Its ramifications are global, mandating that all data used within firms, including data used in testing, must be anonymized and secure. This data regulation will affect not just companies that operate in Europe, but every company around the globe that touches data of EU citizens. Penalties for non-compliance are steep: up to 4% of annual turnover/revenue or €20 million, whichever is greater.
Given the many process requirements and the potential fines, organizations need to ensure they have a good understanding of the GDPR and how this affects their “Data Lifecycle.” Potential process and technology changes will take time to implement, so there is a clear need for organizations to continue to take broad steps toward full compliance as the deadline approaches.
Sample rules of the GDPR
A few key things to know about the regulation…
- Consent – Consent must be given by clear affirmative action, the terms of which must be set out in an intelligible and accessible form and clearly distinguishable from other matters. The definition of consent must include all relevant information, such as the nature of the data that will be processed, the purposes of the processing, the identity of the data controller and the identity of any other recipients of the data. Silence or inactivity will not constitute consent.
- Data minimization and purpose limitation – An organization's use of personally identifiable information (PII) must be covered by consent. That consent has to be specific to the processing operations, and the controller cannot request open-ended or blanket consent to cover future processing. This means organizations can only collect as much data as is required to fulfill the purposes for which consent was given, and must ensure that it is kept only for as long as needed and used only by those who need it. Responsibility is placed on data controllers to specify the legitimate interests for which they are using data, whether statutory or contractual.
- Personal data erasure at the moment it is requested – This is a biggie. GDPR rules mean that data cannot be collected and provisioned indefinitely, AND organizations will need to know exactly:
- Where personal data is located;
- When the data was collected;
- Who’s using it; and
- The purpose for which the data is being used.
For organizations that store data inconsistently, for example in uncontrolled spreadsheets and across different environments, it will be extremely difficult to guarantee that there are no instances where data is being used beyond the stated purpose, or that data has been retained too long.
Three examples of personal data use
Think about that. The GDPR requires that organizations know exactly where an individual’s data is across their systems, so that it can be deleted upon request. Philip Howard of Bloor Research gave three great examples of how massive a challenge this is to implement…
- Personal data for testing: Anyone can now contact their bank and flat out say “I do not want you to use my data, masked or otherwise, for development and testing purposes!” How will the bank comply? If the bank makes copies of its production database for testing purposes or takes subsets, it must mask out any personal data. Anywhere that personal data is used (test systems, a developer’s laptop, row 254 of a random spreadsheet) it has to be located and removed.
- Personal data for marketing analysis: There’s another issue. I can contact a shoe manufacturer and say “Don’t use my data for analyzing deals targeted to me!” If that happens, how do call centers offering the “next best offer” survive? If you are doing real-time analytics, how do you exclude my data from the rest of the stream?
- Cross-border issues: Does your IT shop have one set of systems for the EU and others in other parts of the world? Or do you have one superset of applications that are deployed (parameterized) according to geography? How will you manage that personal data across those borders and systems? Or find my data if I come calling!
So how prepared are most organizations to comply with the GDPR? In a GDPR study by Vanson Bourne commissioned by CA Technologies, respondents shared their thoughts on how they think the rule will affect them:
- 90% admitted the GDPR will impact their organization;
- 91% say it will impact the way they “use personal data”;
- Only 46% of all respondents are confident that their testing will be compliant;
- Only 1/3 of respondents are completely confident that they can erase every instance of a customer’s (test) data without delay; and
- 88% foresee technological challenges to compliance. The top two technological challenges were:
- Sensitive Data stored inconsistently (54%)
- Multiple copies of production data stored across network (48%)
A summary of this data is found in this easy-to-read GDPR infographic.
How to get started
Even though the clock is ticking, it is not too late to start or step up your journey toward compliance. This video shows specific tools that can be used to help organizations embrace GDPR’s principles. And earlier this week, CA hosted a webcast that is worth the watch, “Are you ready for the GDPR? One year out.”
Nationwide Building Society also recently provided a helpful example of how they are embracing GDPR requirements in an article in the UK’s QA Financial publication. Richard Jordan, Testing Service Practice Manager, talks about how they used CA Test Data Manager for a “Data as a Service” model in testing by delivering masked, subsetted, and synthetic test data to test teams that need it.
The time is now, and we can help. Check out CA’s GDPR microsite for more info on the complex provisions within the GDPR, steps you should be thinking about as you continue your compliance journey, and information on specific CA products and solutions that organizations can use to help manage their data inventorying, storage, and compliance needs.