
GDPR compliance: act in haste, repent at leisure

Most business leaders now have an awareness of GDPR and its requirements. They’re keen to select and implement technologies to aid GDPR compliance. But important foundational capabilities should be addressed before technical controls for data protection are deployed.

The EU General Data Protection Regulation will come into effect from May 2018. While there is still some uncertainty over how it will be enforced, maximum fines for non-compliance are significant enough to have captured executive-level attention. Now that senior decision makers understand the requirements, they are keen to roll out enterprise-wide data security initiatives in readiness. At this point, it’s vital that marketers convey their day-to-day needs to avoid being cut off from valuable sources of insight in the future.

Get ready to get tech-ready

Aberdeen’s benchmark survey results consistently show that organisations are more strongly orientated towards implementing technologies than laying foundations. That is, they are heavy on the ‘fire’ aspect of data protection, but lighter on the ‘ready’ and ‘aim’. This is risky. At one end of the spectrum it could result in pockets of data being unprotected. At the other, unnecessary red tape could hinder the work of marketing and data professionals who need ready access to data for insights and decision making.

Before investing in technologies for data security, two fundamental areas need to be addressed: data discovery and data governance.

Data discovery is the first critical step of an effective GDPR strategy. It involves establishing how much personal data is held, where it is stored, who can access it and what access patterns are normal. While it sounds very basic, most organisations don’t have this knowledge. They hold a lot of data and are continually generating more. It’s not all stored in structured databases, either. The majority is unstructured and held in multiple file formats, from documents, presentations and spreadsheets to webpages, emails and video content. It may be on-premises, in the cloud or across a diverse range of platforms, devices and applications.

Once data discovery is complete, governance needs to come under scrutiny. This is about understanding how data is handled, controlled and processed. Data should be categorised to ensure that protection measures and controls are proportionate and cost-effective – not all data needs to be protected under GDPR. Establishing policies for the way different classes of data are handled by human users and automated business processes can facilitate smooth day-to-day operations in line with GDPR requirements.

Six tactics for GDPR compliance

Dealing with data discovery and governance issues upfront facilitates more informed decision making. Strategies for compliance with GDPR primarily aim to reduce the likelihood of loss, destruction or damage of personal data. But at the same time, it’s important to provide a productive, friction-free environment for users and automated processes. Enterprise-wide initiatives for safeguarding data also need to consider the core business processes that required the data in the first place.

There are many innovative technologies available, providing a wide range of controls. However, our analysis has revealed that even the most sophisticated solutions use a combination of just six fundamental approaches. Some of these approaches render data anonymous, meaning that GDPR stipulations do not apply. This is ideal for enterprise-wide initiatives and means marketing and data professionals can continue extracting value from data assets.

  1. Do nothing

Not all data needs to be protected, so don’t waste time and resources on it. This underlines the importance of identifying and categorising data at the outset.

  2. Manage access

Set up a centralised store for personal data and only provide access to authorised, authenticated users.

  3. Monitor and filter usage

The solution should offer visibility of personal data that’s being accessed and distributed as well as flagging data movements that potentially violate security policies.

  4. Encrypt the data

Encryption helps protect the confidentiality and integrity of personal data. Developing a common approach to managing the lifecycle of encryption keys supports a greater scale of encryption and reduces the total cost of ongoing management.

  5. Substitute non-data for data

Approaches such as tokenisation can be used to substitute sensitive information with random values while maintaining the length and format of other fields to minimise the impact on business processes.

  6. Apply persistent controls

Rights management solutions can control how data is used even when it leaves the boundaries of enterprise-managed computing infrastructure.
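
The tokenisation tactic ("Substitute non-data for data") as an added example, not taken from the original article or from any vendor's product: a vault-based tokeniser that swaps digits for random digits and letters for random letters while copying separators, so field length and layout are unchanged. `TokenVault`, `tokenise_record` and the sample record are hypothetical names and constructed data.

```python
import secrets
import string

# Character classes; each character is swapped for a random member of its own class.
POOLS = (string.digits, string.ascii_uppercase, string.ascii_lowercase)


class TokenVault:
    """In-memory stand-in for a secured token vault (hypothetical helper)."""

    def __init__(self):
        self._to_token = {}   # real value -> token
        self._to_value = {}   # token -> real value

    @staticmethod
    def _random_like(value):
        # Separators and any other characters are copied unchanged.
        return "".join(
            next((secrets.choice(p) for p in POOLS if ch in p), ch)
            for ch in value)

    def tokenise(self, value):
        # Reuse an existing token so joins and de-duplication still work.
        if value in self._to_token:
            return self._to_token[value]
        for _ in range(100):
            token = self._random_like(value)
            # Reject the identity mapping and collisions with issued tokens.
            if token != value and token not in self._to_value:
                self._to_token[value] = token
                self._to_value[token] = value
                return token
        raise RuntimeError("no free token available for this format")

    def detokenise(self, token):
        return self._to_value[token]


def tokenise_record(vault, record, sensitive_fields):
    """Return a copy of record with the named fields replaced by tokens."""
    return {k: vault.tokenise(v) if k in sensitive_fields else v
            for k, v in record.items()}


# Constructed sample record, not real data.
SAMPLE = {"customer_id": "C-10482", "phone": "+44 20 7946 0018",
          "postcode": "SW1A 1AA", "segment": "enterprise"}
```

The vault is the one place where the real values remain, so it is the component that needs the access management and encryption described in the other tactics.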

Strike the right balance

GDPR wouldn’t matter quite so much if data wasn’t so essential to revenue-generating business operations. Personal information needs to be used and shared while also being protected.

There may be less than a year to go before GDPR enforcement begins, but unless time is taken to properly identify data, where it is stored and how it is handled, decisions surrounding its protection will be ill-informed. Marketers need to engage with the decision-making process to ensure both data usage requirements and data protection requirements are met.

Author: Judith Niederschelp

Judith Niederschelp is managing director of Aberdeen Group Europe, a specialist in data-led marketing for technology companies. She has more than 20 years’ international experience in the industry and a deep-rooted understanding of the B2B sector. www.aberdeen.com
