Information Insight, Executive Alignment and Lower Costs
GDPR is rapidly approaching, and companies should begin to prepare for May 2018, when the regulations go into effect. Companies can actually benefit from early preparation to comply with GDPR—the benefits of which range from a competitive advantage through greater insight into data to greater alignment between business units and lower total costs. HPE’s Joe Garber explores three key benefits of preparing now for GDPR.
Early preparation for compliance with the European Union General Data Protection Regulation (GDPR) can deliver a wide range of benefits to organizations. These can range from securing a competitive advantage through greater insight into data to greater alignment between sometimes-competing business units to lower total costs.
At the core of GDPR – which becomes effective in May of 2018 – is the question of how organizations collect, manage and protect EU citizens’ and residents’ personal data. Organizations are paying closer attention to GDPR than to previous regulations of its kind because of the significant risks of noncompliance. The most serious infractions, including not respecting the individual rights of data subjects, incur substantial fines (the greater of 4 percent of global revenue or €20 million). On top of this, there are also risks of legal action and lost customer confidence.
To gauge where your organization stands regarding its GDPR readiness, it is important that you understand what data exists within your enterprise, where it resides, if it is personal data, its relative value to the organization and the technology that supports its maintenance. More specifically, here are five questions that should be addressed when assessing your enterprise’s GDPR readiness:
- Where is the personal data stored that will fall under these regulations?
- How can I protect, store and securely back up data?
- How can I identify information for disposition, in accordance with the “right to be forgotten”?
- Can I report a breach within the timeline required by the EU data protection regulations?
- How can I reduce my overall risk profile?
While these questions are simply a starting point to begin the GDPR-readiness conversation, they are important in terms of understanding how your organization will be stronger as it prepares for compliance. Both information governance and security software will likely be needed to provide the framework for compliance. Information governance technology can help organizations discover where their information is stored (with the input of your privacy counsel) so they can determine what information should be managed to GDPR standards. This technology can also enable the user to establish and enforce policies, move data to a consolidated repository (if necessary) and manage this subset of information throughout its life cycle. As a byproduct, organizations will learn more about their data that can be used to help address an individual’s “right to be forgotten” request and those related to other individual rights guaranteed to data subjects under GDPR. Data security, working in conjunction with governance practices, can help secure content regardless of its location within the enterprise.
With the “how” now outlined, let’s take a closer look at the “why.” In many conversations I’ve had with organizations preparing to comply with GDPR, there are a couple of key themes that come up regularly. These organizations’ senior executives are looking to prepare for GDPR as soon as possible because they believe compliance will deliver a number of benefits that extend well beyond managing risk. They often discuss GDPR as a catalyst for doing what they should have been doing already to drive and manage the business with greater control. Here are the three most commonly highlighted incremental benefits:
3 Hidden Values of GDPR Readiness
Information insight is gained as stock is taken of the data that is held across the enterprise. Most organizations collect and maintain information with little understanding of that data and how it is relevant to business objectives. GDPR demands that organizations understand their data and the value it holds and adhere to specific guidelines for handling that data and respecting data subjects’ fundamental rights and freedoms. The insight gained may allow organizations to use information more effectively – as acceptable under GDPR – to ultimately learn more about their customers, identify underfunded parts of the business and perhaps even attain a competitive advantage.
Executive alignment is occurring as the fear of noncompliance and its associated risks is making individual business units work together. A regulation of the magnitude of GDPR is no longer a CIO or CTO directive. Instead, it is a cross-executive concern for privacy, security, compliance, marketing, legal and C-suite executives. By spending more time working together to understand how best to comply, executives are finding more synergies in what they do and identifying how they can share appropriate information to better streamline the business.
Lowering cost is the outlier of these three themes, as it’s the only one not focused on driving the top line for the organization. That said, it can be a significant benefit, and it may be the deciding factor on getting a GDPR project funded. Cost savings from GDPR projects can come in many forms. The most common is often savings derived from retiring applications and defensibly deleting information that no longer has value. By performing the discovery process, categorizing information by relative value and potentially moving information from a variety of data silos, organizations are significantly lowering total storage costs and retiring sometimes thousands of applications on which they are paying maintenance costs. (Read this if you’d like to understand the specifics and how they can translate to a positive ROI in a relatively short period of time). This exercise also can be a first step to a cloud migration strategy and can help protect you from security risks – as older applications are often the first cyber-attack target.
Organizations need to take a holistic approach when evaluating corporate data and aligning information governance policies with broader data security efforts. Those who act quickly will be in a position to not only achieve compliance, but also improve their insight into existing data to enhance products, processes and service offerings.
Don’t get left behind. Start preparing for GDPR now, and take advantage of all the hidden benefits as well. To help you get started, HPE has recently developed a GDPR starter kit that bundles the technologies that perform many of the activities described above.