US companies that don't have a presence in Europe still have to be sure that they comply with the EU's privacy laws regarding personally identifiable data.
The EU’s General Data Protection Regulation (GDPR) is now law, with full compliance mandated by May 2018. As the far-reaching impact of the GDPR sinks in, a recent Vanson Bourne survey of CIOs shows headaches ahead for many companies, including those based in the US.
That’s because any US company with European customers in its database must fully comply or face big fines. The survey, commissioned by Compuware, showed 52 percent of large US companies hold such personal information. Data management and compliance professionals need to mobilize now because, given the scope of the changes necessary, May 2018 isn’t really that far off.
There’s a lot of fine print in this law, but a major cause of concern involves how personally identifiable information (PII) is handled. The GDPR mandates that all companies must know exactly where every instance of someone’s personal information is located. However, 78 percent of CIOs surveyed admit it’s sometimes difficult to know exactly where all their customer data resides.
Simply finding this data doesn’t sound that challenging, right? However, the increasing complexity, quantity, and distributed nature of business data make it very difficult to discover every instance of a customer’s personal information across the enterprise. Under the law, organizations must not only comply when a customer invokes his or her “right to be forgotten” (asking for personal data to be deleted), but they must also be able to demonstrate that they can comply. This will require organizations to shine a light on systems like mainframes, which continue to hold vast amounts of enterprise data.
Another major challenge involves limits on the use of personal customer data for a variety of business purposes. For example, the GDPR requires organizations to secure the explicit consent of customers to use personal data for purposes other than the service for which the customer has agreed. Eighty percent of survey respondents indicated they either don’t ask explicitly or aren’t sure if they ask customers for this consent. This alone will make them non-compliant.
This consent mandate creates a new hurdle for companies that conduct application testing using real production data. Such testing is widespread and offers significant benefits, including gaining the most realistic sense of how an application will "behave" or perform in the real world. Eighty-three percent of US respondents in the Vanson Bourne survey noted they use real customer data in testing processes for this reason.
However, there's an alternative approach to securing consent, and that is masking, or anonymizing, personal data before it is sent to QA teams or outsourcers. Currently, fewer than 40 percent of companies queried do this prior to using the data for application testing or analysis.
Not only does this type of masking help ensure GDPR compliance, it also helps organizations minimize the likelihood of a sensitive data leak during the testing process. This is especially critical for the 83 percent of respondents who share customer data with external resources to support testing.
In this context, anonymizing doesn’t mean disguising all of the data; it means making it reasonably difficult to identify individuals. This is known as “pseudonymisation,” where it’s fine to use real customer names from the production database, as long as they are not linked to home addresses, dates of birth, passport or license numbers, or any other identifying information.
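The masking step described above, as an added illustration that is not part of the original article: identifying fields are replaced with keyed HMAC tokens before a record leaves production, so QA still gets consistent, joinable test data but cannot recover addresses, dates of birth or document numbers without the production-side key. Field names, the sample record and the key are constructed for this example.

```python
import hmac
import hashlib
from typing import Dict, Iterable

# Fields this example treats as direct identifiers to be unlinked from the
# customer name before data is handed to QA or an outsourcer (assumption).
IDENTIFYING_FIELDS = ("home_address", "date_of_birth", "passport", "license_number")


def pseudonymise_value(value: str, key: bytes, field: str) -> str:
    """Replace a value with a keyed, deterministic token.

    HMAC-SHA256 under a secret held only in production: the same input always
    yields the same token, so joins across tables still work in test, but the
    original cannot be recovered from the token without the key. The field
    name is mixed in so the same string in two columns gets different tokens.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return f"PSEUDO-{mac.hexdigest()[:16]}"


def pseudonymise_record(record: Dict[str, str], key: bytes,
                        fields: Iterable[str] = IDENTIFYING_FIELDS) -> Dict[str, str]:
    """Return a copy of the record with identifying fields tokenised; others untouched."""
    out = dict(record)
    for field in fields:
        if out.get(field):
            out[field] = pseudonymise_value(out[field], key, field)
    return out


def leaks_identifiers(original: Dict[str, str], masked: Dict[str, str],
                      fields: Iterable[str] = IDENTIFYING_FIELDS) -> bool:
    """Release check: does any original identifying value survive in the masked record?"""
    masked_blob = " ".join(str(v) for v in masked.values())
    return any(original.get(f) and original[f] in masked_blob for f in fields)


# Constructed sample record for demonstration; not real customer data.
SAMPLE = {
    "name": "Jane Example",
    "home_address": "1 Example Street, Exampletown",
    "date_of_birth": "1980-01-02",
    "passport": "X1234567",
    "license_number": "D987654321",
    "plan": "premium",
}

if __name__ == "__main__":
    key = b"PRODUCTION-ONLY-KEY-PLACEHOLDER"  # load from a secrets store in practice
    masked = pseudonymise_record(SAMPLE, key)
    print(masked)
    print("identifiers leaked:", leaks_identifiers(SAMPLE, masked))
```

Pseudonymised records are still personal data as long as the key exists, so the key stays in production and the release check runs on every export.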
Other hurdles in the law include the hiring of a data protection officer, though it’s not clear whether this can be an existing staffer with other responsibilities. Then there’s the cumbersome requirement to include new obligations in contracts with outside data processors, who will have some mandates of the GDPR passed along to them.
GDPR will require major changes in the way customer data is handled and used, and many US firms need to take note. While it may seem like there’s much work ahead, a silver lining of GDPR is that in the long run, it will help organizations become better stewards of their customers’ sensitive data, avoiding unnecessary mishaps and engendering trust.
Marcin Grabinski is a technical solution specialist for Compuware.