Information governance across borders is an increasingly complex issue—one that's getting more attention thanks to the strict new regulations recently approved in the European Union.
The simplest way to decode Europe's complex new data privacy law is to realize it's designed to protect people, not data. Data is easy to isolate, but people cross borders (both in person and online), leaving trails of digital data everywhere they go. This data can put companies with European customers at risk of massive penalties, even if they have no facilities and few business interests within the EU.
And while the EU's General Data Protection Regulation (GDPR) is the most compelling and urgent set of privacy rules for global businesses right now, there will be more to come.
GDPR is only "the thin edge of the wedge," says David Kemp, a Hewlett Packard Enterprise business development specialist for EMEA. Non-EU countries, including Norway, Switzerland, and South Africa, are already building GDPR-like elements into their own laws to avoid problems with the EU—a major trading partner of each.
Some expect the United Kingdom to follow suit after Brexit. That expands the number of potential trading partners with which privacy issues could arise, even for companies with no current ties to the EU. And other nations worldwide may well follow suit, with rules that match or exceed the EU requirements.
One major goal of the GDPR, which was adopted by the EU in April 2016 and applies in full from May 2018, is to protect the personally identifiable information (PII) of European citizens (the regulation's own term is "personal data")—even PII held in countries outside the EU, says Kemp, a British lawyer with expertise in EU privacy and information governance, banking industry regulation and compliance, and insurance industry risk analysis and management.
Any PII about EU citizens collected by any company, anywhere, in any medium, falls under the rules of GDPR (full-text PDF), Kemp says. For example, data on EU citizens who buy goods online for shipment to the EU—regardless of whether the vendor has European facilities—would have to be handled in compliance with GDPR requirements. Companies that fail to comply can be fined up to €20 million or 4 percent of worldwide annual turnover, whichever is higher, and in extreme cases may face criminal charges and prison terms under the national laws that member states adopt alongside the regulation.
To enforce the rules, Kemp says, EU authorities can impede contracts, trading, or travel to the EU; suspend the banking or trading licenses of noncompliant companies; or lodge criminal charges to achieve compliance under European law. And the regulations apply to more than typical structured data. Security camera video showing an EU citizen using a passport as identification would qualify as PII that has to be tracked, audited, and forgotten, along with every other bit of PII, if the customer issued a request to be forgotten. That's far beyond the ability of most companies, which would probably struggle just to separate EU from non-EU data in their structured databases.
The records management challenge of privacy regulations can be broken down into smaller components in the same way as any other IT project can be, Kemp says. The first step is to make a complete risk assessment that identifies the types of data collected and held by a company, and the potential for compliance problems with GDPR. Questions to ask include:
The second step, he says, is to assess existing systems and decide how to update them to versions able to manage compliance with GDPR. The EU requires that privacy protection capabilities be built into one's products "by design," but effective privacy protection must also align with business goals and adapt to changes in privacy requirements or business processes, according to the International Association of Privacy Professionals.
Fortunately, Kemp says, the business case is there. Beyond avoiding the considerable costs of failing to comply, the records management exercise driven by privacy regulations has other benefits. "You have to dedupe or get rid of data that isn't kept in compliance with the regulation," he notes, "but what you get is defensibility, compliance—which helps avoid penalties—and efficiency that saves operational costs and gives you more ability to start mining the anonymized data that you otherwise might feel you can't deal with."
To avoid making the records management system overhaul a daunting prospect, Kemp says, it's important to break down the records being managed into smaller segments that let the company address each need separately, at a manageable pace.
"Any sensible, prudent organization will already have policies, procedures, and technology in place to provide some level of consistent governance in accordance with the 1995 EU General Data Protection Directive," he says. "You might begin by determining that all data going forward will be handled according to more complete guidelines, or begin by searching for all structured data sources and then move on to unstructured data later."
The key is to not ignore a potential threat just because it's unusual, but to follow a specific set of steps to deal with it:
As thinking—and regulation—around privacy matures globally, organizations will continually be challenged to keep up with new requirements. A smart, comprehensive approach to information governance will make the challenge easier to meet.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.