Companies everywhere are racing to comply with the European Union’s General Data Protection Regulation when it goes into full effect on May 25.
GDPR is a legal framework for data processing, movement and use of personal data in the EU, with allowances for data transfers outside the union. The EU designed the regulation to protect the privacy of European citizens, recognizing that the personal data that companies hold on behalf of their customers belongs to the individuals themselves and that those individuals have the right to control how their personal data is processed.
GDPR will have a major impact on how global enterprises store, share and use customer data. That’s because the mandate applies to any business headquartered in any country that interacts with European citizens. It will impose significant financial penalties — including up to 4 percent of company revenues — for failure to protect the right to privacy contained in the EU’s charter.
GDPR readiness is a multipronged initiative for enterprises. Much of the run-up to GDPR has been in professional services, as enterprises with European presences or operations restructure to comply on day one and thereby avoid sanctions. First and foremost, many have been instilling GDPR training and awareness at every level in their organizations, especially among data managers and information technology personnel who serve as the primary stewards of customers’ personal data.
Just as important, data professionals have been updating their inventories of all the personal data their organizations must safeguard under GDPR strictures, assessing the current extent of noncompliance with the coming regulations and implementing sustainable procedures for bringing their companies into full ongoing compliance. One thorny issue is the extent to which Kafka, blockchain and other platforms that manage immutable data stores can be brought into compliance with GDPR’s “right to erasure” of privacy-sensitive personal data.
With barely six weeks left till GDPR comes into full force, data management providers are pushing hard to deliver solutions that address customers’ urgent needs. No company is offering a single “magic bullet” solution to all GDPR compliance needs; vendors are instead offering tactical solutions for implementing specific requirements.
Here’s a representative sample of some recent GDPR-related vendor announcements:
- Personal data recordkeeping: GDPR requires that companies keep detailed inventories of all personal data that they hold and process, as well as records on all processing of that data, so that they may assess the extent of their obligations under the regulation and implement appropriate safeguards and controls. That can prove tricky, especially considering how widespread this data is, how many forms it can take, and how its scope may grow inadvertently as it’s correlated and processed in new contexts. The big-data catalog vendors, such as Hortonworks Inc. and Informatica LLC, are putting a big emphasis on their platforms’ role in GDPR compliance. Another company addressing this is Dataguise Inc., which recently announced a software-as-a-service version of its existing DgSecure Detect solution that automatically scans and detects all enterprise-held personal data that must be protected, erased or disclosed to data subjects upon request under GDPR. The new version also supports detection of sensitive personal information managed in Amazon Web Services Inc. public cloud data services. It also provides authorized enterprise personnel with single-click access to view a list of databases available to them, then allows them to select those they want to scan for sensitive and personal data. It provides built-in configurable policies to help enterprise compliance personnel determine what types of data to look for and when.
- Personal-data subjects’ informed consent: GDPR requires informed, specific and unambiguous consent from data subjects on use of their personal data, along with the ability to withdraw that consent. One vendor addressing this is Pegasystems Inc., which recently announced a solution that provides customizable templates for processing customer requests for access, rectification, erasure and other rights recognized under GDPR. The templates, which integrate with the vendor’s customer engagement and application-development products, accelerate creation of automated GDPR request portals that securely retrieve customer data and orchestrate the requests across distributed enterprise systems.
- Strong authentication on personal data processing: GDPR requires strong authentication to verify identity before legitimate processing of personal data can take place. One company addressing this is Artificial Solutions, which recently announced a solution that supports strong authentication in applications with AI-driven conversational user interfaces running in multiple devices, operating systems and geographies. Specifically, the company is emphasizing that its solution can be configured to comply with GDPR’s stringent security requirements, such as streamlining the query and analysis of personal data gathered through conversational user interfaces and the ability to create pseudonyms of this data that can be used for statistical analysis even when the information has been deleted in compliance with a company’s GDPR policy.
- Fine-grained controls on personal-data transfers: GDPR requires assurance that cross-border and other transfers of personal data take place only if all parties to the transfer comply with its obligations. One vendor addressing this is Cockroach Labs Inc., which recently released version 2.0 of its open-source distributed database, which has tools for building global data structures, partitioning data by subjects’ geography and enforcing granular controls on data replication by region at the database, table, row and column levels. This enables data originating from a specific country to be accessible only within that country.
Manmeet Singh, chief executive of Dataguise, discussed GDPR with Wikibon’s Peter Burris recently in the Palo Alto, California, studios of theCUBE, SiliconANGLE Media’s video studio.