GDPR seems to be on everyone’s lips at the moment. While the regulation doesn’t come into force until 2018, preparation has already begun for many organisations. For some, however, GDPR still raises a number of questions and queries.
We asked the former Head of Fraud, Risk and Security for Vodafone UK and now Exonar’s Chief Operating Officer, Julie Evans, what GDPR means for Exonar, what we will be doing about it and what the potential implications for other UK businesses are.
What does GDPR Mean to Us and Our Clients?
GDPR significantly increases the level of proactive management of Personally Identifiable Information (PII). It increases the requirements on any organisation that deals with the personal information of EU citizen customers or employees. The fact is that no-one is clear on what the post-Brexit world of GDPR will look like in the UK but it will still impact most UK organisations.
The UK exit from the EU will not be complete before GDPR is implemented. There will be a significant period of overlap following the triggering of article 50 and, even after Brexit, there is a strong possibility that similar regulations will be sought by the ICO and demanded by international companies who will look for ‘adequacy’ in UK law to ensure that the UK can compete and operate seamlessly across Europe and the world. Further, GDPR requires adequate privacy protection in states outside the EU, if EU companies are to store their data there. In all, it seems nearly inconceivable that privacy of personal information will not be a significant factor in the coming years.
As well as increasing privacy requirements, GDPR introduces significant penalties for non-compliance and also broadens the scope of what is considered PII. Although somewhat lacking in absolute clarity, the Regulations define PII as being information that enables the identification of a person.
What does GDPR mean for Exonar?
As a relatively new company, Exonar is not burdened by the legacy of old IT infrastructure, although we must ensure the way we hold data is compliant with GDPR. For us, this is primarily employee and shareholder data. In common with most organisations, the first task is to find and create a register of the data. Even a relatively small organisation like Exonar uses multiple different platforms to store information: documents, spreadsheets, PDFs and presentations, located across file shares, email and in cloud drives. It’s not an insignificant issue; however, we do at least have our own Exonar software at our fingertips to enable us to map where this information is being stored.
As well as identifying where all of our PII is, we’ll also need to designate the role of Data Protection Officer (DPO), an individual within our organisation directly tasked with identifying and protecting individuals’ information within our organisation. It does not need to be a full-time role, but there must be clarity of accountability, and we are re-apportioning our job roles to accommodate this requirement.
How can We and Other Organisations get Ready for GDPR?
Understanding the key changes proposed by GDPR is the first step in understanding how to be compliant with the regulations. The table below (courtesy of consulting firm EY) highlights the key areas that need addressing:
Depending on the level of organisational maturity, the new regulations could therefore demand changes to resourcing, training, process definition, applications as well as how the data is handled. The requirements could be significant.
How Is Exonar Going About GDPR Compliance?
I am confident that the leadership team of any organisation would tell you that they would love to have insight into their customer journey from a customer perspective. GDPR for us is a fantastic opportunity to use our own product and to experience the output. We have set up the ‘discover’ phase of the Exonar journey to crawl all of our data stores. Given that we only hold a couple of terabytes of data, we achieved this in our first afternoon.
Our next phase is to ‘understand’ what we ‘discovered’, determining what PII was where, who put it there and why. We’re able to do this through the use of our software’s querying function, its “Find More Like This” capability for identifying all data relevant to a topic, and the results graphs and charts that show me what information we have, what format it’s in and in which application or filestore it’s been put.
Now that I know what I’ve got, I can act upon it, so our next phase in GDPR readiness is to review our policy and process as well as our use of applications, and to communicate our recommendations clearly to the whole team. It does take time, so it’s perhaps a good thing that we are not leaving compliance with GDPR until the last minute…