GDPR is fast approaching – May 25, 2018. And the implications for big data are, well, big.
Essentially, GDPR is a regulation intended to strengthen and unify data protection for all individuals within the European Union, and it applies regardless of where the company is located. Whether you're located in the US or Thailand, if you do business with EU residents, you are subject to GDPR.
Penalties for non-compliance can be steep, and companies worldwide are scrambling.
The Impact of GDPR on Big Data
Here's some of the impact GDPR can have:
- Increased necessity for reviewing and modifying organizational processes, applications, and systems
- A need for new and more stringent privacy and security requirements to be addressed
- Potential fines of up to 4% of annual revenue turnover, plus legal costs and recourse
Have you done all you can to address GDPR?
What to Do About GDPR
Fully addressing GDPR compliance requires a coordinated strategy involving different organizational entities including legal, human resources, marketing, IT, and more.
You’ll want to implement the right technology with effective security controls to:
- Address regulatory requirements
- Reduce risk
- Improve competitive advantage by enabling increased flexibility and quicker time to market
- Enable digital transformations
GDPR will include key requirements that directly impact the way organizations implement IT security.
In particular, to protect and secure personal data it is necessary to:
- Know where the data resides (data inventory)
- Understand risk exposure (risk awareness)
- Review and, where necessary, modify existing applications (application modification)
- Integrate security into IT architecture (architecture integration)
Unfortunately, it’s not really possible to just buy a GDPR-compliant product and call it done. Because GDPR is really more about security processes and managing risk, there isn’t truly a product that will solve all of your problems. What you’ll have to do is ensure that your solutions work together to be truly GDPR compliant.
This can get complicated. So here is Oracle’s solutions framework for addressing GDPR. We'll go through the four steps to GDPR compliance.
1. GDPR Discovery
The ability to monitor, enforce, and report on compliance with GDPR will be essential. You'll need clear insight into how data comes into your organization, what happens to it while it is there, and how it leaves the organization.
For that, you’ll need data governance that provides capabilities such as data lineage, asset inventory, and data discovery. The more data is being reused without proper data governance, the greater the risk of data-handling mishaps. Choose your tools wisely to help with your data governance.
To learn more, download our free whitepaper, “Addressing GDPR Compliance Using Oracle Data Integration and Data Governance Solutions.”
2. GDPR Enrichment
You may need application modifications to comply with the rights of the data subject (people like you and me). This can be a major challenge, as personal information can come in many different formats and types, can be stored in various locations, and can be held in different forms such as voice recordings and video.
In addition, because individuals can request all information about themselves, it must be possible to dynamically handle and automate a potentially large number of these requests—and delete the data, with GDPR’s “right to be forgotten.”
You might also need to consolidate customer data to get a single view of the data subjects across the organization. If an organization can’t identify all personal information that belongs to an individual, that is an indication that it doesn’t have appropriate control over the personal information it holds – which can be a red flag to regulators.
3. GDPR Foundation
You want good IT security with an emphasis on availability and performance of the services. That’s because you don’t know when your system will be tasked with pulling information, and how much at once. You’re also going to be responsible for the ability to restore the availability and access to personal data in a timely manner if there’s been a physical or technical incident.
Here's what you'll have to think about too: encryption will be more important than ever. Ensure you have detailed application-to-storage mapping so any application can be mapped to the physical storage it uses.
4. GDPR Enforcement
You’ll need technologies that can protect people, software, and systems. This includes products and services that provide predictive, preventive, detective and responsive security controls across database security, identity and access management, and much more.
It’s a common misperception that GDPR lists out specific technologies to be applied. But actually, it’s more that GDPR holds the controller and processor accountable, and requires that they consider the risks associated with the data they handle and adopt appropriate security controls.
For enforcement, here are the four groups that encompass the basic security measures that organizations should consider implementing.
Overall, GDPR addresses the key security tenets of confidentiality, integrity and availability of systems and data.
The Opportunities of GDPR for Big Data
So that’s a lot to do. But look at the positive. Some companies view this as a once-in-a-generation chance to truly take a look at their data management and transform it according to general best practices. Data volumes have exploded in the last ten years, and many are working with outdated architectures that haven’t been optimally built. This may be your chance to do something about it and with GDPR looming, it just might be easier to get executive support.
It’s also a chance to take a second look at your tools. GDPR requires higher and more robust reporting and auditing structures so your organization can respond to any Data Protection Authorities and individuals who may have questions. So if there’s any tool you’ve had your eye on previously, now’s your chance …
Future-Proof Your Big Data Compliance
GDPR is not likely to be the only data regulation your organization will have to address. There are multiple laws out there, and the laws are going to change. These laws and regulations are intended to protect citizens, the economy, government, and more. With data breaches and cyber security incidents on the rise, it’s likely this will continue to be an issue.
Consider future-proofing your data, and getting it right now to avoid more headaches (and potentially bigger headaches) in the future.
Consider the Cloud for GDPR
This might also be the perfect time to think about the cloud for your data. Your data is going to have to:
- Be easily portable and removable
- Meet the data minimization principle
At the same time, you’re going to have to understand your internal controls, infrastructure and data architecture in addition to that of any external partners or service providers. The liability of new regulation is going to fall on all parties. This just might be easier if you switch to a cloud or hybrid solution. And it could lead to reducing costs and risks.
Don’t underestimate the length of time it will take to align with GDPR. Remember, it’s not that you should start on May 25 – that’s the date you’re supposed to be compliant. At Oracle, we’re committed to helping organizations with GDPR. Talk to us if you have any questions or would like to learn more about how we can help.
Source: Oracle Big Data Blog posts