The deadline for GDPR compliance is May 25, 2018. Many companies are feverishly working to get appropriate data protection policies and tools in place. The bigger issue is that maintaining compliance isn't just a matter of putting technology in place. In order to keep data protected, companies need to develop a culture of GDPR compliance. Employees need to understand that even seemingly innocuous, routine business procedures like creating a new spreadsheet containing a database extract can create the risk of a GDPR violation.
Implementing a GDPR Culture
In a survey conducted by Veritas, almost all companies (91 percent!) admitted their current cultures around data governance are poor. The potentially substantial penalty for failing to comply with GDPR rules has companies thinking of ways to change that. In the survey, 88 percent plan to emphasize the significance of GDPR with training, rewards, penalties, and contracts that make GDPR compliance part of the employment agreement. In as many as 25 percent of businesses, employees who don't live up to their commitments may even lose their bonuses.
Creating the GDPR-compliant culture begins by mandatory training that reaches all affected employees. The employees who need to be informed make up almost the entire organization: clearly the IT team needs awareness, but so does business management, sales and channel teams, the legal department, the finance team, and any departmental data user who has access to data tied to any individual from the European Union.
The goal of the training is mostly to increase employee awareness, so that they think about the potential consequences of actions that are as ordinary as creating and distributing a report. This is important for business users who make requests of IT, the IT developers who build reporting and other applications, and for business users who create reports using desktop software.
Your business culture needs to include a process for getting new data sources, like spreadsheets, under control, and employees need to understand this is their responsibility. Every employee is responsible for adhering to GDPR's key requirements:
- users' personal data is collected only with permission
- users' personal data is used only for purposes they agreed to
- users can request to review their data and have it corrected or deleted
- any data breaches must be reported within 72 hours
Once employees have an understanding of GDPR and the restrictions it imposes on how data is used, you can use tools to support them in adhering to the GDPR regulation. For example, the e-Discovery Platform from Veritas is now integrated with a Classification Engine to tag data and easily apply pre-defined policies to ensure it is managed appropriately.
No matter how advanced the technology you bring to your business, compliance with GDPR is ultimately in the hands of the employees and managers who work with the data. If you're unsure how to start building a compliance culture and what the best technology choices are for GDPR compliance, contact dcVAST. Our team is expert in using Veritas technology to solve many data management and compliance issues, including GDPR.