Don’t panic, but GDPR deadline day is now two years away

Today marks the exact two year countdown for organisations to become compliant with the European Union’s General Data Protection Regulation (GDPR).

According to research from Veritas, 52 percent of all information currently stored and processed by organisations around the world is considered “dark” data – its actual content and value are completely unknown.

In addition, 13 percent of businesses don’t analyse the value of their data at all, and only 15 percent of the data businesses store is business-critical.

It is estimated that 33 percent of companies’ data is redundant, obsolete, or trivial (ROT).

As the 25 May 2018 compliance date approaches, David Moseley, global solutions at Veritas, said: “General Data Protection Regulation aims to catapult data protection into the era of big data and cloud computing, ensuring that data protection is a fundamental basic right and is regulated uniformly and consistently throughout Europe.”

He said: “Organisations need to build a compliance checklist and task force to avoid massive fines that could be devastating to any business. Business leaders in charge of implementing compliance procedures should also consider a GAP analysis and risk assessments to ensure that their organisations data and information assets are protected.”

The maximum fines for GDPR non-compliance are the higher of €20 million and 4 percent of an organisation’s worldwide turnover.

Countdown to compliance checklist:

· The first step that any organisation will need to take is to identify the personal data it holds and to make an inventory of all its processing activities, including storage

· Identifying personal data across the business is extremely difficult and there needs to be greater checks and balances in place to ensure that organisations have visibility of personal data stored across the business

· The next step will then be to work out if that personal data is really needed, and to delete what cannot be lawfully retained

· Finally, organisations will have to establish methods to ensure that going forward, “dark” data hoards do not reappear and that all personal data is managed in accordance with the law

· In addition, the data controlling organisation will need to be certain that if somebody makes a request in relation to personal data, the tools are there to ensure that the data can be found swiftly and efficiently and the data can be deleted, marked as restricted, corrected or ported as appropriate

· In the background, the principle on data security requires that measures should be taken to prevent loss, damage, destruction, and unauthorised and unlawful processing of personal data. This includes an obligation to ensure data integrity, availability and business continuity

@AntonySavvas