What an exciting opening keynote here at VMworld® in Barcelona! You’ve just heard Pat Gelsinger talk about the EU General Data Protection Regulation (GDPR). The GDPR legally mandates that organizations protect personal data, and it extends its reach beyond organizations established in the EU to those outside its borders that process the personal data of people in the EU. The regulation also requires that companies respect an individual’s legal right to privacy and that organizations be accountable for the personal data they process. It sounds simple, but in getting “GDPR ready,” businesses are currently reviewing the way they handle and treat personal data, and instituting and enforcing adequate business governance, policies and processes to protect that data. The fines for non-compliance could be substantial. More important, this activity makes great business sense.
As Pat said, no technology company can ensure you are fully “GDPR compliant.” That’s like saying you’re “traffic compliant” when you follow traffic laws – or “out of traffic compliance” when you run a stoplight. Buying a Mercedes and pointing out that the car itself is safe will do you no good if you are stopped by the police for running that stoplight. Aligning with the regulation requires an intimate and ongoing understanding of privacy law, business policy, and how to act correctly when a problem arises with someone’s data. Technology alone cannot make up for the lack of a privacy and data protection governance program.
That’s not to say that information technology has no part in GDPR preparation and management. Technology can be used as a tool to aid certain compliance functions and data protection tasks. As your organization evaluates how personal data flows through its different functional groups and systems – such as email marketing, human resources or customer data – IT can determine how that data is secured. To begin, IT can align with how the organization is mapping its data. Privacy consultants often advise clients to create a current data map of the personal data the business controls, or processes on behalf of others, by answering questions like:
- What data do you have?
- Where does it go?
- Where is it stored?
- Who has access to it?
- Who is responsible for it?
- How do you keep it safe?
IT can support the activities that prepare the organization for ongoing GDPR compliance, and help establish the coming process and policy updates, by assessing the security of personal data throughout its life, from creation to expiration. During this effort, IT can use the awareness gained from GDPR readiness assessments to identify how it secures all sensitive and confidential data, such as intellectual property, financial data or contractual data, refining and modernizing its approach to data security along the way. The model illustrates a possible approach to understanding data and its inherent security requirements – what we in IT call data protection.
The intrinsic security capabilities of the VMware portfolio can provide a solid foundation for securing personal data and other sensitive information, and may help support the business policies that enforce elements of the GDPR, such as security and accountability.
Preparation for the GDPR is a complex, cross-company effort that will likely require outside guidance and will definitely require enlisting your internal subject matter experts. But while at times daunting, GDPR readiness projects force us all to take a critical look at what data we hold and how we manage that data and information holistically. By improving our business processes to protect personal data, we protect both our customers’ information and our own.