Presented by Hitachi Data Systems
By now, most companies are familiar with the European Union’s General Data Protection Regulation (GDPR) that takes effect in less than a year. It seems not a day goes by without a troubling report being published about how underprepared most organizations are and how they fear GDPR will impact their bottom line.
The GDPR makes it easier for EU citizens to find out what data companies hold on them, and gives them more details about how their data is handled and what it is being used for. It targets organizations of all shapes and sizes that do business in the EU (or provide goods and services to EU citizens), regardless of their physical location. The consequences of not being compliant after the May 25, 2018 deadline could be severe — up to four percent of a company’s global revenues or €20 million (whichever is greater).
While the introduction of the GDPR brings certain responsibilities for how we protect the privacy of customers and employees residing in the EU, this work is nothing “new.” Many companies, especially those in highly regulated industries such as finance and healthcare, went through similar governance exercises years ago with Y2K and Sarbanes-Oxley.
Hitachi Data Systems is a large multinational company that sells to European businesses — many of which are in these most regulated industries — and has employees in the EU, which has implications for how we treat customers and how we manage our employees’ sensitive data. Hitachi offers solutions to help companies govern their data, from creation to archiving, and takes a Privacy by Design approach to supporting our customers and employees.
What we see is that most organizations already have the technology and policies they need to comply and demonstrate compliance; it’s just a matter of applying these tools to the exact context of GDPR’s added privacy around data. For example, reporting data breaches within 72 hours, appointing a data protection officer, giving individuals the right to transmit their data from one organization to another and obtaining users’ consent — all are requirements that have been previously solved. Others, in less regulated industries, might need to start with housekeeping to find out what data they have and where it’s housed before determining how it’s being used from the perspective of GDPR.
I’d like to cut through the hype around GDPR and help companies and IT leaders use the new regulation as an impetus to re-educate their employees on what the company is already doing and consider what more it should be doing. Start with these three steps.
1. Identify systems already in place
A good first step would be to do a complete audit to determine the processes and policies a company already has in place and how thoroughly they’re being followed. Start by following the data: How is data stored and processed for EU citizens? Who is responsible for the data? Where is it located, and what is its path from point A to point B? In GDPR terms, this is a “data protection audit” or data-mapping exercise, the pre-work for demonstrating that a company keeps a register.
By doing this, you’ll learn whether your organization has the proper technology and procedural controls in place to protect private data, or it will shed light on the tools you may need to demonstrate alignment with the articles set forth in the GDPR. Organizations should welcome GDPR and use it as a catalyst to modernize outdated business processes and support digital transformation initiatives.
2. Use ‘design thinking’
This phrase, as defined by IDEO, means “a human-centered approach to innovation that draws from the designer’s toolkit to integrate the needs of people, the possibilities of technology and the requirements for business success” — and it can help solve the problem and reframe business processes accordingly. In the past, CIOs focused on compliance in terms of policies and procedures but not on the bigger impact on users and the business’s bottom line.
CIOs today have an opportunity and obligation to help their organizations implement critical processes, policies and procedures that will yield long-term business success, and there are those who would argue that GDPR is good for business. Ultimately, it’s not going to decrease the volume of data being collected but will be an opportunity for companies to better categorize and understand their data.
At the root, it’s about accountability, and companies can apply the Accountability Principle. A lot of companies are probably out of compliance with existing regulations because those regulations were seen as unduly burdensome. Now companies must demonstrate actual proof of their compliance with GDPR to data protection authorities. This will require design thinking to use what we already have and provide artifacts of compliance.
3. Educate employees
Data privacy policies already exist in the enterprise, and although written down, they might not be meticulously followed within an organization. This is an opportunity for the company to educate employees on the policies and processes already established for collecting and handling data, and to create a culture of respecting privacy and security.
This exercise is not futile, since GDPR could one day become a global de facto privacy standard. The consumer privacy movement will almost certainly carry over to the U.S. and other countries as consumers demand greater control over their data and regulations that are more up to date.
In addition, companies may find business value in the work, in this age of Digital Everything. The increasing amount of data collected enables companies to better understand:
- the impact of medicines on patients;
- how their products and services are perceived and used;
- how to improve their products and services;
- customers’ needs and expectations;
- partnerships they should enter into.
Companies could actually improve the way they run their business and make more money off their data. Maybe a thank-you to the GDPR initiative is in order.
Renee McKaskle is CIO of Hitachi Data Systems.
Sponsored posts are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact firstname.lastname@example.org.