In his keynote at the 6th Confare Swiss CIO SUMMIT, Ian Wood, Head of Information Protection Solutions and Product Marketing at Veritas Technologies, talks about the costs and the return of being compliant with the new data privacy regulations. In our blog interview he tells us about the impacts of GDPR on enterprise IT and where to start as a CIO to guarantee compliance.
How does cloud, digital change and all the new technological trends change the way enterprises handle data privacy and IT compliance?
Digital Transformation is at the centre of almost every business strategy as organizations look to capture new opportunities in the new digital economy. I see organizations searching for new ways in which they can rapidly turn data into information that provides unique insights and competitive advantages. This includes the rapid adoption of cloud, not one cloud solution but many cloud solutions from multiple providers, and the adoption of new architectures and technology to speed things up. However, harnessing the power of information is not easy. Data is growing like crazy, distributed across many systems and clouds, and new architectures are being deployed, leaving a massive skills shortage in the new systems.
The bottom line is that most favour speed and experimentation to get value over security and compliance, and data protection falls victim to relaxed oversight. Last year, the number of data breaches jumped 40%. Now more than ever, personal data is at risk of being lost or stolen. But this is set to change with the introduction of GDPR (General Data Protection Regulation), where substantial penalties and fines will be implemented. Organizations will need to get GDPR ready or face the severe consequences. We have a big challenge in front of us: in a recent survey from Veritas we identified that 54% of organizations have not started preparing for GDPR. I see a big shift to managing and governing information over simply adopting new technologies.
What are the 4 most important impacts of the GDPR on enterprise IT?
There are 4 key mandates defined by the regulation that will require comprehensive reform and prompt action.
- Accountability and Governance: Organizations will need to maintain relevant documentation on data processing activities and implement measures that demonstrate compliance.
- Storing information: Personal data may not be kept for longer than is necessary for the purpose for which it's processed.
- Breach Notification: A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organization becoming aware of it.
- Individual Rights: An individual may request the deletion or removal of personal data where there are no compelling reasons for its continued existence. This will drive a need for visibility of all that data.
What are the decisive steps for the CIO to guarantee compliance with the GDPR?
This will be an ongoing exercise for all organizations to remain compliant, but they need to get moving quickly. I always recommend to any CIO to ensure they have a clear view of what their maturity is to govern information to meet the newer regulations, and then build a plan. Connecting with Legal, the business and obviously IT is an important piece of the plan; this is not done in isolation but collectively.
The second area is to ensure organizations have visibility of all their data, both structured and unstructured, although the unstructured is causing most of the concern. You cannot manage what you cannot see. Once you have visibility and minimize the storing of information, you can take action and ensure you protect it against data loss effectively. I use data loss in both meanings of the term: data getting corrupted or deleted, and data leaking out of your organization.
Most individuals and organizations are “data hoarders”: they keep everything forever, and this is risky and costly. Change this behaviour and ensure data is treated with the right level of respect; this takes a culture change.
What will be the costs of compliance? Is there a way to use GDPR compliance to create a significant positive effect?
The direct costs of not being compliant are becoming clearer with newer regulations. The regulators can fine organizations 20 Million Euros or up to 4% of your annual turnover, whichever is greater. This is significant! But there is also a positive outcome when organizations address information governance: beyond the benefits to all individuals, organizations can save a lot of cost. For example, why store all that data? On average 30% is redundant, old or trivial, so delete it. Additionally, visibility helps identify the areas of valuable versus non-valuable data.