The General Data Protection Regulation (GDPR) went into effect on May 25, harmonizing data protection laws across the European Union (EU) via a new set of rules intended to ensure that the personal data of citizens is protected and available upon their request. While some companies have been preparing ahead of the GDPR go-live date for some time now, many others are still scrambling to ensure they’re ready for the compliance requirements.

At its core, GDPR has been introduced to strengthen the rights of EU citizens to better control how their personal data is stored and managed by organizations. Consent for companies to use personal data will have to be freely and explicitly given by that person, and organizations need to ensure records are maintained to demonstrate that they have permission to use that data.

If you think GDPR doesn’t apply to your organization because it’s not based in the EU, think again. GDPR compliance is required for any organization that collects or processes the personal data of any EU resident – regardless of whether the organization is based within or outside of the EU. The financial penalties for those who do not adequately prepare are high: failure to comply with GDPR can lead to fines of up to $24 million or 4 percent of annual worldwide turnover.

How ready for GDPR is your company? If any of the following apply, your organization could be at risk for GDPR fines.

You don’t know where personal data resides

It can be difficult for organizations to know where to start with their GDPR compliance projects. The best first step is to conduct an audit to identify where personal data resides within all of your organization’s systems and data repositories. The goal is to establish effective GDPR procedures so you reliably know where this data is and who has access to it.

You think of GDPR as just another data management challenge

Most organizations store personal data in multiple repositories and systems, but lack an easy and straightforward way to search, access, and secure information across these repositories and systems. That’s fundamentally problematic in terms of quickly and easily locating, managing and securing this data. It’s even more concerning in a critical, often-overlooked area of GDPR compliance: your customers’ access rights to the information you hold about them – otherwise known as Subject Access Requests (SARs).

When an EU citizen makes a SAR, companies will have 30 days to collate all of their data and deliver this information to that individual. Answering these requests is going to be very difficult if the information systems within an organization are not connected in a coherent and manageable way. Given the likely spike in SARs with GDPR in effect, having a system in place to process these requests must be a top priority for companies that will otherwise risk substantial financial penalties as well as public backlash.

You expect a single “silver bullet” solution

Many vendors promise “GDPR compliance,” but such claims miss a fundamental reality: no one solution can ensure GDPR compliance. For one thing, GDPR is not something you “solve” – it’s a series of best practices and processes to manage personal information better. Moreover, no single solution caters to all those aspects now. Even if it did, it could not guarantee GDPR compliance.

Leading up to GDPR’s “go live” date, the majority of time and effort has focused on security – beefing up firewalls, ensuring the right people have access to the information, etc. That’s a critical puzzle piece, but ultimately businesses will need a multi-tiered, multi-pronged approach for addressing GDPR requirements.

A core challenge for many organizations is the inability to connect the systems that store customer data in an effective and meaningful way, and this will only become more difficult as the volume and variety of data organizations must manage continues to increase. Modern Content Service Platforms (CSPs) that can integrate with existing systems and serve as a central hub for managing personal data can provide a consistent and accessible view of all of the information within the business. In addition, next-generation CSPS can also manage the facilitation of SARs – processing requests and delivering the results to individuals.

Organizations that do, will inevitably find themselves better equipped to avoid the pitfalls of GDPR non-compliance.

David Jones
David Jones

is an established thought leader and speaker within the information management space and can regularly be seen and heard at related events, webinars and forums globally. He is Director of Product Marketing at Nuxeo, a leader in modern enterprise content services platform solutions. He is responsible for driving forward all aspects of marketing the Nuxeo content services platform globally. He has worked with technologies, such as analytics, cloud and electronic content management, in a wide range of vertical industries for over 20 years, and has occupied roles with AIIM and Hyland, respectively.