Companies are preparing to wield more stick and less carrot to get employees’ data-handling practices in line with new European Union general data protection regulation (GDPR) rules, a new survey has found in the wake of reports that many companies are still struggling to discover ‘dark data’ that they have collected but not indexed.
Fully 88 percent of organisations surveyed in the recent 2017 Veritas GDPR Report, which surveyed 900 business decision makers across 8 countries, said they plan to use staff training, rewards, penalties and contracts to develop GDPR-compliant behaviours amongst their employees.
Some 47 percent will add mandatory GDPR compliance into employment agreements, with 41 percent set to introduce employee disciplinary procedures for GDPR compliance violations and 34 percent planning to use rewards to reinforce GDPR-compliant behaviour.
A quarter of respondents will consider withholding benefits and bonuses from employees that are found to have breached GDPR practices – heralding potentially dramatic consequences for employees that don’t take the new requirements seriously.
“The misconception around data is that customers have a good handle on it,” Veritas ANZ managing director Louis Tague told CSO Australia. “That is challenging to do, because what can be key customer data may be locked up in a structured database but we all know how common it is to extract that data into Excel or unstructured data sources. The risk of breaches, and of managing that information, is now more complex than ever.”
GDPR regulations, which will take force on 25 May next year, pose what some have called an “existential threat” for companies as they carry penalties as high as 4 percent of global annual revenues for a failure to protect customers’ personally identifiable information (PII).
The legislation applies to any company, in Australia or elsewhere, that is managing the PII of European Union citizens – which make up a not-insignificant percentage of Australia’s population. This has caught many local companies unawares, with potential consequences should they fail to rapidly execute the procedural and cultural change necessary to implement proper data-protection practices.
Protecting data requires that a company know exactly what data it has and where it is stored or used – and that is proving to be a sticking point for companies that are still struggling to stay compliant with PCI DSS controls for financial data.
Such companies will also struggle to get their heads around their data holdings and ‘dark data’ that falls outside of official system protections, Tague warned – potentially causing a GDPR breach through something as simple as a lost USB drive.
Addressing these discrepancies requires a comprehensive framework for understanding the data and what it looks like (Veritas, for one, offers a formal Dark Data Assessment while other firms offer GDPR-specific data protection impact assessments); the acquisition of tools to understand and organise that data; and methodologies for protecting data from breaches – and the business from the interruption they cause.
“The best response is modernised data protection to ensure that organisations can be back up and running with their critical data and back to business as quickly as possible,” Tague explained, calling the necessary framework “the new ILM” – a reference to information lifecycle management tools that helped organisations prioritise their data and match it to different forms of tiered storage infrastructure depending on the protections and frequency of access that data required.
ILM was designed to keep storage costs under control, and derivative methodologies will fuel infrastructure mechanisms will help control data at the application and network layers. However, the need to back that with cultural change highlights the enormity of the task facing Australian organisations in the runup to GDPR’s implementation.
By making GDPR compliance personal – the threat of losing a bonus is enough to get even the most jaded employee paying attention – the surveyed companies are indicating their intention to make data protection a core business value.
Yet their enthusiasm isn’t only about avoiding penalties: 95 percent of respondents saw “substantial business benefits” to GDPR compliance including better data hygiene, accuracy and policy enforcement (92 percent); cost savings (68 percent); more insights for a better customer experience (68 percent); a stronger brand reputation (59 percent); better data protection (51 percent); and better revenue and market share (45 percent).
Such benefits may await those who are compliant – but getting there is the first order of business. A recent Gemalto study found that just 40 percent of surveyed executives believe their organisation carries out all procedures in line with data protection laws, while 14 percent said they wouldn’t trust their own organisation to store and manage their personal data.
“The cultural shift is going to be the biggest challenge,” Tague said. “Regulators are very much focused on ensuring that PII is treated like a strategic asset. And organisations will be far better off by having improved data hygiene – and they will be able to generate significantly better insight from their data, as well as reducing the risk to their brand reputation.”