As of this writing, we are less than one month from the enforcement deadline of the General Data Protection Regulation (GDPR). Even if you aren’t familiar with GDPR, you’ve probably been getting messages from websites and applications with which you have an account, telling you about their new privacy rules. It’s just happenstance that these messages are coming right after the Facebook debacle, but GDPR is something that any organization doing business in the EU, or handling the personal data of people in the EU, will have to address.
Yet many organizations, especially smaller businesses, still aren’t prepared. One reason given is confusion about the regulation: Do American companies need to worry about this, since it is an EU regulation? How should data at rest be managed? Which tools are effective for managing it?
I had the chance to ask Yann Guernion, Product Marketing Manager for CA Technologies’ Automation Business Unit, about GDPR in the hopes of clearing up some of the confusion. Here is our conversation:
Sue Poremba: What are the top challenges companies face with GDPR?
Yann Guernion: As with any compliance challenge, the most difficult part is ensuring processes run as they should, and that you are able to monitor and prove it. GDPR affects multiple lines of business, including HR, Legal, Marketing, Finance, IT and Procurement. Compliance can be especially tough for enterprises with large and complex environments. Many organizations have grown their customer databases through disparate, siloed systems, then have tried to integrate them through a hodgepodge of connections. All have to be gone through as part of GDPR compliance. Smaller businesses might take advantage of SaaS providers to manage their customer data, reducing the scope of their own necessary GDPR compliance efforts by leveraging compliance measures already taken by their external providers.
Poremba: What’s the best way to handle data at rest—is it encryption? Is it another approach? And why?
Guernion: Encryption can be a good solution for production systems, and usually data in such types of systems is rarely hacked. However, the danger comes from moving data. Many companies have implemented DevOps in order to deliver new features and services as fast as possible to customers. DevOps teams need fresh test data at each and every project’s development iteration to validate against. This data comes directly from production systems and cannot be encrypted in test systems without breaking application features. So, personal information needs to be anonymized so that developers and testers can execute test cases, all while staying in full conformance with GDPR. In that event, automation is a key asset to enabling delivery of anonymized test data at pace, as you cannot imagine manually preparing hundreds of test data sets per day. This is especially critical in environments producing large amounts of data, such as SAP.
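The anonymization step Guernion describes, as an added worked example that is not part of the original interview and not CA Technologies’ own tooling: a small Python masking job that takes a constructed production extract (a customers table and an orders table that references it), replaces the personal fields with keyed pseudonyms or generalized values, keeps the join between the two tables intact, and then checks that no original PII value survives in the output. The records, the field names and the per-refresh masking key are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample production extract (not real data): a customers table and
# an orders table that references it, the shape a DevOps test refresh would copy.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "Alice@example.com",
     "dob": "1984-03-17", "iban": "DE89370400440532013000", "plan": "gold"},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@sample.org",
     "dob": "1991-11-02", "iban": "FR7630006000011234567890189", "plan": "basic"},
]
ORDERS = [
    {"order_id": 5001, "customer_id": 1001, "amount": 42.50},
    {"order_id": 5002, "customer_id": 1001, "amount": 9.99},
    {"order_id": 5003, "customer_id": 1002, "amount": 120.00},
]

# Hypothetical per-refresh secret, held only by the masking job (a secret store
# in practice). Test environments never receive it, so tokens cannot be reversed
# or re-derived there; rotating it per refresh also keeps tokens from being
# linked across refreshes.
MASKING_KEY = b"hypothetical-key-rotated-per-refresh"

PII_FIELDS = ("name", "email", "dob", "iban")


def pseudonym(value: str, key: bytes = MASKING_KEY) -> str:
    """Keyed, deterministic token. Same input -> same token within one refresh,
    but, unlike a bare SHA-256, not reversible by hashing a list of likely
    inputs (emails, names) and looking for matches."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    # Normalize case so variants of one address stay one test user, and keep a
    # syntactically valid address on a reserved domain so validators still pass.
    return f"user-{pseudonym(email.strip().lower())}@test.invalid"


def mask_iban(iban: str) -> str:
    # Keep the country code (code paths may branch on it), blank the rest.
    return iban[:2] + "X" * (len(iban) - 2)


def generalize_dob(dob: str) -> str:
    # Year only: enough for age-bracket logic, too coarse to single someone out.
    return dob[:4]


def mask_customer_id(cid: int) -> int:
    # Tokenize the key column the same way in every table so child rows still join.
    # For large tables, map tokens to a fresh sequence instead to rule out collisions.
    return int(pseudonym(str(cid)), 16) % 10**9


def mask_customers(rows):
    return [{
        "customer_id": mask_customer_id(r["customer_id"]),
        "name": f"Customer {pseudonym(r['name'])[:8]}",
        "email": mask_email(r["email"]),
        "dob": generalize_dob(r["dob"]),
        "iban": mask_iban(r["iban"]),
        "plan": r["plan"],  # non-personal attribute kept so test cases cover it
    } for r in rows]


def mask_orders(rows):
    return [{**r, "customer_id": mask_customer_id(r["customer_id"])} for r in rows]


def residual_pii(masked_rows, source_rows):
    """Post-masking check: every original PII value that still appears verbatim
    anywhere in the masked output. Must be empty before data leaves production."""
    haystack = " ".join(str(v) for r in masked_rows for v in r.values())
    return [r[f] for r in source_rows for f in PII_FIELDS if r[f] in haystack]


def referential_integrity(masked_customers, masked_orders) -> bool:
    ids = {c["customer_id"] for c in masked_customers}
    return all(o["customer_id"] in ids for o in masked_orders)


if __name__ == "__main__":
    customers, orders = mask_customers(CUSTOMERS), mask_orders(ORDERS)
    assert residual_pii(customers, CUSTOMERS) == []
    assert referential_integrity(customers, orders)
    for row in customers + orders:
        print(row)
```

The residual-PII check is the piece worth keeping in any automated refresh pipeline: it is the step that turns "we anonymize test data" into something auditable, since a refresh that fails the check can be blocked before the extract reaches a test environment. Note that the keyed tokens are pseudonymization rather than full anonymization as long as the key exists; which of the two a given dataset needs is a question for the organization’s own GDPR assessment, not something the code decides.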
Poremba: How will automation handle the data at rest differently from other solutions available? What are the benefits of using automation?
Guernion: GDPR’s accountability requirements require companies to implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that processing is performed in accordance with the regulation. From a process standpoint, this can create significant costs for organizations, and potentially overload the teams involved in the processes. Moreover, manual processes raise many concerns: they are not reliable, because they depend only on an employee’s willingness to strictly follow procedures. They are not scalable, because when activity levels increase, it is not always possible to add more manpower. And they are not easily auditable, because at any time you need to know who has been doing what, when and where. That’s why automating the processes involved in data management can be a great support for GDPR compliance. Automated processes are documented, do not rely on humans and are fully traceable.
Poremba: What kind of benefits will American consumers/citizens see from GDPR?
Guernion: GDPR, as with other data regulations in various countries, may challenge American customers to think about the use of their personal data. Recent setbacks on the way Internet giants have been leveraging personal data could push US customers to look at solutions offered by European-based companies instead. But then again, GDPR can also become a huge advantage for American tech companies by making the web unsurfable in Europe due to stringent user consent requirements for obtaining and using information.
May 25 will be here before we know it. The more you know about the steps your company can take to protect data at rest, and data as it moves between production and other systems, by using automation, the better you’ll be able to protect your customers.