An insider look at GDPR as a business enabler to enhance enterprise data privacy.
There was a time where life was simple, and staying in complete control over all data in the business was a manageable task. But fast forward to today’s application economy with IT infrastructures being more intertwined than ever before and GDPR compliance is now more complex than ever. Consider the Connected Mainframe for example, where organizations are integrating the mainframe with Linux, mobile applications, APIs, and Java to drive digital transformation and significant ROI (300 percent ROI to be precise), but the integrations result in data moving on and off the platform – and ending up in places not realized.
Digital transformation meets data privacy with the European Union’s new regulation, the General Data Protection Regulation (GDPR). GDPR compliance is required by any organization that processes personal data of EU citizens, and helps businesses adopt more standardized data protection policies and processes. GDPR compliance takes full effect in May 2018, and those that fail to comply face administrative fines up to €20,000,000 or up to 4 percent of global turnover, whichever is higher. But, many organizations aren’t sure where all of their corporate data on the mainframe is located, whether it’s being managed to policy, and the steps needed to get started on their GDPR compliance journey.
Mainframe and GDPR – what’s the connection?
The implications for the mainframe and GDPR are vast. The increased use of mobile devices alone are driving exponential growth in transaction volumes, and that data contains massive amounts of PII. This personal data is spread across the organization, widely used, transformed and accessed in different ways by different people, meaning application-based controls are not enough for complying with the regulation.
The key first step toward achieving GDPR compliance for mainframe data is beginning with the identification and classification of the data, and determining which data contains PII information. Based on that classification, you will have a view of what personal data is being stored and where, and therefore a view at the levels of risk in your organization. If personal data is circulating outside the assigned channels and flows, it’s important to understand why and assess the associated risk to that data. And it’s crucial to ensure that as scanning and classification is performed, the data needs to stay on the mainframe, as off-boarding the data only increases its risk.
Once an understanding of the data landscape is achieved, protection mechanisms need to be deployed – one form being tagging. The tags will provide the necessary metadata that describes the data and its regulatory aspects, which include how long can it be stored, what it can be used for, and what happens at the end of its life. In addition to tagging, organizations can and should also leverage encryption, masking, tokenization, and tighter access controls.
Treat the mainframe like any other platform
The mainframe continues to transact over 80 percent of corporate enterprise data, so treating the mainframe as any other platform and including in detailed risk assessment is essential to simplifying GDPR compliance. And when you think about it, GDPR really is a business enabler for increasing enterprise data privacy. The more unclassified, unknown data we have in the business, the higher our risk posture is. GDPR forces organizations to “purge” the data that is no longer needed, which proactively enables organizations to stay in complete control over PII: a win for the business to avoid compliance fines, and a win for the customer through confidence that their information is secure.
So, the moral of the story is that staying in complete control of sensitive data is complex. But by leveraging GDPR as a business enabler and taking the proactive steps to increase data privacy across the business, risks can be mitigated and GDPR can be simplified. Are you ready for May 2018? View our on-demand webcast where we explore how to strategically and tactically comply with GDPR across all of the platforms that power your business, mobile to mainframe.