According to the "European report on data confidentiality" by Symantec,
« 92% of French organizations are concerned about their ability to be in compliance with EU's General Data Protection Regulation »
96% of the surveyed companies (in France, Germany and the UK) only have a partial understanding of the upcoming GDPR.
23% of these companies even claim that they will not at all be ready or only partially in compliance with the regulation by 2018.
Perfectly knowing that they risk heavy penalties if they don't comply.
What does this recent report tell us ? That a serious change of cultural and technological mindset is needed, and that time is of the essence. Data protection is not an easy task, especially in big organizations where any given employee has access to confidential information on customers. The GDPR is an absolute necessity for individuals regarding protection of their private information and it is bound to bring a positive impact to businesses if they're ready to play the game and respect the rules. [Read the GDPR text here]
Who is in charge of data compliance ?
Within the framework of the new regulation, personal data can only be collected legally under strict conditions and for justifiable reasons. Besides, the companies which collect and manage personal data will have a double obligation :
- To respect the rights of the concerned people (aka the data subjects) : access, correction and deletion rights…
- To protect personal data against any losses, thefts and accidental or voluntary misuses.
The stakeholders in charge of privacy, often refered to as data controllers and data processors depending mostly on their level of responsibility, have different tasks and therefore different needs :
- The Data Protection Officer is the correspondent and the warrant towards clients about the respect of their rights.
- The Data Processing Officer is the warrant of the conformity and traceability of data, ensuring that the data retention rules are respected.
- The Data Security Officer is the warrant of the protection of data privacy in production databases and other test environments.
What are the next steps to take ?
Every stage of the information lifecycle is concerned by the GDPR, from the collection to the deletion of data. Every organization has to start answering these internal questions : how do we access data, who can see what, to what purpose, who decides what is sensitive data, what happens in case of a data breach ?
These are all obvious and genuine questions, but not so easily answered in the present state of big data management in most companies.
We all know the countdown has begun and the deadline is fast approaching, do not waste a minute !