Any U.S. organization that handles data belonging to EU citizens now has about three months to comply with the EU’s General Data Protection Regulation (GDPR).
A big part of the process is data discovery, or locating all relevant data potentially dating back decades. A Social Security number and date of birth are just two types of data associated with an individual; there are tens, if not hundreds, of such data types that need to be located and recorded.
It’s nearly impossible to carry out all of the steps to reach GDPR compliance without a clear understanding of where personal data is located throughout an enterprise’s systems. And noncompliance can trigger penalties totaling 4 percent of revenues, or a maximum of $22 million.
To find out more about data discovery, Channel Partners spoke with Nick Porter, founder and technical director of Silwood Technology, a U.K.-based company that develops data-discovery software, and Rob Perry, vice president of product marketing at ASG Technologies, a Silwood partner and provider of information access, management and control.
Perry said it’s definitely crunch time for organizations impacted by GDPR.
“Estimates are that 80 percent of companies won’t be fully compliant by the deadline,” he said. “It would be nice … if they were all ready to go, but it’s not happening. In the United States in particular, we’re seeing a real uptick in the activity, particularly around discovery. The first step – aside from understanding GDPR and how that is going to affect you – when you look at your data, clearly the first step is discovery. You’ve got to find what data you have out there, and in a big organization it’s everywhere.”
Partners can help organizations by recommending the best technologies that will allow them to account for all of their data and rapidly reach compliance, and then helping them make the best use of those technologies, Porter said. A company that doesn’t have a grip on GDPR by now will need “all the tools they can get to reach compliance at this time scale,” he said.
One mistake companies are making in data discovery is focusing on more modern systems, Perry said.
“Many of these companies have data that they’ve been collecting for decades,” he said. “They need to really reach back and consider, ‘What do we have?’ and get rid of it if [they’re] not using it anymore. Part of this is data minimization, and not having data that, one, you don’t have the right to use; and two, you’re not doing anything with and it’s a risk having around. It’s really looking back through your deeper systems from the past and seeing what’s there.”
There are certain types of data that are exempt from the GDPR compliance process, Porter said.
“Part of the regulation is that the data needs to be accessible,” he said. “If you think about paper-based systems, if it’s a room full of pieces of paper … and nobody knows and there’s no index to tell you what’s on that paper, it might well be …