GDPR compliance: Don’t forget about Personal and PII data in your non-production environments
With GDPR now in full effect, organizations and governments still have a lot of work and learning to do. In particular, many businesses are hard at work ticking every box required for compliance with this complex, multi-faceted law.
Currently, we’re seeing the majority of organizations’ resources invested in products that assist DPOs (Data Protection Officers) or GDPR compliance teams in discovering Personal and PII data, assessing production systems, and implementing new data-handling procedures across their customer-facing production systems.
However, in my experience of working with many organizations on their GDPR implementations, one area in particular is overlooked: PII data currently sitting in non-production environments. To become fully GDPR compliant, organizations must have a comprehensive understanding of their entire enterprise data landscape — not just the external-facing environments and applications that collect PII data, but also non-production systems such as legacy, development, test, and archive environments, which routinely hold copies of production data.
Common data platform
A common data platform (CDP) or unified framework stores all production and non-production data in a centralized repository, where regulatory compliance and access control can be applied consistently in one place. Data managed by a CDP can then be analyzed and scanned to determine whether or not it contains PII, and reports can be run against it, so that any GDPR request (for example, a data subject’s access or erasure request) can be satisfied quickly and in its entirety, including the copies that live in development, test, and archive systems.
These frameworks are enabled by technologies like Hadoop (popularly labelled “Big Data”), which are designed to store and process all types of data en masse across the whole organization, including databases, emails, documents, media, IoT data, and more. Hadoop’s ability to store data “as is”, encrypt data at rest, and apply access controls provides a practical route to enforcing GDPR requirements within a secure, centralized location. Search tools such as Elasticsearch and Solr make the data held in the archive repository quickly searchable, which is what makes locating a specific individual’s records feasible at enterprise scale.
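As an added illustration of the scan-and-report step described above (example code written for this page, not from the article’s author or from any CDP product), the following Python inventories PII in constructed rows pulled from a dev/test database copy and then locates one data subject’s records as a GDPR access or erasure request would require; the environment names, column names, and regex patterns are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows, as they might be exported from dev and test database copies.
NON_PROD_ROWS = [
    {"env": "dev", "table": "customers", "id": 1,
     "email": "anna.svensson@example.com", "phone": "+46 70 123 45 67", "notes": "VIP"},
    {"env": "test", "table": "orders", "id": 9,
     "email": None, "phone": None, "notes": "Ship to 10 Downing St, contact jdoe@example.org"},
    {"env": "dev", "table": "customers", "id": 2,
     "email": "not-an-email", "phone": "12", "notes": "n/a"},
]

# Minimal detectors; a real CDP scanner would add national IDs, card numbers, addresses, etc.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}


def find_pii(value):
    """Return the set of PII kinds detected in one field value (non-strings never match)."""
    if not isinstance(value, str):
        return set()
    return {kind for kind, pat in PII_PATTERNS.items() if pat.search(value)}


def inventory(rows):
    """Map (env, table, column) -> PII kinds found there, across every scanned row.

    This is the report a DPO needs: which non-production datasets hold PII at all."""
    found = defaultdict(set)
    for row in rows:
        for col, val in row.items():
            if col in ("env", "table"):  # metadata about the copy, not customer data
                continue
            kinds = find_pii(val)
            if kinds:
                found[(row["env"], row["table"], col)] |= kinds
    return dict(found)


def subject_request(rows, email):
    """Locate every non-production row mentioning a data subject's e-mail address.

    Free-text columns are searched too, because PII leaks into notes fields as well as typed columns."""
    hits = []
    for row in rows:
        for col, val in row.items():
            if isinstance(val, str) and email.lower() in val.lower():
                hits.append((row["env"], row["table"], row["id"], col))
    return hits
```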
Going beyond GDPR Compliance
Beyond GDPR compliance, adopting a modern enterprise archive and retiring legacy applications can deliver substantial cost savings and provides a foundation for information lifecycle management.
As organizations scramble to tick off all of their GDPR boxes, they must make sure to examine every facet and area thoroughly, involving business, IT, and C-level executives alike. With time and maturity, I am confident that organizations and governments will be able to work together to better protect their customers’ data by way of a common data platform or unified framework.