The EU General Data Protection Regulation will come into effect from May 2018. While there is still some uncertainty over how it will be enforced, maximum fines for non-compliance are significant enough to have captured executive-level attention. Now that senior decision makers understand the requirements, they are keen to roll out enterprise-wide data security initiatives in readiness. At this point, it’s vital that marketers convey their day-to-day needs to avoid being cut off from valuable sources of insight in the future.
Get ready to get tech-ready
Aberdeen’s benchmark survey results consistently show that organisations are more strongly orientated towards implementing technologies than laying foundations. That is, they are heavy on the ‘fire’ aspect of data protection, but lighter on the ‘ready’ and ‘aim’. This is risky. At one end of the spectrum it could result in pockets of data being unprotected. At the other, unnecessary red tape could hinder the work of marketing and data professionals who need ready access to data for insights and decision making.
Before investing in technologies for data security, two fundamental areas need to be addressed: data discovery and data governance.
Data discovery is the first critical step of an effective GDPR strategy. It involves establishing how much personal data is held, where it is stored, who can access it and what access patterns are normal. While it sounds very basic, most organisations don’t have this knowledge. They hold a lot of data and are continually generating more. It’s not all stored in structured databases, either. The majority is unstructured and held in multiple file formats, from documents, presentations and spreadsheets to webpages, emails and video content. It may be on-premises, in the cloud or across a diverse range of platforms, devices and applications.
Once data discovery is complete, governance needs to come under scrutiny. This is about understanding how data is handled, controlled and processed. Data should be categorised to ensure that protection measures and controls are proportionate and cost-effective – not all data needs to be protected under GDPR. Establishing policies for the way different classes of data are handled by human users and automated business processes can facilitate smooth day-to-day operations in line with GDPR requirements.
Six tactics for GDPR compliance
Dealing with data discovery and governance issues upfront facilitates more informed decision making. Strategies for compliance with GDPR primarily aim to reduce the likelihood of loss, destruction or damage of personal data. But at the same time, it’s important to provide a productive, friction-free environment for users and automated processes. Enterprise-wide initiatives for safeguarding data also need to consider the core business processes that required the data in the first place.
There are many innovative technologies available, providing a wide range of controls. However, our analysis has revealed that even the most sophisticated solutions use a combination of just six fundamental approaches. Some of these approaches render data anonymous, meaning that GDPR stipulations do not apply. This is ideal for enterprise-wide initiatives and means marketing and data professionals can continue extracting value from data assets.
- Do nothing
Not all data needs to be protected, so don’t waste time and resources on it. This underlines the importance of identifying and categorising data at the outset.
- Manage access
Set up a centralised store for personal data and only provide access to authorised, authenticated users.
- Monitor and filter usage
The solution should offer visibility of personal data that’s being accessed and distributed as well as flagging data movements that potentially violate security policies.
- Encrypt the data
Encryption helps protect the confidentiality and integrity of personal data. Developing a common approach to managing the lifecycle of encryption keys supports a greater scale of encryption and reduces the total cost of ongoing management.
- Substitute non-data for data
Approaches such as tokenisation can be used to substitute sensitive information with random values while maintaining the length and format of other fields to minimise the impact on business processes.
- Apply persistent controls
Rights management solutions can control how data is used even when it leaves the boundaries of enterprise-managed computing infrastructure.
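The substitution tactic above can be illustrated with a vault-based tokeniser that keeps each field's length and format. This is an added example, not code from the article: `TokenVault`, `shape` and the in-memory vault are hypothetical, and the sample values in the comments are constructed.

```python
import secrets
import string

# Character classes whose members are swapped for random members of the same class.
CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase)

def _class_of(ch):
    """Return the alphabet a character belongs to, or None for separators."""
    for alphabet in CLASSES:
        if ch in alphabet:
            return alphabet
    return None

def shape(value):
    """Reduce a value to its format: 0 = digit, a/A = letter, separators kept."""
    return "".join(c[0] if (c := _class_of(ch)) else ch for ch in value)

class TokenVault:
    """In-memory vault (assumption for this sketch). A real vault holds the
    original values, so it is stored apart from the tokenised data and needs
    the strictest access control and auditing."""

    def __init__(self):
        self._token_for = {}   # original value -> token
        self._value_for = {}   # token -> original value

    def tokenise(self, value, max_attempts=100):
        # The same input always maps to the same token, so joins and
        # de-duplication in downstream systems keep working.
        if value in self._token_for:
            return self._token_for[value]
        if not any(_class_of(ch) for ch in value):
            raise ValueError("value has no characters that can be substituted")
        for _ in range(max_attempts):
            token = "".join(
                secrets.choice(c) if (c := _class_of(ch)) else ch for ch in value
            )
            # Reject a token that equals the input or collides with an issued one.
            if token != value and token not in self._value_for:
                self._token_for[value] = token
                self._value_for[token] = value
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenise(self, token):
        """Only callers with vault access can recover the original value."""
        return self._value_for[token]
```

Because the token for a constructed value such as `4111-1111-1111-1111` still has the shape `0000-0000-0000-0000`, field validation and fixed-width storage in downstream processes are unaffected.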
Strike the right balance
GDPR wouldn’t matter quite so much if data wasn’t so essential to revenue-generating business operations. Personal information needs to be used and shared while also being protected.
There may be less than a year to go before GDPR enforcement begins, but unless time is taken to properly identify data, where it is stored and how it is handled, decisions surrounding its protection will be ill-informed. Marketers need to engage with the decision-making process to ensure both data usage requirements and data protection requirements are met.