GDPR implementation is still over 8 months away, but given the scope of the new laws, most companies are deep into preparation already. The changes are pretty broad in scope and many companies are finding issues with aspects of their data management that they previously thought were fine.
Some key areas, though, need to be addressed more than others, because they have the potential to be the most disruptive for businesses:
One of the difficulties of complying with the new law is that there is a certain ambiguity about what is needed, and few aspects are as ambiguous as data security.
Point 39 of the regulation states: ‘Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.’ What ‘appropriate security and confidentiality’ actually represents in practice is difficult to know, which essentially means an overhaul and update to reach peak security by May 2018, followed by a concerted effort to maintain that same level of security from then on.
For many companies this is a major challenge, because it is not simply a case of having a consultant look at your capabilities every few months; it requires almost full-time monitoring of security to make sure that ‘appropriate security and confidentiality’ is maintained. The difficulty is that what is appropriate today is going to be out of date within a week, and could be out of date within days, given the current pace of change in data security and among those who threaten it.
Communication & Compliance
Another key element of the GDPR is communication, something that may require a completely different set of skills than most data teams currently possess, i.e. communicating externally with the subjects of their data collection.
One of the key elements of the GDPR is that people whose data is collected can request it at any time. One of the key parts of the legislation says: ‘Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object.’ This essentially means that companies must create new mechanisms that allow their customers to send requests for their data and receive it within a reasonable time.
This creates a number of issues, not least that those who deal with data need to make sure that everything is kept in easily readable and usable formats at all times. Communication mechanisms need to be put in place to send out data in a timely and efficient way, and new systems to verify the identity of the person making a request also need to be created, because a mechanism that hands out personal data on request is also an opportunity for those trying to steal it.
To achieve both of the above, data governance is going to be key. Data needs to be stored, secured, and accessed quickly, which requires ongoing governance, including making sure that the data that is stored is up to date and accurate.
While being subject to the GDPR, this data also needs to be used for its primary purpose, i.e. by data scientists at your company. How data is used, the results of that use, and any new data produced by analysis then need to be accurately stored and handled as well.
It is a never-ending job and one for which the skills are not common around the world: the current data skills gap means that more companies require these exact skills than there are people available to do the job. This presents yet another challenge to companies looking to enact GDPR effectively.
In order to make sure that data is being effectively secured, communicated, and managed, the most essential thing that companies need to do is make sure they have the skills to undertake these changes. As GDPR is only 8 months away, this work needs to be done now, or they will quickly find themselves behind and potentially falling foul of the regulations.
This means hiring people or consultants who can oversee these changes, putting in place a training programme so that every member of staff understands what they need to do in order to comply with GDPR, and providing more extensive training for those who will need to oversee these elements in the future. Without these kinds of skills and knowledge around dealing with data, none of the above ultimately matters for May 2018, because the flexibility of the regulation forces companies to constantly upgrade and maintain their databases and systems. This can’t be done by consultants alone; instead, the skillset needs to exist in-house, if for nothing more than dealing instantly with issues that could arise.