The General Data Protection Regulation (GDPR) went into effect on May 25, harmonizing data protection laws across the European Union (EU) via a new set of rules intended to ensure that the personal data of citizens is protected and available upon their request. While some companies have been preparing ahead of the GDPR go-live date for some time now, many others are still scrambling to ensure they’re ready for the compliance requirements.
At its core, GDPR has been introduced to strengthen the rights of EU citizens to better control how their personal data is stored and managed by organizations. Consent for companies to use personal data will have to be freely and explicitly given by that person, and organizations need to ensure records are maintained to demonstrate that they have permission to use that data.
If you think GDPR doesn’t apply to your organization because it’s not based in the EU, think again. GDPR compliance is required for any organization that collects or processes the personal data of any EU resident – regardless of whether the organization is based within or outside of the EU. The financial penalties for those who do not adequately prepare are high: failure to comply with GDPR can lead to fines of up to $24 million or 4 percent of annual worldwide turnover.
How ready for GDPR is your company? If any of the following apply, your organization could be at risk for GDPR fines.
You don’t know where personal data resides
It can be difficult for organizations to know where to start with their GDPR compliance projects. The best first step is to conduct an audit to identify where personal data resides within all of your organization’s systems and data repositories. The goal is to establish effective GDPR procedures so you reliably know where this data is and who has access to it.
You think of GDPR as just another data management challenge
Most organizations store personal data in multiple repositories and systems, but lack an easy and straightforward way to search, access, and secure information across these repositories and systems. That’s fundamentally problematic in terms of quickly and easily locating, managing and securing this data. It’s even more concerning in a critical, often-overlooked area of GDPR compliance: your customers’ access rights to the information you hold about them – otherwise known as Subject Access Requests (SARs).
When an EU citizen makes a SAR, companies will have 30 days to collate all of their data and deliver this information to that individual. Answering these requests is going to be very difficult if the information systems within an organization are not connected in a coherent and manageable way. Given the likely spike in SARs with GDPR in effect, having a system in place to process these requests must be a top priority for companies that will otherwise risk substantial financial penalties as well as public backlash.
You expect a single “silver bullet” solution
Many vendors promise “GDPR compliance,” but such claims miss a fundamental reality: no one solution can ensure GDPR compliance. For one thing, GDPR is not something you “solve” – it’s a series of best practices and processes to manage personal information better. Moreover, no single solution caters to all those aspects now. Even if it did, it could not guarantee GDPR compliance.
Leading up to GDPR’s “go live” date, the majority of time and effort has focused on security – beefing up firewalls, ensuring the right people have access to the information, etc. That’s a critical puzzle piece, but ultimately businesses will need a multi-tiered, multi-pronged approach for addressing GDPR requirements.
A core challenge for many organizations is the inability to connect the systems that store customer data in an effective and meaningful way, and this will only become more difficult as the volume and variety of data organizations must manage continues to increase. Modern Content Service Platforms (CSPs) that can integrate with existing systems and serve as a central hub for managing personal data can provide a consistent and accessible view of all of the information within the business. In addition, next-generation CSPS can also manage the facilitation of SARs – processing requests and delivering the results to individuals.
Organizations that do, will inevitably find themselves better equipped to avoid the pitfalls of GDPR non-compliance.
David Jones is VP of Product Marketing for Content Services at Nuxeo, responsible for developing the global go-to-market strategy and execution plan for Nuxeo’s modern enterprise Content Services Platform. He has over 20 years’ experience in the emerging technologies space across multiple
industries including big data, analytics, cloud and enterprise content management. Prior to joining Nuxeo David was Vice President of European Operations with AIIM, was CEO and Founder of a Document Management startup for 8 years and has held Product and Marketing Management roles
with Konica Minolta and Hyland. David also holds a place on the AIIM Board of Directors, the non-profit industry association. David has a holistic understanding of the challenges of stakeholders from every facet of the organization and is passionate about delivering modern, future-forward technologies and solutions that truly make a difference to organizations, employees and customers.