An onslaught of recent EU rulings and proceedings is posing challenges for US Internet-based companies. Recent changes include new tax rulings, content payment issues, impediments to the WhatsApp merger, and possible antitrust actions against Google.
The impact of one EU ruling, last spring’s enactment of the General Data Protection Regulation (GDPR), which contains the “right to be forgotten” mandate, explicit consent, and personally identifiable information protection, is now hitting home for many US companies. As CEO of Compuware, I recently commissioned a survey of CIOs to assess the issue. More than 60 percent of respondents said they don’t currently have systems in place to readily comply with the mandates, and 78 percent said it’s sometimes difficult to know exactly where all their customer data resides.
This isn’t just a big company problem, and it doesn’t apply only to search engines. If you have European consumers buying your products or services, you must comply or face big fines by the May 2018 deadline. To be in compliance, companies have to get explicit permission from each consumer to use personally identifiable information (PII), proof that their enterprise can track and control that information across all platforms, and of course, the ability to remove every instance of personal data upon request.
Where’s my data?
Let’s double-click on that 78 percent figure. At first glance, it seems simply finding a data record set shouldn’t be that challenging, but the increasingly digital nature of business — with its widely distributed systems, platforms and external cloud-based resources — makes it difficult to monitor every instance of a customer’s PII across the enterprise.
This comes at a time when almost all companies are striving to collect and analyze more personal data and most (89 percent) consider this critical to achieving their business goals. This is the essence of the big data megatrend. Particularly troublesome is the requirement to secure the explicit consent of customers to use personal data for application testing. 80 percent of survey respondents indicated they either don’t ask explicitly or aren’t sure if they ask customers for such consent. This alone makes them currently non-compliant.
Luckily there’s an alternative approach: to mask, or anonymize, personal data. But fewer than 40 percent of companies queried do this prior to using the data for application testing or analysis.
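One way to do that masking before a production copy reaches a test team, as an added illustration that is not from the survey or from Compuware: the Python script below (constructed records, a constructed key and a constructed `masked.example` domain) pseudonymizes the PII fields with a keyed hash so that records stay joinable in tests, and checks that no original value survives in the output.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample of customer records of the kind a test team might copy
# from production; every value is made up for this example.
SAMPLE_RECORDS = [
    {"customer_id": 1001, "name": "Anna Schmidt", "email": "anna.schmidt@example.de", "country": "DE"},
    {"customer_id": 1002, "name": "Liam Byrne", "email": "liam@example.ie", "country": "IE"},
    {"customer_id": 1001, "name": "Anna Schmidt", "email": "anna.schmidt@example.de", "country": "DE"},
]

PII_FIELDS = ("name", "email")  # fields that must never leave production unmasked


def pseudonym(value: str, key: bytes, length: int = 12) -> str:
    """Keyed, deterministic token for a PII value. The key stays in production, so
    the token cannot be reversed without it; the same input always yields the same
    token, which keeps joins between masked tables intact."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:length]


def mask_email(value: str, key: bytes) -> str:
    """Pseudonymize the local part and use a constructed domain, so the result
    still parses as an e-mail address in application tests."""
    local = value.partition("@")[0]
    return f"{pseudonym(local, key)}@masked.example"


def mask_record(record: Dict, key: bytes) -> Dict:
    masked = dict(record)  # non-PII columns (ids, country) are left as they are
    for field in PII_FIELDS:
        if masked.get(field) is None:
            continue
        masked[field] = mask_email(masked[field], key) if field == "email" else pseudonym(masked[field], key)
    return masked


def mask_records(records: List[Dict], key: bytes) -> List[Dict]:
    return [mask_record(r, key) for r in records]


def leaks_pii(masked: List[Dict], originals: List[Dict]) -> bool:
    """Gate before hand-off: True if any original PII value still appears anywhere."""
    original_values = {str(r[f]).lower() for r in originals for f in PII_FIELDS if r.get(f)}
    return any(o in str(v).lower() for r in masked for v in r.values() for o in original_values)


if __name__ == "__main__":
    out = mask_records(SAMPLE_RECORDS, b"constructed-test-key")  # real key: from a secrets store
    print(out, "leak:", leaks_pii(out, SAMPLE_RECORDS))
```

Under the GDPR, data pseudonymized with a key that still exists remains personal data, so the key needs the same controls as the source system; only irreversibly anonymized data falls outside the regulation.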
What additional hurdles will you face?
So, if you’re the CIO of a US business with EU customers, what other IT hurdles will you face? There are several aspects of the regulations hidden in the fine print:
- Personal data must be kept secure, but there are few details available yet on exactly what that means.
- Under the law you must not only comply but be able to demonstrate that you can comply. So you’ll need to start some new record-keeping.
- You may be forced to hire a data protection officer. It’s unclear whether this can be someone already on staff with other responsibilities.
- You must include new obligations in your contracts with outside data processors, since some mandates of the GDPR will pass through to those outsourcers. Make note if you’re one of those outsourced data providers!
Not quite Y2K, but a necessary bridge to the future
Like the Y2K deadline, the GDPR mandate is flagged well into the future and will require significant modifications to current enterprise practices. While this will create an added burden for many organizations, the handwriting is on the wall — the consumer privacy movement will almost certainly generate similar laws in the US and other nations.
If yours is a large company, you have a lot of work ahead of you. If you’re a new venture, it will be wise to adopt the necessary systems in your first build. Either way, the time to get started is now.
You can find a full copy of the survey here.
Chris O’Malley is the CEO of Compuware Corp.