A further issue is that the regulation calls for companies that collect data not just to comply with it, but also be able to demonstrate that compliance.
Demonstrable
“That means that you need software to audit a lot of these processes,” Tozer said. “But a lot of companies and public sector businesses out there have got their back-ups and archives fragmented over a number of different products. It’s going to make not only the compliance side difficult, but also the side where they need to be able to prove that they’re compliant.”
If you are on the path to becoming GDPR compliant and are attempting to rewrite your processes, put in better policies and do all of those things that are going to align you to the guidelines, will that make you 100% compliant? No, David Moseley, Veritas
According to David Moseley, global solutions lead for information governance and GDPR for Veritas, it remains the fact that despite extensive media coverage, many companies are still unprepared for the changes that GDPR will bring.
Not yet started
“In December, we launched some new research that showed 54% of organisations that responded had still not started their journey—and that was 54% of IT decision makers, so it’s pretty remarkable. At the same time, awareness is growing. It’s just that it’s not necessarily turning into action,” he said.
While highly regulated areas such as the financial services sector may be further down the line, Moseley said that the public and private sectors are still getting their heads around the concepts.
“I also think that the time of year is a factor. We’re coming into a lot of year-end and quarter-end for companies and what you’ll probably see is activity picking up after April when the new financial year has started. It’s at that point that project plans will be put in place and budgets put aside,” he said.
This begs the question, if a company decides to address the pressures GDPR presents, is it too late?
Driving accountability
“I think what the regulators are trying to do is drive accountability and good data governance where that hasn’t existed before. So, if you are on the path to becoming GDPR compliant and are attempting to rewrite your processes, put in better policies and do all of those things that are going to align you to the guidelines, will that make you 100% compliant? No,” Moseley said.
“Some companies are huge and have a lot of data to go through, but some are smaller and may be able to do it. We have spoken to the information commissioner’s office, and it is trying to drive this because so many organisations have put data governance to the back of the queue. They are now bringing it to the front.”
Veritas is insistent that rather than seeing the GDPR as a negative thing, companies should instead view it as a positive development for their industries and for society in general.
“There’s a lot of fearmongering in the press because of the size of the fines—it’s like the Y2K issue all over again. There is a lot of momentum on the negative side, but most organisations should see this as the information governance project they’ve always needed to do but haven’t had the chance,” said Moseley.
“Most companies are stuck on technology refresh cycles and have tech debt going back two years. At the same time, many companies have collected data for a rainy day, with the intention of one day putting it through a big data engine and extracting value from it.”
Dark data
However according to Moseley, almost 50% of data that organisations are sitting on is dark, meaning they don’t know what it is and don’t know where it resides. In some cases, it’s also orphaned and the original owner has left the organisation.
But how a company deals with its data says a lot about it. Moseley points out that the likes of Facebook, Uber and Airbnb thrive on data and are at the forefront of governance as well.
“In contrast, many companies that weren’t born in the digital era and have been around a while probably still have paper-based records, and have probably pursued a data storage strategy of just buying more storage. They often don’t know what’s on their storage. They just store more and more data until the hardware is full, and then they buy more.”
GDPR is intended to make firms more accountable and transparent with what they’re doing with data, because by definition what they’re storing is other people’s data.
“It’s information about you and me and they are custodians of that data, so what the law is bringing in is better responsibility,” Moseley said.
“If you’re going to take my data and I get a service from it, then I need to know that you are bound by a new set of modern codes. We need a regulation that is up to the standards of what we can do with computing in 2017 and beyond.”
Subscribers 0
Fans 0
Followers 0
Followers