Enterprise and consumer data sources are proliferating, and so are the regulations governing the proper uses for data and required levels of security, access, and privacy.
When the European Union (EU) General Data Protection Regulation (GDPR) was announced in 2016, organizations were given until May 25, 2018 to comply with the requirements for handling and protecting personally identifiable information (PII) of individuals within the EU, and respecting individuals’ rights to data privacy and use.
The GDPR is an EU-based regulation, but one of its eight principles is international protection of data transferred outside of the European Economic Area (EEA). PII can only compliantly leave the EEA if it is protected and processed adequately according to GDPR mandates.
GDPR is a principle-based regulation, which means it does not prescribe specific technical or organizational measures for the protection of personal data. Organizations must choose which compliance measures to take to satisfy GDPR regulations, regulators, and auditors.
There are fundamental GDPR requirements for data discovery and governance that apply to enterprise data wherever it may contain PII or other personal data. In the lead-up to GDPR enforcement, Aberdeen studied 209 organizations to assess their readiness for compliance with those fundamental GDPR requirements.
As it turned out, only about 43% of those organizations had already implemented the required capabilities, though about 57% planned to. A closer look at the research reveals:
- Only 45% of organizations had implemented discovery / identification capabilities for enterprise data
- 41% of organizations had implemented capabilities to classify PII as such
- 44% had implemented data governance processes for PII protection
- 43% had security controls designed to protect PII confidentiality
- 39% had security controls and recovery capabilities to restore availability of and access to PII
- 39% of organizations had implemented security controls specifically designed to protect PII stored in the infrastructure of cloud service providers
Aberdeen recommends two big first steps toward GDPR compliance: know what and how much PII your organization has, where it is, and who can access it; and ensure that people and processes make the right decisions about how PII should be controlled and processed.
Fifty-nine percent of organizations said they plan to establish the definitions, criteria, awareness, and training necessary for users to understand their roles in GDPR-compliant handling. Only 41% had done so already. Awareness and attitudes toward PII protection and access have perked up, but overall, organizational readiness has yet to catch up.
Other recent Aberdeen research has found a compelling case for organizations to mitigate their non-compliance risks by finding a third-party solution provider to manage their data and data-related processes.
The fines for GDPR violations range from up to €10M or 2% of total global annual revenue for the previous year (whichever is higher) to up to €20M or 4% of total global annual revenue for the previous year (whichever is higher), depending on the type of infraction.
Not only should organizations verify the GDPR compliance measures of any data providers, but they would do well to weigh the costs, complexity, and consequences of GDPR violations against an investment in a specialized security and privacy compliance partner with proven adherence to GDPR.