Avoiding the Challenges to Ensure Compliance
Many companies aren’t ready for the looming GDPR deadline, and they face real hurdles in getting to “compliant.” FileFacets, an enterprise analytics and privacy compliance platform that makes it easy for businesses to locate, process, and move unstructured content, offers a solution to these challenges. Today we present a guide to confronting three key difficulties companies face on the path to compliance, courtesy of Chris Perram, FileFacets’ CEO.
No one likes to be forgotten. However, when it comes to personal data, most would happily have their names wiped from the books. And by May 2018, EU citizens will be eligible to do exactly this. Every company with customers in the EU must adhere to a client’s right to be forgotten – to get rid of their data, if they so choose.
The mandate is part of the EU’s General Data Protection Regulation (GDPR), which was created to put more pressure on companies to protect citizen data. It also ensures citizens maintain the right to know where their information is stored and the ability to reuse personal data for their own purposes across various domains.
What about the companies that fail to meet the requirements? They could effectively be put out of business. Those that are noncompliant can be fined 2 to 4 percent of their annual global revenue – or €20 million, depending on which is the highest value.
The trouble is, many companies aren’t ready for what’s coming. Look to the marketing industry for example, where one-quarter of companies have yet to start preparations. Considering 48 percent of U.K. consumers plan to wield their new rights over personal data, there’s a growing sense of urgency for businesses to get this right.
It’s a legal and compliance challenge most companies have never seen. Here are three difficulties companies might face, and how to overcome them:
#1: Your company’s doing a terrible job at tracking its own data (and you probably don’t know it)
Companies do a shocking job of organizing their own data, and your company could be one of them. According to a 2016 Global Databerg Report, 52 percent of all data stored by organizations globally is “dark” data, meaning its value is unknown. Additionally, 33 percent of data is considered “redundant.”
This means that if a client wants access to their information or demands it be erased, more than half of companies might not know where to look for it. Consider that €20 million fine, and it’s a pretty terrifying thought.
Personal data is found in nearly every piece of IT. With many companies engaging in a data-hoarding culture, it’s more important than ever to organize their systems and align with GDPR requirements. While it all seems a bit daunting, there are a few online analysis tools on the market to show how many of your files are redundant, or trivial – including TAMR, Nymity and our own product, FileFacets.
#2: Managing the right to be forgotten
Many companies assume that the right to be forgotten involves simply eliminating all of a customer’s data from records. However, it’s not so black and white, and it’s certainly not as easy as hitting the delete key. The GDPR is more selective, and many consumers will likely want specific parts of their personnel to be forgotten, while enabling other data to be freely and actively shared. One area they may want to be excluded from, for example, is having their data collected in automated decision-making.
Article 22 of the regulation states that individuals “shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
So, say your company uses marketing automation platforms like Pardot or Marketo, which leverages AI to put customers in a campaign based on their activities or responses. Under GDPR, customers have the right to opt out of these processes.
For companies, there are ways around this. Firstly, take stock of the AI-powered programs you are using to see whether you can change someone’s condition in the platform so they aren’t included in these automated lists. Secondly, structure your AI platform in a way to track the reasoning of the decision. If you can prove someone’s entry point, what they agreed to and when they agreed to it, you can demonstrate you’re not overstepping the agreement the user entered into.
#3: Security breaches can now become company killing
In May 2017, India’s largest restaurant and food delivery app Zomato was hacked. Seventeen million customers had their email addresses and passwords stolen, which for a while, were up for sale on the dark web. It was all because one developer had his login credentials compromised.
And while Zomato’s reputation may have been a bit tarnished, the company did still continue to scale – in fact, it announced in August that it had reached 3 million monthly orders for the first time ever.
But imagine this had happened in May 2018, when the GDPR is set to go into effect. Assuming Zomato had European customers, the app would have been fined millions of Euros for the big slip-up. That’s enough to make many companies go under.
For organizations to comply with the GDPR, it’s imperative to enforce strict access controls and carefully track access to data. A company can start by consolidating all privileged accounts and putting them in a centralized vault – one example of a solution is Zoho, which keeps company passwords secure in one place. The Zomato breach began when the hacker got access to one developer’s GitHub account; if his or her unique password was locked away in a vault, one could argue the story would have turned out differently.
The new GDPR is causing plenty of CEOs or founders to shift uncomfortably in their seats. However, if you act fast, it’s not too late to get your data and security organized. These are just a few ideas, but getting started on them will get your company on the right path – and open it up to more processes and ideas to make all your systems secure.