During the journey to adhere to the GDPR, many organizations stumble on frequent challenges in “proving” that personal user or client data is protected. Capgemini targets the four things that organizations need to do to ensure compliance with the new security mandate.
EU General Data Protection Regulation (GDPR) compliance is a vast topic, embracing legal, technology, process, strategy, and marketing. The data protection component is just one part of the bigger picture. As an IT organization, Capgemini isn’t in the business of auditing or providing legal advice on your GDPR position. Instead, we are one of the few companies with an end-to-end portfolio of services and solutions that give clients the practical capacity to manage and safeguard their data in line with GDPR requirements.
During the journey to adhere to the GDPR, many organizations stumble upon challenges and difficulties in “proving” that personal data is being protected. The four things that organizations need to do are:
- Transform their governance and practices (new roles and processes)
- Protect both structured and unstructured data all along their lifecycles
- Detect and report your data breaches and leaks (within 72 hours)
- Reduce IT (and security) costs (for example by deploying digital and cloud services and relying on global, trusted partners).
Capgemini has the experience and knowledge to help clients in their journey towards GDPR compliance because we already have lessons learned for most potential challenges and difficulties. We know how to assist and advise any organization that is struggling to provide evidence that it is complying with GDPR requirements. The regulation, unlike a directive, does not require that legislation be passed at national level, meaning that it will enter into force by May 2018 regardless of whether EU Member States are ready or not.
Let us dig in deeper into the four things all organizations must do:
1. Transform your governance and practices
Even though the GDPR is about protecting personal data, it will also affect how we perform in comparison to how we work today. Since the GDPR was approved and adopted by the EU Parliament in April 2016, not much has happened in terms of organizational changes to current governance and practices. In some organizations, a DPO (data protection officer) was appointed in the false hope that “now we have someone in place so we should be good.” In point of fact, however, a DPO is not necessarily always needed.
According to GDPR requirements, a DPO must be appointed by: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, you do not need to appoint a DPO. However, I would recommend that all larger organizations evaluate the benefits of having one focal point that truly understands the GDPR and the business impact a breach would have. Governance can be performed automatically, with the CRO (chief risk officer) or someone in a similar role such as HOC (head of compliance) provided with 24/7 access to the current status of the organization’s adherence to the GDPR via an online dashboard in order to support the DPO.
2. Protect both structured and unstructured data
Gathered and stored information is (usually) classified as either structured on unstructured. The former is the data stored in fields in a database and the latter is normally presented in eight different ways: e-mail messages, word processing documents, videos, photos, audio files, presentations, webpages, and any other kinds of business documents. Although such files may have an internal structure, they are still considered “unstructured” because the data they contain doesn’t fit neatly in a database.
In addition to structured and unstructured data, there is also a third category—semi-structured data. Semi-structured data is information that doesn’t reside in a relational database but that does have some organizational properties that make it easier to analyze. Examples of semi-structured data include XML documents and NoSQL databases.
Structured data is mostly protected by encryption, with clear separation of access based on “need-to-know” and clear ownership and delegation of encryption keys. Unstructured (and semi-structured) data, however, does not have the same rigorous protection, as it is more difficult to establish. The way forward is to ensure that structured, semi-structured, and unstructured data is managed in adherence to data protection laws and the best way to manage this data is through various software tools. Examples include:
- Big data tools—Software like Hadoop can process and store unstructured and structured data that is extremely large, very complex, and rapidly changing.
- Business intelligence software—Also known as BI, business intelligence is a broad category of analytics, data mining, dashboards and reporting tools that help companies make sense of their structured and unstructured data for the purpose of making better business decisions.
- Data integration tools—These tools combine data from disparate sources so it can be viewed or analyzed from a single application. They sometimes include the capability to unify structured and unstructured data.
- Document management systems—Also called enterprise content management systems, a DMS can track, store, and share unstructured data that is saved as document files.
- Information management solutions—This type of software tracks structured and unstructured enterprise data throughout its lifecycle.
- Search and indexing tools—These tools retrieve information from unstructured data files such as documents, web pages, and photos.
3. Detect and report your data breaches and leaks
As I mentioned above, the move toward new technologies will also change overall governance and how we practice compliance within organizations. It will enable organizations to print and save time stamps of GDPR adherence and detect and report (within 72hrs) any breach “that may pose a risk to individuals” in accordance with the new regulation. Resilience may be the key to enabling organizations to detect and report data breaches effectively but it is also dependent on people/staff being trained in handling data breaches on time. In conclusion, changing the way we work is not only a recommendation, it is a crucial must and, “resistance is futile.”
4. Reduce IT (and security) costs
Organizations must assess which data will be collected and stored, which data is no longer relevant, and where this data will be located before they select the software tools that best fit their data protection needs. The less data is needed, the lower the costs for its processing, storing, detection, management, governance, and erasure.
Capgemini helps clients reduce IT (and security) costs thanks to our strong cybersecurity divisions comprising over 3,000 specialists, including architects, assessors, and specialists in security, forensic and data protection, who consult each client to define the ideal aspect and tools to ensure the best ROI (return of investment). We have the capabilities and partnerships with the world’s best service provider for sensitive data protection for any organization—small, medium, large, regional, or global.
Follow the link to find details about the GDPR and references. For further discussions, please reach out by leaving a comment in form below and we will contact you shortly.
Christer Jansson is head CoE cybersecurity for Capgemini Sweden. Read more Capgemini blogs here.
