Data managers must hustle preparing for GDPR regulations

Data privacy takes a sharp turn

GDPR changes everything 180 degrees. It's my data and I'm giving you a license to use it.

GDPR takes the notion of data privacy and turns it on its head, Lofthouse said, handing control of data over to the people rather than the organizations that compile and use it. "People have said that data is the new oil, and GDPR is kind of like the new [gas]. You've got to refine to make any use of it, and if you don't handle it [properly], it blows up in your face," he explained. "GDPR is environmental legislation, it's redirecting the balance. Before, when you gave your information or data to a company, as far as the company was concerned, that was their data. They're going to use it because they own it."

Not anymore once the GDPR regulations kick in. "GDPR changes everything 180 degrees. It's my data, and I'm giving you a license to use it," Lofthouse emphasized. "If you think of it as a license for use, you have the right to ask what kind of data do you have, how are you using it, who else are you giving it to, how are you protecting it?"

Stephen Lofthouse

• Founder and director of SJL Consulting, specializing in privacy protection and GDPR compliance.
• Certified Information Privacy Professional and award-winning SAP Mentor. 
• Taught SAP at Sheffield universities for more than 10 years and at the University College London School of Management before moving into the commercial sector. 
• Born and raised in Yorkshire, England, and now living just outside London in the Hertfordshire countryside.
• Graduated from Sheffield Hallam University with a master's degree in technical consultancy (with SAP technology).
• In his spare time, tends to his orchid collection and takes walks in the countryside.

Although GDPR only applies to EU citizens, any company that holds data about those citizens is subject to the regulations.

"You could be an American company that sells into the EU, or you could be a company in India that processes data on behalf of a company in the European commission," Lofthouse said. "If you have data on a European citizen, you are subject to GDPR. So it massively affects U.S. companies doing business in Europe. If you are an American company selling to American citizens, that's fine; it won't affect you. But if you're an American company selling to European citizens, then, yes, it affects you."

Six steps to GDPR compliance

With the onus on companies that manage data on EU citizens to be prepared, Lofthouse offered a six-step plan to help data managers preparing for GDPR.

Find a point man. Organizations need to find and appoint a point person to lead the compliance team in preparing for GDPR regulations. Typically, that might be a senior privacy lead, data protection officer, or chief information security officer, according to Lofthouse.

Audit structured and unstructured data with an information steward. This rule applies to companies that need to know exactly what data they hold -- where it is, why they have it, why they use it and how long they're going to keep it. "Then there's Step 2B," Lofthouse added. "While you're doing a data audit, you might as well do an ... audit of user access control. Find out who's got access to what data, because that's your foundation for compliance."

Do a gap analysis. After doing a data audit, which essentially indicates where you're at, a gap analysis determines what you need to do in preparing for GDPR regulations. "It's not as if you have to throw out a big net to say where you are and where you need to move; you can actually go a bit deeper," Lofthouse detailed. "You need to move over there, and, specifically, you need to do this to this process or that to that process, so you can take your gap analysis down to quite a detailed level. You can prioritize the next steps based on the gap analysis, and if you find in the processes quite a large gap between where everything should be, you can prioritize that."

Manage the risk. You can use a data lifecycle management system, such as SAP Information Lifecycle Management, to archive all the data you have identified in the three previous steps. "You can then start to identify the high-risk processes from the gap analysis," Lofthouse noted, "and figure out what process may be a high risk to individuals and start to put into place what factors can lower that risk."

Start to organize internally. Once data is archived, you should implement retention policies using an information lifecycle management system. That allows you to develop some nuanced retention policies based on the type of data; for example, you might keep some data for just three years, but then again, you might need to keep some for 75 years. "Then you're going to tweak your access control and access policies to ensure that only the right people have access to the data," Lofthouse said.

Build a data protection portal. An important part of preparing for GDPR regulations is building a portal with a user experience (UX) package, such as SAP's Fiori, on top of a cloud platform. "You connect that into your system with the [UX] tiles," Lofthouse explained, "so the data protection officer has a desktop view of things like how many subject access requests have they had, how fast those are processed, how many impact assessments have been done, how many are being done. You're going to put in your various controls for process control so that you can monitor these various processes and can prove compliance."