
Implementing GDPR: Lessons Learned


Next month, GDPR will turn two years old. Many executives around the globe were concerned about the impact it would have on their organizations, and that concern wasn’t misplaced: in the first year, there were 446 cases of GDPR violations enforced outside of the EU. And a few high-profile cases have proven that being GDPR-savvy is a requirement of doing business in any sector, and in any part of the world. 

The last two years have been a learning curve for us as well. While there’s still no such thing as “compliance-in-a-box,” we were hard at work even before GDPR was rolled out. The results of that work are solutions, including Cloud Compliance, ONTAP Data Security and Cloud Secure, that help clients track and secure all their data, making compliance simpler. 

Looking back on our own and our clients’ experience, it’s clear that GDPR is mostly good news when it comes to data security and consumer confidence. But it will require a couple of key paradigm shifts when it comes to thinking about how we collect and use consumers’ data. 

GDPR Requirements 

The basic requirement of GDPR is that any organization processing personally identifiable information (PII) of EU residents must follow certain provisions and standards. Under GDPR, organizations must: 

  • Request informed consent for use of personal data in clear, plain language 
  • Give users the “right to be forgotten”, letting them view, opt out of the use of, and delete their PII 
  • Guard sensitive information like sexual orientation, race, health, political, and religious beliefs 
  • Let users know of any data breach 

Although NetApp—among other companies—began warning clients early on about the implications of GDPR, and offered tools to simplify the transition when GDPR finally rolled out, many companies were stymied by the regulation’s lack of clarity. They weren’t sure how the restrictions applied outside the EU or how compliance would be tracked and enforced. 

On the big day—for which 56% of organizations had taken steps to prepare—only 45% actually had a structured process in place, according to a survey of 340 executives worldwide. More alarmingly, on a Ponemon Institute survey of 1,000 companies, 60% of tech companies said they weren’t ready. 

The main reason GDPR raised so much alarm when it first rolled out was its steep penalties for non-compliance: up to 4% of a company’s annual revenues or €20 million, whichever is greater. 

While some companies doubted the EU’s ability to prosecute GDPR violations beyond EU borders, test cases to date have proven that the regulations indeed have very sharp teeth. High-profile stings so far include a €50m fine for Google, a £183.39 million ($230 million) fine for British Airways, and a $123 million ticket for the Marriott hotel chain. 

If nothing else, it’s clear that the EU is serious about enforcement. So, for both organizations that are already compliant and those still working to get up to speed, it can help to look back and see what we can learn from the challenges and mistakes of the first two years under GDPR. 

Stumbling Blocks 

From looking over some of the high-profile penalty cases, and from building tools like ONTAP Data Security to aid clients in compliance, two big mistakes stand out. Both are “mindset” problems rather than specific IT problems. 

Firstly, and believe it or not, some executives are still in denial. This is the mindset that “We’re not in Europe, so GDPR doesn’t apply.” Today, we’ve seen from the headlines that that’s simply not true. Any organization handling data from EU users must take notice. 

Second, however, is a more deeply planted mindset. Since the dawn of the internet, the corporate approach to user data has been “grab as much data as possible—we’ll figure out how to use it later.” GDPR demands a paradigm shift, toward a mindset of respect for individual control over one’s own data. 

This includes learning from best practices when it comes to collecting, storing, and protecting user data. A few quick points can serve as a launching pad for a comprehensive compliance strategy: 

  • When collecting data, minimize identifying data wherever possible. 
  • Tag all PII data for provenance tracking, including how and where it was collected and where it is stored, which can aid in retrieval and/or deletion. 
  • Examine archiving practices: In the past, many organizations have automatically archived all production data, including user records. Today, this increases the surface of exposure. 
  • Outline deletion procedures that cover all copies of PII data in any records and archives locally, in the cloud, or on any backup medium. 
  • Build transparency with regular file and activity audits; there are many useful tools to aid with this, such as the security features of NetApp Cloud Insights. 
  • Establish a breach policy, including clear guidelines on how and when to report breaches. Work with a qualified legal team to fully protect your organization—winging it is not the correct approach! 
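As an added illustration of the tagging and deletion points above (example code, not from NetApp or the original post): a small Python provenance register that records how each PII field was collected and every store holding a copy, then carries out an erasure request across all copies, keeping any copy that could not be deleted (for instance an archive still inside its retention window) visible for audit. The names PiiRegister and PiiRecord, the store names, the sample subject and the deleter callback are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class PiiRecord:
    """One tagged PII field: whose it is, how it was collected, and where every copy lives."""
    subject_id: str
    field_name: str
    source: str              # provenance: how/where it was collected, e.g. "web-signup-form"
    copies: set = field(default_factory=set)   # every store holding a copy

class PiiRegister:
    """Provenance register: tag PII at collection, list its copies, erase them all."""
    def __init__(self):
        self._records = {}   # (subject_id, field_name) -> PiiRecord

    def tag(self, subject_id, field_name, source, location):
        rec = self._records.setdefault((subject_id, field_name),
                                       PiiRecord(subject_id, field_name, source))
        rec.copies.add(location)   # archives, cloud replicas and backups count as copies too
        return rec

    def copies_of(self, subject_id):
        """Every location that still holds any PII field of this subject."""
        return {r.field_name: set(r.copies) for r in self._records.values()
                if r.subject_id == subject_id}

    def erase(self, subject_id, delete):
        """Right-to-erasure: call delete(location, subject_id, field) -> bool for every copy.
        Copies whose deletion fails stay registered, so an audit shows them as outstanding."""
        report = {}
        for key, rec in list(self._records.items()):
            if rec.subject_id != subject_id:
                continue
            for loc in sorted(rec.copies):
                report[f"{rec.field_name}@{loc}"] = ok = delete(loc, subject_id, rec.field_name)
                if ok:
                    rec.copies.discard(loc)
            if not rec.copies:          # drop the tag only once no copy remains
                del self._records[key]
        return report

def demo():
    """Constructed sample: email copied to production DB, nightly backup and cloud archive."""
    reg = PiiRegister()
    for loc in ("prod-db", "nightly-backup", "s3-archive"):
        reg.tag("user-42", "email", "web-signup-form", loc)
    reg.tag("user-42", "dob", "web-signup-form", "prod-db")
    # Simulated deleter: the archive is immutable until its retention window ends, so that copy fails.
    report = reg.erase("user-42", lambda loc, _subject, _field: loc != "s3-archive")
    return report, reg.copies_of("user-42")
```

The erasure report is what a deletion procedure should retain as evidence: it lists every copy attempted and leaves the undeleted archive copy registered for a later pass.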

When it comes to development and testing, there are specific challenges to ensure that apps are built from the ground up with GDPR in mind: 

  • Understand the legal roles of data controller (if you own an app and are collecting data, this is probably you), data processor (any third party accessing or hosting your data), and data subject (the user whose data you’re collecting). 
  • Whether designing a new app or redesigning an existing app, make privacy and limited data collection a key component. 
  • Consider adopting a DevOps approach if you haven’t already. DevOps emphasizes automation and transparency—which can help ensure GDPR best practices. 
  • Integrate security, including user data security, tightly into the ongoing loop of development and distribution. If you attended re:Invent last year, you’ll know how important the shift toward DevSecOps has become, and this is yet another argument for a DevOps approach, which can integrate security and data compliance right into the development cycle. 


Data compliance also comes up in other areas. Is real user data being used for testing? This could be a breach of GDPR, because the teams handling that data lack the authority under GDPR to process it. Understanding all the ways data is used during testing can help create fully compliant procedures. 

Back in 2018, many executives felt a lack of clarity about what GDPR actually meant. For better or worse, many of our most important lessons have been learned by observing as legal definitions were clarified within the courts. Today, we have much more clarity—and more reason than ever to comply. 

Rising to the Challenge 

We’re all aware that GDPR compliance comes with a price tag. According to Symantec, the GDPR budget for the average Fortune 500 company is $16 million, which adds up to an estimated $7.8 billion for those 500 companies alone. 

But the good news is that most companies won’t be paying nearly so much, especially if they’ve already done some planning. The company profiled in the case study above had already started keeping transparent records of data sources, which helped ease the transition. There are also off-the-shelf products that can help spot vulnerabilities and patch security holes. 

But as mentioned up front, what is likely a greater challenge than cost is overcoming those outdated mindsets. In particular, considering how valuable user data can be, giving up this resource can seem like a step backwards. As The Verge commented back in May 2018, “reorganizing under GDPR is a lot like an episode of Hoarders.” 

The age of data hoarding may be over. But GDPR compliance also offers significant benefits—beyond just avoiding fines. Foremost among these is building trust and transparency—something today’s consumers are increasingly demanding anyway. 

  • One study put consumers’ “trust in business” down around 43%, with social media being particularly low, an effect which may rub off on other companies. 
  • According to an Ovum survey, the United States is the least trusted country when it comes to privacy rights, behind China and Russia. 
  • Showing respect for users by explaining how their data is used can start rebuilding trust. 

Finally, data security isn’t going to end with GDPR. Other jurisdictions are already considering their own standards, like the California Consumer Privacy Act (CCPA). We’ve laid out the key differences between GDPR and CCPA in this new infographic. And with companies like Microsoft demanding that the U.S. move in that direction, the shift seems inevitable. Organizations that are GDPR compliant will find those next transitions far simpler to navigate. 

Bringing the Team on Board 

Data breaches often result from sloppiness, so the entire organization must work together to ensure rigorous data handling. Think of GDPR compliance as just part of a quality user experience. 

How can we bring everyone in our organization together in the fight for data privacy? It starts by communicating—from the top down—the importance of compliance, so that all team members understand. That includes getting real about the steep penalties for non-compliance, as well as focusing on the benefits. 

Take advantage of tools to help in the fight. True, compliance may still seem to come with a prohibitive price tag. But since it’s front-of-mind for every single organization, over the last two years, tool vendors have brought features on line to appeal to this need, often at no extra charge. They’ve integrated many features into existing products that can help bring the overall price point down significantly. 

For example, NetApp Cloud Insights was originally created to make it easier and more intuitive to monitor complex hybrid environments through a single consolidated view—a function our users overwhelmingly love. But watching our clients struggle to monitor users’ access to data, we realized how we could make the service even better. 

Knowing that one of the leading data threats is insider breaches, whether intentional or unintentional, we added the Cloud Secure feature to watch for and analyze unusual access patterns. Cloud Secure acts as an information security watchdog in the fight against misuse of cloud-based data by malicious or compromised users, adding on value for existing customers. 

GDPR compliance can’t be only about clearing regulatory hurdles—it’s about creating a mindset where data protection comes first and foremost, and where vendors work hand in hand with clients to make compliance as hassle-free as possible. 

Embracing GDPR 

Restrictions on user data are only going to get tougher and apply in more places. So it’s time to embrace GDPR rather than fear it, because it’s not going away. 

Looking back on lessons learned will help every organization move towards a more compliant future and avoid the costly mistakes of others. With the right approach, compliance can be an important tool in relationship-building. When we show respect for user data, when we communicate clearly, and when our processes are transparent, users trust us more. 

One of the most important lessons learned is choosing wisely from among the tools which are already out there to make compliance simpler and headache-free. For more information on how NetApp can help you meet GDPR and other regulatory data requirements, see our white paper or get in touch.
