Data Center Journal

VOLUME 55 | APRIL 2018

Issue link: https://cp.revolio.com/i/964464


First and foremost, businesses must allocate the budget for a governance initiative, in addition to securing buy-in and participation from every part of the organization. Regulations such as the GDPR have established that data protection and security are no longer the bailiwick of IT departments. Every part of the organization has a role to play. For instance,

• Business managers need to identify what data they use, where it lives and how they use it.
• Data teams must establish protocols to secure personal data and design governance processes to sustain "privacy by design" beyond immediate deadlines.
• IT needs to ensure the availability and resiliency of processing systems and services.
• HR must hire additional resources to train employees in how to identify data flows as well as help communicate new policies and procedures throughout the organization.

With success depending on so many individuals, businesses should take the time to invest in employees, as few of us have existing GDPR expertise. Employees need to understand the different aspects of the GDPR, such as privacy by design, and how it will affect their roles.

Once the resources are in place, organizations should look to understand how data moves across and beyond them—a critical aspect of the GDPR. Identifying and classifying data is the first step to making sure you can answer regulators' important questions. Doing so may involve asking every business unit to identify their activities across the organization and the data processes that support those activities. Questionnaires, business-process discovery sessions and process mapping are all crucial in creating a comprehensive inventory of data processes.

RUSHING TO COMPLY? AVOID THESE PITFALLS

The market has plenty of encryption software and services to help secure personal data. Encryption, however, is an IT-focused activity. It addresses some data-protection issues but falls short of addressing the complete picture dictated by the GDPR, which requires a full understanding of how data is captured, transformed, held and destroyed across an organization.

Preparing for the GDPR is the ideal time to finally deal with shadow systems, as well as systems and applications that weren't created and aren't supported by IT. More than 80% of IT professionals say their organization has at least one shadow system. These systems typically have fewer processes controlling who can access sensitive personal data, leaving an organization exposed. Take the time now to account for shadow systems and meet with users across the business to understand what tools they use.

Finally, don't fall into the trap of assuming too much risk. Many companies are put off by, or can't afford, the high cost of compliance. As such, they've adopted a "bare minimum" approach. In fact, industry analyst Ovum found more than half of global businesses believe they'll be fined as a result of the GDPR. It's important to remember that the costs of noncompliance are much higher than the cost of implementing the necessary technology and processes. The substantial fines and reputational damage from noncompliance could make recovery difficult for some businesses.

GDPR is a massive regulation. Many organizations are struggling with how to begin dealing with its 99 articles. Develop a flexible data strategy that looks well beyond meeting the immediate demands of regulators. Data governance can be the foundation of a long-term data strategy, allowing organizations to become more efficient with their data and to truly become data-driven cultures.

About the Author: Olivier Van Hoof is a manager at Collibra. During his career, Olivier has led a variety of large-scale projects in the financial-services industry at Bank of New York, ABN Amro and HSBC, among others, with a focus on regulatory reporting, stress testing, asset management, compliance and data governance.
