Thales Blog

GDPR: It’s All About Location, Location, Location

June 14, 2017

Thales Thales | Cloud Protection & Licensing Solutions More About This Author >

In my previous blog, I gave you a very brief overview of the GDPR to help put your organisation in a position to take appropriate action. But now it’s time to get more specific.

For most businesses, locating where all the personal data resides in their organisation will be the most challenging aspect of GDPR compliance. In fact, 75 percent of companies have said it would take more than a day to identify all the data sources across their enterprise. Even more worryingly, nearly one in four (23%) said it would take them more than a week.

This will present a significant problem come 25th May 2018, when the GDPR ruling comes into effect.

From this date, any organisation holding EU citizens’ personal data will be obligated to respond to a range of requests from individuals, among them (but not limited to):

  • To disclose what personal data the organisation holds about that individual
  • To erase all information that the organisation holds about that individual
  • To restrict the use of that individual’s data

Complying with these data subject requests will be near impossible if an organisation cannot locate where its customers’ personal data is stored. As such, that company will not be able to comply with the GDPR requirement, and potentially face eye-watering penalties as a result.

But what even is ‘personal data’?

The regulation’s definition is certainly extensive – including an individual’s name, visual image, identification number, online identifier (such as an individual’s computer’s IP address or a website cookie), their employer’s name, date of birth, and/or factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

This very broad definition presents a significant challenge for organisations when it comes to identifying and classifying this vast amount of information – especially when you consider how many different systems and platforms on which the information is stored.

A thorough approach to data classification is, therefore, required – both on-premises and in the cloud. Identifying personal data for an individual across multiple systems, whether that be a marketing database or a customer service system, must be a priority.

What’s more, this process needs to be applied to partner organisations and other third parties with whom you share personal data. These days, 62 percent of companies store sensitive customer data in the public cloud, and if your organisation uses a third party provider to store or handle that data – such as a cloud provider – you are still responsible for its correct handling and protection. As per the regulation, organisations must be able to demonstrate how the data is protected at all times.

It’s never been more important for a company to take stock of the personal data it collects, stores and processes. Failure to do so could mean they are unable to comply with the GDPR. The risk is too large; it’s time to take responsibility now.

In my next blog, I address how, once you have identified all the systems where personal data is housed or processed, you can assess your readiness for the GDPR. But in the meantime, you can find out more information by checking out our helpful website: Is your business fit for GDPR?