One and a half years ago, the General Data Protection Regulation (GDPR) went into full effect. While this regulation originated in Europe, the vast international reach of it has transformed the way companies look at issues related to data privacy. But what has changed, and what can organizations do to ensure data is protected properly?

Despite the regulation, there is still a lack of data privacy protections in many organizations. This is likely because the GDPR guidelines required a significant amount of work to put in place. Organizations had to:

1. Identify the information that needed to be protected
2. Determine where that information resided across the company (in paper documents, emails, and online systems)
3. Take action to protect that data

Due to the short timeline and complexity of GDPR, many companies did not fully comply with the regulation on the date it took effect.

At the same time, the introduction of GDPR dramatically increased the general public’s awareness of data privacy issues. The most obvious change is that since the introduction of GDPR, users must give consent to the collection of their data when visiting websites.

Uncertainty Prevents Meaningful Action

While there is a noticeable increase in news and activities related to data privacy, companies are still unsure exactly how they can ensure they comply with the GDPR. Johannes Glasl, Managing Director of EURO Real Estate Solutions, Germany, lists reasons for this uncertainty. Certainly, three of the biggest issues for many companies are:

1. Information—There is too little binding information about many processes related to the GDPR, either from the data protection authorities or from post-GDPR court decisions, that would clarify open questions.
2. Clarity—There is a lack of clarity around data that is processed by third-party service providers. For example, what happens when a data-capture service processes data on behalf of another company? In some cases, these service providers are regulated by a contract that dictates how the data may be used. However, in many cases these third parties simply transfer the data between two parties. Currently, companies can only refer to old data protection laws as guidance.
3. Timeframe—It is unclear how long you have to store personal data. GDPR allows you to keep personal data only until the objective for which the data was required is achieved. This guideline could be interpreted very differently by different companies.

Surely, many companies are waiting to see what happens with the GDPR before they take further action. Given the lack of certainty on the part of corporations on how to correctly implement the GDPR and the increased public awareness of data privacy issues, it’s very likely that a data privacy tsunami will hit soon.

That is why now is a perfect time for companies to revisit their GDPR policies, procedures, and practices. Companies must ensure they are prepared for the wave of GDPR data privacy problems when they happen. The consequences will be huge. Not only do companies risk losing the faith of their customers if they are found to have failed in protecting data privacy; they can also be fined up to 4% of their annual revenue.

Put a Data Management Strategy in Place Now

To avoid damage to their reputation and avoid hefty fines, companies should have a strong data retention plan to protect the data that is under their care. This plan should include the following components:

• Retention policy—A corporate data retention policy that addresses how the various business requirements and data security and privacy regulations apply to the business. This plan must be reviewed and approved by the legal, risk management, IT, and business teams.
• Security—A secure IT infrastructure that ensures the information is safe from both external threats (e.g., by installing firewalls) and internal threats (e.g., by implementing access controls)
• Process—A method or process for securing the data and documents under the company’s control according to the policies no matter where it resides: production systems, archive repositories, or content management systems

Many companies assume that putting policies in place and setting up a secure IT infrastructure and access controls (components 1 and 2 above) are sufficient to ensure the security of the data it holds. However, as proven by the countless news stories of cybercrimes and data breaches, these measures are often not enough.

Don’t Overlook Threat Posed by Legacy Systems

Companies should consider the fact that GDPR-relevant information can reside in many different systems, which may not have the same level of security measures as primary production systems. This includes legacy systems. Properly securing data according to regulations can be very difficult if you have a diverse mix of newer and older systems used by many business units across various locations. This is because disparate systems frequently have different security features and protections.

Therefore, when putting a data retention plan in place, companies should double check that all secondary and related systems (i.e., archive repositories, content management systems, and more) meet the same data privacy and retention standards as their primary enterprise systems (i.e., enterprise resource planning (ERP), customer relationship management (CRM), and more).

They should also check whether there are any legacy systems still operational that may have been excluded from the original GDPR assessment. These dormant systems also pose a significant risk to GDPR compliance. Companies frequently keep older systems running so that they can extract information for occasional reports or audit requests. However, if companies do not actively use these systems, the IT team may not know to keep up with the latest security patches. The result: They begin to lose the knowledge of how to find and extract data from those systems. Consequently, companies with legacy systems should consider decommissioning older systems.

Recommended Approach

The following approach is the most effective way to ensure data privacy is protected:

1. Archive the data in legacy systems, so that it is frozen and cannot be altered.
   
   
2. Move archived data out of legacy systems into a modern content repository. The data should be transferred to a centralized and standardized archive. This is preferably one that is part of the company’s data management infrastructure so it can be actively managed by the IT team or a service provider. This makes it easier to secure the data properly because the IT team can apply the same rules and security measures to all information at the same time. It will also make it easier to retrieve the data using a standard procedure if the company needs to respond to audit requests or if they are asked to provide data to an individual, if requested, who exercises the “right to be forgotten” under the GDPR.
   
   
3. Once the data is archived, fully decommission legacy systems. Beyond the efficiencies created by eliminating the time and effort required to operate and maintain the legacy systems, decommissioning legacy systems also reduces the time and cost associated with complying with the GDPR and other data privacy regulations.

Preparing for Data Protection Impacts

Perhaps the data privacy tsunami hasn’t hit yet, but companies will start to feel a ripple effect when it hits other organizations. By being prepared and putting the correct data protections in place, companies can be compliant with the GDPR, avoid fines, and prevent potential damage to their reputations—in short, they ensure they will be able to weather the coming data privacy storm.

Do you like our content? Join the GPMI community to get free education and articles straight to your inbox! 

Dr. Werner Hopf is responsible for the Serrala Corestone solution suite for Data and Document Management. He specializes in SAP Information Lifecycle Management initiatives including archiving and retention, compliance, and data privacy solutions. Werner has more than 20 years of experience in the information technology industry. Prior to joining Serrala, he worked for big and mid-sized companies across all major SAP modules. Having worked on SAP projects across North America and Europe, he has extensive expertise in global markets and is a well-known expert in the industry. Werner holds a degree in Computer Science and a Ph.D. in Business Administration from Regensburg University in Germany.