On two rainy London November days, technology experts, consultants, Data Protection Officers (DPOs) and more came together for the inaugural Data Protection World Forum. The expo floor was split into six theaters focused on everything from the public sector to cyber security and artificial intelligence. The diverse set of attendees and theater topics was emblematic of the far reach of data protection concerns: no matter your area of expertise, the handling of sensitive information is an enterprise-wide issue with a range of stakeholders.
Though it's been six months since GDPR first came into effect, many organizations are still grappling with what it means for them to be GDPR compliant and what technologies exist to guide this process. Given the show's London location, a huge topic of conversation was the uncertain future of Brexit and what it means for UK-based companies looking to comply with GDPR. The resounding answer was “wait and see.” Beyond establishing GDPR compliance best practices now, organizations can only wait and hope that they are positioned effectively when Brexit occurs. This is definitely not the most confidence-inducing answer, but, at this point, it is the only real option as Brexit negotiations play out.
But this goes beyond GDPR, all the way across the pond. In fact, many attendees were curious about what's happening in California with the CCPA (California Consumer Privacy Act). As one of the few American organizations presenting, our booth became a hub for conversations about the CCPA, with many eager to hear our thoughts on what is to come with a federal data protection regulation in the US. The fact of the matter is that the proliferation of consumer data protection laws is just beginning. Global organizations need to stay ahead of what is to come.
Enough talk, here's how
As the graphics on our booth suggested, people are tired of the endless discourse and beating around the bush when it comes to GDPR compliance. Many organizations start out with data mapping, but that isn't enough when it comes to taking action on SARs (subject access requests), for instance.
Attendees were at various stages in their compliance initiatives, from dealing with the “low hanging fruit” of structured data to implementing enterprise-wide information governance on all content. But, to be truly compliant, one must be able to search, control, and actually take action upon ALL sensitive information one uses and processes, including in unstructured forms like files and emails.
ZL Tech’s CEO, Kon Leong, gave an education session about the need to manage sensitive information within file shares as mandated by GDPR, as well as a framework for assessing the different technologies out there based on your organization’s specific needs. From a practical compliance point of view, file servers must be scoured for personal data and managed appropriately through tagging, access privileges, use controls, and lifecycle management.
With this in mind, it is easy to become overwhelmed by the number of solutions out there and their different capabilities. Leong reviewed a framework based on determining the types of data you are looking to manage, the processing depth you need (whether just a metadata scan or full-text indexing and remediation), and the functional objectives you are looking to accomplish, from risk mitigation to enhanced efficiency.
Lastly, he noted the important distinction between cleaning up your file servers and applying long-term governance to them. File cleanups are only as helpful as the policies you have in place to manage your data continuously as it is created and used.
My final thoughts
My biggest takeaway from Data Protection World Forum was that GDPR compliance is all about “searchability”, and should be seen as an opportunity to improve operational efficiency rather than detract from it. Our CEO made a great point during his session: “GDPR compliance implemented well is the world’s best eDiscovery ECA (early case assessment).” I could not agree more. You cannot properly manage sensitive information if you are unable to perform enterprise-wide search.
Rather than just another regulation, GDPR is a chance for your organization to take control of its biggest resource, data, starting with enterprise-wide search. Records management, eDiscovery, risk mitigation, and more will follow. And they’re just the beginning of what you can improve when you see GDPR compliance as the opportunity it is.