The EU’s General Data Protection Regulation (GDPR) was adopted in 2016 and applies from 25 May 2018. As the far-reaching impact of the GDPR sinks in, a recent Vanson Bourne survey of CIOs shows headaches ahead for many companies, including those based in the US.
That’s because the GDPR applies to any organisation that offers goods or services to people in the EU, or monitors their behaviour, regardless of where it is headquartered. A US company holding personal data on European customers must fully comply or face fines that can reach 4 percent of global annual turnover. The survey, commissioned by Compuware, showed 52 percent of large US companies hold such personal information. Data management and compliance professionals need to mobilize now because, given the scope of the changes necessary, May 2018 isn’t really that far off.
There’s a lot of fine print in this law, but a major cause of concern involves how personally identifiable information (PII) is handled. In practice the GDPR requires organisations to know where every copy of a person’s data lives: they must keep records of their processing and be able to act on access, rectification and erasure requests against all of it. However, 78 percent of CIOs surveyed admit it’s sometimes difficult to know exactly where all their customer data resides.
Simply finding this data doesn’t sound that challenging, right? However, the increasing complexity, quantity, and distributed nature of business data makes it very difficult to discover every instance of a customer’s personal information across the enterprise, including copies in backups, test environments and analytics extracts. Under the law organizations must not only comply when a customer invokes the “right to be forgotten” (the right to erasure in Article 17, asking for personal data to be deleted), but under the accountability principle they must also be able to demonstrate that they can comply. This will require organizations to shine a light on systems like mainframes, which continue to hold vast amounts of enterprise data.
Another major challenge involves limits on the use of personal customer data for a variety of business purposes. The GDPR’s purpose-limitation principle means data collected to deliver a service cannot simply be reused for an unrelated purpose; the organisation needs a lawful basis for the new use, and where that basis is consent, the consent must be freely given, specific, informed and unambiguous (and explicit for special categories such as health data). Eighty percent of survey respondents indicated they either don’t ask for this consent or aren’t sure whether they do. Where consent is the basis being relied on, that alone leaves them non-compliant.
This consent mandate creates a new hurdle for companies that conduct application testing using real production data. Such testing is widespread and offers significant benefits, including gaining the most realistic sense of how an application will "behave" or perform in the real world. Eighty-three percent of US respondents in the Vanson Bourne survey noted they use real customer data in testing processes for this reason.
However, there’s an alternative to relying on consent, and that is masking, or anonymizing, personal data before it is sent to QA teams or outsourcers. Currently, fewer than 40 percent of companies queried do this prior to using the data for application testing or analysis.
Not only does this type of masking help ensure GDPR compliance, it also helps organizations minimize the likelihood of a sensitive data leak during the testing process. This is especially critical for the 83 percent of respondents who share customer data with external resources to support testing.
Anonymizing and pseudonymizing are not the same thing, and the distinction matters. Pseudonymisation (defined in Article 4(5)) means replacing the identifying fields in a record so that it can no longer be attributed to a specific person without additional information, such as a lookup table or a masking key, that is kept separately and protected. Real customer names are direct identifiers, so a test dataset that keeps them is neither anonymized nor pseudonymized, even if home addresses, dates of birth, passport and licence numbers have been stripped out. Pseudonymized data is still personal data under the GDPR, which treats the technique as a recognized safeguard rather than an exemption; only data that has been irreversibly anonymized, so that nobody can reasonably re-identify the individuals, falls outside the regulation entirely.
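The following is an added example, not code from the original article or from Compuware, showing what the masking described above looks like in practice: direct identifiers are replaced with keyed, deterministic tokens (an HMAC under a key that stays with the production team, never with QA), the date of birth is generalized to a year, and the passport number is dropped outright. It also shows why an unkeyed hash is not a pseudonym: a plain SHA-256 of an e-mail address can be recovered from a list of likely values. The customer rows, field names and key-handling are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample rows in the shape of a production customer table.
# Hypothetical people and values; the duplicate row stands in for what a
# joined export typically contains.
PRODUCTION_ROWS: List[Dict[str, Any]] = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "dob": "1984-03-17", "passport": "X1234567", "plan": "gold"},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.org",
     "dob": "1991-11-02", "passport": "Y7654321", "plan": "basic"},
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "dob": "1984-03-17", "passport": "X1234567", "plan": "gold"},
]

# Fields that directly identify a person and must not reach the test environment.
DIRECT_IDENTIFIERS = ("name", "email", "passport")


def make_masking_key() -> bytes:
    """The 'additional information' the GDPR says must be kept separately.
    Whoever holds this key can re-identify the tokens; QA never receives it."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token: the same (field, value) maps to the same token
    under one key, so joins across tables keep working, but without the key the
    token cannot be reversed or guessed from a dictionary of likely values."""
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def generalize_dob(dob_iso: str) -> str:
    """Keep only the birth year: enough for age-band logic, far less identifying."""
    return dob_iso[:4]


def mask_row(key: bytes, row: Dict[str, Any]) -> Dict[str, Any]:
    """Return a pseudonymized copy of one production row."""
    out = dict(row)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(key, field, str(out[field]))
    # A passport number has no value in functional testing: drop, don't tokenise.
    out.pop("passport", None)
    if "dob" in out:
        out["dob"] = generalize_dob(out["dob"])
    # customer_id is an internal surrogate key kept to preserve foreign-key
    # relationships; the link to a real person lives only in production.
    return out


def mask_rows(key: bytes, rows: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [mask_row(key, r) for r in rows]


def leaks_identifier(masked: Iterable[Dict[str, Any]],
                     production: Iterable[Dict[str, Any]]) -> bool:
    """Release check: does any raw identifier or full DOB from production
    appear anywhere in the masked output?"""
    raw = {str(r[f]) for r in production for f in DIRECT_IDENTIFIERS if f in r}
    raw |= {r["dob"] for r in production if "dob" in r}
    return any(str(v) in raw for r in masked for v in r.values())


def unkeyed_hash(value: str) -> str:
    """What many teams do instead of keyed masking. Deterministic and public."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Re-identify an unkeyed hash by hashing a list of guessable values."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    key = make_masking_key()
    for row in mask_rows(key, PRODUCTION_ROWS):
        print(row)
    print("leaks identifier:", leaks_identifier(mask_rows(key, PRODUCTION_ROWS), PRODUCTION_ROWS))
    guess = dictionary_attack(unkeyed_hash("alice@example.com"),
                              ["bob@example.org", "alice@example.com"])
    print("unkeyed hash recovered as:", guess)
```

Two design points matter here. First, the key is generated on the production side and never shipped with the dataset; if it travels with the extract, the output is merely obfuscated, not pseudonymized. Second, the tokens are deterministic per key, which is what keeps referential integrity across tables for realistic testing; rotate the key per extract if test datasets must not be linkable to each other.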
Other hurdles in the law include the appointment of a data protection officer, which is mandatory for public bodies and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. The DPO may be an existing staffer with other responsibilities, provided those duties don’t create a conflict of interest, or an external contractor. Then there’s the cumbersome requirement in Article 28 to include new obligations in contracts with outside data processors, who will have some mandates of the GDPR passed along to them.
GDPR will require major changes in the way customer data is handled and used, and many US firms need to take note. While it may seem like there’s much work ahead, a silver lining of GDPR is that in the long run, it will help organizations become better stewards of their customers’ sensitive data, avoiding unnecessary mishaps and engendering trust.
Marcin Grabinski is a technical solution specialist for Compuware.