EU GDPR: a great marketing effort to inform everyone about GDPR; however, you have failed on enforcement. What citizens are demanding is to have their personal data protected, and for companies that fail at this task to pay a heavy price. Some U.S. partisan politicians are even co-sponsoring data privacy and protection bills that suggest significant jail time for executives who have not accepted their responsibility to honestly report their company's level of compliance: not IT executives, but C-level executives. There are many reasons for companies and executives to understand what must be done for compliance and what processes can be followed to reach a successful conclusion.
There are a few technologies that can discover where personal data resides within a company's data assets and determine whether that data is properly encrypted, sequestered or otherwise secured. The process has been termed a Data Protection Impact Assessment, or DPIA. A comprehensive DPIA is the first step a company should complete in order to analyze and understand its current readiness for compliance. It is only the first step in the complete process of reaching compliance, but it gives a company an understanding of where unprotected personal data resides. The EU has said that a complete DPIA, by itself, will qualify a company for leniency from the heaviest GDPR penalties and may keep the 'wolf from your door' for a while. It is an important first step that keeps regulators somewhat satisfied, but to actually become compliant a company will need to encrypt or otherwise 'tokenize' all personally identifiable information discovered in its data environment.
I believe companies are gambling that regulatory agencies do not have the ability, time or expertise to complete an audit of a company in a way that could not be challenged in a court of law. So far, these companies have been correct; but how long before agencies discover or acquire software technologies that produce results quickly and accurately enough to support their allegations in a courtroom? The balance of 'power' would then be strongly skewed in favor of the regulatory agencies.
The problem has become so great that I feel the U.S. government will need to re-issue or replace our national personal identifier, as most everyone has already had their SSN hacked. Pressure is building within governments to put a stop to data theft, and governments are informed enough to know that hackers will always find a way into your environment, and that techniques like encryption are the only reliable mechanism to defeat hackers once they breach the firewalls and the latest cyber security technologies.
If random audits by compliance agencies become possible through the use of technology, then how many years will it take your company to become compliant: one year, two years? If you have complex applications and have not completed a DPIA or POSIA (Point of Sale Impact Assessment), it may take even longer.
In reality, it is the POSIA, the Point of Sale Impact Assessment, that will provide the insight and direction to encrypt your data while keeping the integrity of your revenue-generating applications intact.
Digital footprints like pictures and images are quite a challenge for the "Right of Erasure" without the sophisticated technologies (biometrics, facial recognition) that can match input images to stored images. The same goes for OCR-stored documents. These are areas I happen to have expertise in.
I have expertise in conducting DPIAs and POSIAs, and in the architectures and methodologies that let you actually reach, or be well on your way to, data compliance within a reasonable time frame. I can suggest architectures, technologies and methodologies that will greatly assist you and your company in the process. Contact me to determine how.