As anyone doing business in Europe probably knows, the European Parliament adopted the General Data Protection Regulation (GDPR) just over a year ago in the Spring of 2016. The GDPR requires any company doing business in Europe to comply with strict new rules around protecting customer data. This has already introduced cause for concern among corporate security teams, as the GDPR takes a broad view of what constitutes personally identifiable information (PII). Companies will essentially need to provide the same level of protection for things like an individual’s IP address or cookie data as they do for name, address, and Social Security number.
The penalties for non-compliance allowed by the GDPR are steep: up to €20 million or 4 percent of global annual revenue, whichever is higher. As such, companies are finding that it makes both legal and financial sense to invest in compliance, in some cases heavily.
Consider U.S.-based companies operating in Europe: according to a PwC survey, 68 percent of these companies expect to spend between $1 million and $10 million to meet GDPR requirements by the Spring 2018 deadline. Another 9 percent expect to spend more than $10 million.
These investments will fund a cascade of activities, starting in most cases with the appointment of Data Protection Officers (DPOs), who will create data protection plans. Those plans will drive risk assessments, which in turn will result in the implementation of risk mitigation measures. Once all of these changes are in place, companies will have to test their incident response plans to make sure they can report breaches within the 72 hours required by the GDPR. How well the response teams perform and minimize damage will directly affect the company's risk of fines for a breach. Processes for ongoing assessment must also be set up in order to remain in compliance, which will require monitoring and continuous improvement.
Underlying these compliance transformations is the core question of how companies will determine whether unprotected customer data exists or not. Enter cognitive search & analytics (CS&A), a technology that can enable transparency into a company’s digital landscape in order to answer this question on an ongoing basis. A CS&A platform can analyze enterprise information and take a rules-based and/or a machine learning-based approach to identifying what constitutes customer data and where it exists across disparate applications and content repositories. Such automated analysis effectively exposes compliance violations to prevent potentially expensive non-compliance penalties.
Companies looking to automate data discovery and ongoing assessment of their digital landscape would do well to invest in cognitive search & analytics technology. Not only are these solutions sophisticated and flexible enough to expose potential violations across a wide variety of enterprise sources, but they are also much more cost effective than trying to consolidate and centralize data physically, an approach that is not only significantly more expensive but also error prone and very time consuming. As progressive companies analyze the return on investment of the various options, they are increasingly pursuing cognitive search & analytics as the faster, cheaper and less risky route to avoiding penalties and, more importantly, keeping their customer data safe and protected.