
EU GDPR: Why are firms lagging on preparation?

The following is a contributed article by Ragini Bhalla, Senior Director, Global Communications, Blancco Technology Group.

How many data breaches do we hear about on a daily basis? Too many to count on both hands, that's for sure. And how often do we hear about the EU's proposed General Data Protection Regulation (GDPR)? Again, a lot. GDPR was the subject at the heart of a panel event in London last month, where data security and IT experts from ADISA, Symantec Corporation, WRAP, Blancco Technology Group and ViaSat delved into the nitty-gritty: where the regulation stands today, why it matters, the still-grey areas that need clarification (such as the definitions of profiling and of a breach), the still-undecided fine amounts, the stumbling blocks standing in the way of companies, and actionable steps to prepare.

Here's the thing: we know GDPR is coming and could be finalized as soon as December 2015. It has been in the works for over four years, and the latest proposals put the maximum fine at two to five percent of an organization's annual turnover, or €100 million. Despite the severity of those penalties, there are still a lot, and I do mean a lot, of businesses that don't even know what GDPR stands for, let alone have the right tools or IT processes in place, according to a study from Ipswitch. That is frightening on so many levels.

During the panel event, three corporate hurdles came into focus that could explain why companies might be lagging on preparing for GDPR.

Dwindling IT budgets contradict urgency for data protection compliance

It's easy to tell someone they need to do X, Y and Z to comply with the law and then impose heavy fines if and when they fail. But if you expect companies to do more to comply with data protection rules, IT budgets need to reflect that demand. For companies operating in the European Union, the odds of compliance might look bleak when worldwide IT budgets are expected to decline 5.5% in 2015, according to Gartner.

Rather than saying, "hey, we're trapped and we just won't be able to comply," I would argue that IT execs and CIOs need to get creative: team up with other departments in the organization to make the business case to the C-level executive team for increasing the IT budget, or at least the portion allocated specifically to data removal and destruction.

Legal and IT teams are operating too far from each other

One issue that kept coming up from both panelists and attendees was that companies were likely already splitting their internal GDPR preparation into two buckets: legal compliance and information management. The more I heard this, the clearer it became that the split itself was a big part of the problem.

Rather than operating in silos that never talk to each other, I'd argue that a company's legal and IT teams need to establish regular in-person meetings to discuss the specific challenges standing in their way, and then draw up a combined priority list of actions: either correcting IT security flaws and gaps, or creating net-new systems and protocols that bring them closer to compliance with GDPR.

Companies are stuck between a rock and a hard place: balancing personalization with privacy

Personalization. It's all anyone cares about these days. When I open the Nordstrom mobile app on my iPhone 6, I want the experience to feel customized to my personal needs, wants and preferences. But personalization has come to mean much more than that. Even the 'things' we'd consider the most basic of items, like refrigerators, thermostats and even doorbells, aren't basic anymore. We sync them with our smartphones, tablets and laptops, and in turn these 'things' collect and analyze data about our behavioral patterns and usage habits, using it to make the experience feel as personalized and relevant as possible. We expect it so much that when a company or product doesn't deliver on that promise of personalization, we walk away (literally) and give our business and our money to a competitor.

Ask anyone, me included, and they'll say personalization is a good thing. It's the nature of the beast. But it also comes with real downsides that we can't shove under a blanket and pretend don't exist. We have to ask ourselves, and the manufacturers of these products, how that data is destroyed once the product is no longer usable or is being resold, or, in the case of rental cars, when the car is handed to the next driver. Otherwise we're just airing our private data in public for others to see. No one, and no business, wants that, and they surely can't afford to let it happen.

Rather than dwelling on the conflict between personalization and privacy, we need to change the way products are conceived, designed and built. Instead of engineers, designers and developers holed up in a room drawing concepts on a whiteboard, the IT and data/asset management teams need to be in that room too, involved in product development from the very start. Only then will we see products that deliver on both promises, personalization and privacy, instead of the either/or scenario we tend to see today.

IDG Connect