Survey Shows US CIOs Getting A GDPR Headache

US companies that don’t have a presence in Europe still have to be sure that they comply with the EU’s privacy laws regarding personally identifiable data.
The EU’s General Data Protection Regulation (GDPR) is now law, with full compliance mandated by May 2018. As the far-reaching impact of the GDPR sinks in, a recent Vanson Bourne survey of CIOs shows headaches ahead for many companies, including those based in the US.
That’s because any US company with European customers in its database must fully comply or face big fines. The survey, commissioned by Compuware, showed 52 percent of large U.S. companies have such personal information. Data management and compliance professionals need to mobilize now because, given the scope of the changes necessary, May 2018 isn’t really that far off.
There’s a lot of fine print in this law, but a major cause of concern involves how personally identifiable information (PII) is handled. The GDPR mandates that all companies must know exactly where every instance of someone’s personal information is located. However, 78 percent of CIOs surveyed admit it’s sometimes difficult to know exactly where all their customer data resides.
Simply finding this data doesn’t sound that challenging, right? However, the increasing complexity, quantity, and distributed nature of business data make it very difficult to discover every instance of a customer’s personal information across the enterprise. Under the law, organizations must not only comply when a customer invokes his or her “right to be forgotten” (asking for personal data to be deleted), but they must also be able to demonstrate that they can comply. This will require organizations to shine a light on systems like mainframes, which continue to hold vast amounts of enterprise data.
Another major challenge involves limits on the use of personal customer data for a variety of business purposes. For example, the GDPR requires organizations to secure the explicit consent of customers before using personal data for purposes other than the service to which the customer has agreed.