To quote Mary Shelley’s Frankenstein, “It’s alive, it’s moving, it’s alive…” The General Data Protection Regulation (GDPR) went into effect on Friday. The EU adopted the regulation nearly 2 years ago with the intention of replacing the 1995 Data Protection Directive. As of last week, all Member States and affected businesses must comply with the requirements of the legislation. This includes any business, in any country, that collects and maintains the personal data of EU citizens.
The “bare minimum” approach to mainframe data security is no longer feasible. Enterprises cannot survive under the reign of GDPR if they cannot consistently and verifiably protect sensitive information, whether it lives in the cloud or on the mainframe. Businesses today are answerable to regulators and consumers alike, and must actively effect a gold standard of mainframe data security, which includes implementing security measures for data testing, management and movement. GDPR is that standard.
GDPR compliance has been an ongoing concern for enterprises worldwide, and many of our customers have asked us “What should we do?”
At this point, enterprises managing data at scale should already have:
- appointed a Data Protection Officer, who will certify compliance with GDPR and other applicable data security laws,
- planned, defined and approved a budget for GDPR compliance that will cover additional resources required, including technology solutions and personnel,
- alerted specific teams on upcoming changes,
- engaged both “sides of the house” (mainframe and distributed) to develop a cross-platform strategy, and
- begun instituting a culture of compliance with a specific plan to train teams on company-wide GDPR policies.
So what next?
GDPR aims to re-establish individuals’ control over their personal data. Complying with the regulation means knowing your data inside and out: where sensitive information is hidden, who has access to that data, and what the best method is for proving compliance, so that you can act efficiently on customer demands. Software solutions, like CA Data Content Discovery, can help enterprises understand their information landscape by identifying lost, hidden or abandoned data and classifying that data by regulation and sensitivity level, all while keeping the data safe and on the mainframe, the most secure place for your customers’ sensitive information.
Purchasing software, however, is not in itself a security fix. Enterprises must endeavor to embed the solutions into their policies and procedures, showing “best efforts” compliance with the regulation. Technology solutions are, at least for now, still heavily dependent on people’s involvement, from integration to continual tuning, and that includes building a top-down culture of compliance that encourages proper usage of technology tools. Auditors are concerned with the application of the tools, the actual use cases for proper compliance, rather than the list of software available at a company.
So remember, don’t just take the requisite steps towards compliance. Actually comply.