDPR includes stringent requirements for identifying and reporting data breaches within stipulated time frames. This will allow EU residents to exercise their “right to be forgotten”, by ensuring not only data controllers but also data processors are compliant. The fact that these requirements are coupled with severe fines (the greater of €20M or 4% of global revenue) for non-compliance, has many organizations and businesses on edge.
Here are a few recommended steps that businesses can take now to prepare for GDPR compliance:
- Educate and involve everyone. All business teams, from finance to IT to HR to business units, must be educated and involved in building and implementing the GDPR compliance plan. This should typically start with the right sponsorship from the executive levels on down, with clear communication on how it will not only change processes and vendors, but also impact the business on non-compliance. Many Nutanix System Integrator partners have well-regarded consulting practices aimed at helping companies educate and involve their employees in GDPR compliance exercises.
- Audit data sources and usage. Access and understand all data sources across the entire company, including marketing, CRM, ERP systems, HR and recruiting databases, and more. The intent is to understand where personal data could be stored or used within the company. Automation of auditing and cataloging processes is key, given the sheer amount of personal data in businesses today covering prospects, customers, employees, vendors, and more. Also, understand where the data is being used, not only within the company, but also with data processors (e.g., external service providers providing services based on personal data). Nutanix partners offer a wide range of tools that can help with the auditing of diverse data sources.
- Create a clear plan. Internalize the GDPR requirements and come up with a clear plan for compliance for the different parts of the directive across all data sources, including security and access controls, de-identification and “pseudonymization” of personal data, and more, to achieve privacy and data protection by default. Work with auditors and integration partners to identify blind spots in troublesome areas, such as identifying breaches or reporting early, and develop plans to address them or put processes in place to handle “right to be forgotten” requests. A number of Nutanix system integrator partners and auditors have well-developed practices intended to help businesses audit and plan for compliance.
- Document and govern. After auditing, planning, and implementing measures across the entire organization to meet GDPR, establish a best practice to document sources, end-to-end usage, security/access controls, and the corresponding rules. Establish governance processes to define roles and categories and educate/train employees. Lastly, perform and document regular compliance checks and drills, similar to those conducted for disaster recovery. This should not only involve the internal processes, but also external data processors and vendors. In any case, don’t assume common knowledge of compliance; demand proof of compliance, because businesses (i.e., data controllers) can be held liable for their vendors’ issues.
- Embrace the change. Rather than thinking of GDPR as just the “cost of doing business”, embrace the directive to revamp how internal IT and business applications and processes are set up. Investigate ways to leverage pseudonymization, masking/anonymization with big data and cloud-native applications, stronger integrated encryption, enhanced next-generation intrusion detection, process/data visualization, and enhanced consent processes as a part of your GDPR plans. Be sure to seek out cloud services and data processing vendors that are not only GDPR-compliant, but also provide your business with a distinct advantage. Also, consider whether organizational changes may be needed, including staffing of not only a data protection officer, but also a Chief Information and Security Officer (CISO) to cover security and compliance as a whole. Also, strongly consider assigning executive ownership of GDPR with regular reporting to showcase compliance to customers, prospects, board members, and employees.
With the enforcement of the GDPR directive less than a year away, the time for businesses to act is now. With the right partners, businesses across all industries doing business in the EU can drive action to not only meet compliance, but also lower risk, improve productivity, and drive greater engagement with customers and employees.
Links for additional information:
- Protection of personal data [Official Site]
- GDPR: Getting Ready for the New EU General Data Protection Regulation [InfoLawGroup LLP]
- Guidelines on Data Protection Officers
- Guidelines on the right to data portability
- Privacy and Data Protection by Design [ENISA]
- Veritas Study: Organizations Worldwide Mistakenly Believe They Are GDPR Compliant
© 2017 Nutanix, Inc. All rights reserved. Nutanix, the Enterprise Cloud Platform, and the Nutanix logo are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).