As the years go by, there is increasing focus on the protection of personal information around the world. Over time we have seen US HIPAA, US GLBA, Canada’s PIPEDA, the EU Data Protection Directive 95/46/EC, and others around the world. The latest, most comprehensive, and the one that is the front and center of concern to organizations is the EU General Data Protection Regulation 2016/679 (GDPR), which replaces the former directive.
The GDPR strengthens and unifies data protection of individuals in the EU. Where the former directive required each country to pass national legislation that was not consistent, the GDPR is a regulation and not a directive and does not require further national legislation. Full compliance for organizations starts May 25, 2018, and applies to any organization that stores, processes, or transfers the personal data of EU residents. It does not matter if the organization resides in the EU. Fines can be stiff, going above €20 million or 4% of global revenues of an organization, whichever is greater.
The regulation defines personal data as: “Personal data is any information related to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
This is a complete program that needs to be managed on a continuous basis to be compliant and minimize risk of exposure in the GDPR regulation. Organizations that attempt to manage this in documents, spreadsheets and emails will find that this approach will lead to inevitable failure. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that are difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active data protection risk monitoring.
To address GDPR, organizations should avoid manual processes encumbered by documents, spreadsheets, and emails. They should look to implement a solution that can manage the range and context of GDPR requirements and processes to manage compliance consistently and continuously in the context of distributed and dynamic business.