Big data is no longer a buzzword. It is has become central to how organisations function. Both public and private sector entities are seeking to unlock the potential of the data they hold and continue to capture.
Simultaneously, there is rising concern over data management. Increasingly stringent regulations are being passed for handling of personal data and privacy protection. The foremost example is the EU General Data Protection Regulation (GDPR), which is coming into effect on May 25, 2018. The situation is further complicated by the shift to cloud environments.
The risks of non-compliance have risen enormously. The stakes go way beyond financial penalties or losses, extending to reputation and customer/ citizen trust.
OpenGov spoke to Praveen Kumar, APAC General Manager, ASG Technologies to learn more about how enterprises can continue to derive value from data, while minimising the risks and complying with regulations.
What are the biggest trends in management and governance of personal data today, while storing, processing and transferring data within and between organisations? Could you tell us about developments and challenges in both the private and public sector?
The conflicting demands for more and faster data-driven business value and reduced data-driven business risk are the biggest issues for enterprises today. Across the APAC region, enterprises are rapidly adopting new technology such as cloud, without a clear view of where their data is hosted.
At the same time enterprises are increasingly faced with regulations that require them to implement a comprehensive data governance policy. The upcoming EU General Data Protection Regulation (GDPR) is one such example. As such, APAC companies are challenged to balance between ensuring they get the insights and analysis from the data they create, store, analyse while still managing and safeguarding that data.
This is where ASG comes in – our technology discovers and maps data and analyses data lineage, providing a key foundation for GDPR compliance.
GDPR has been called probably the most important piece of privacy regulation in 20 years or more. What in your view are the biggest changes going to be brought about by the GDPR?
GDPR introduces new rights for individuals, and new responsibilities for data processors. GDPR enhances the rights of individuals especially around the right to be forgotten. It governs data portability, data profiling, and the use of personal data in automated decision making. It increases the obligations on data processors to implement and maintain both conditional and technical measures to protect personal data.
And it introduces the concept of privacy by design, which requires each new service or business process that makes use of personal data to take protection of the data into consideration.
This new complexity will require robust data governance. Firms need to understand where personal data is held, and how it flows between applications and processes. For example, GDPR’s notification provisions require data controllers to inform data subjects how their data is being processed in a fair and transparent manner, and give the individual the right to withdraw data if they wish. This translates into a broad accountability requirement for enterprises to keep records of how they process personal data and how they protect it.
How are organisations outside of the EU affected by the GDPR?
The GDPR will have a global impact on all companies that process the Personally Identifiable Data (PID) of European citizens. Whether businesses reside in the EU or not, local and regional companies that deal with EU consumers or employees will have to comply or risk running into hefty fines. This is particularly impactful for Singapore, as it is the EU's largest commercial partner in ASEAN, accounting for slightly under one-third of EU-ASEAN trade in goods and services.
GDPR is also part of a trend towards the globalisation of data regulation, in the same vein as Anti Money Laundering and know Your Customer regulation.
Today a business might be incorporated in one country, with customers in another country and cloud providers in a third country. How do you see organisations in Asia-Pacific dealing with the challenge of complying with regulations and data lineage guidelines from multiple jurisdictions?
Being GDPR compliant will naturally help companies stay compliant with local data regulations, as it helps businesses stay on top of their data hygiene habits. Most jurisdictions in Asia have already enacted data protection laws that provisionally allow personal data to be collected, stored and transferred where an individual has given consent.
The additional step with the GDPR is the full scope and amount of data that a company has to handle. In this way, fulfilling GDPR regulations will help Asian enterprises to meet local requirements as well.
Small and medium business (SMBs) also need to be more vigilant, and due to the current competitive economic landscape, they will have a steeper hill to climb, especially if they are not on the road to being compliant.
However, there are steps SMBs can take to safeguard themselves. Adopting a more pragmatic approach – such as doing research on what it takes to be more transparent with their data – could be helpful for them in the long run. On top of this, accountability for their actions and the data they store will definitely be useful, especially if they are faced with a data subject request from the relevant authorities. Evidence of some action to address GDPR compliance may encourage regulators to be more lenient, whereas inaction will surely draw their wrath!
How can organisations, whether public or private, work towards becoming compliant in this increasingly complex regulatory environment? What are the risks if they fail to do so?
Complying with GDPR is grounded on a full understanding where personally identifiable data is sourced and how it is used. For example, companies must make sure that the data that they have is only used for the purposes specified when collected.
To achieve this, your organisation must map data and content estates, business processes, and data flows that involve PID. Regulations will require companies to demonstrate they know what data have been collected and how they are used.
Only then will you be, ready to begin protecting personal information. With a policy-based management of content, you can put processes in place for obtaining (and managing) consent for storing personal information.
With data mapping already taking place, you’ll know where the PID is stored and have the processes to apply policy-based retention procedures against data collected on individuals.
Once you’ve identified the processes, you’ll need to enact governance to manage the use and the quality of the PID. This includes reviewing new processing activities, assuring compliance, responding to people’s requests for information and action about their PID, responding to audits and setting internal standards within your organisation.
To ensure compliance across the board, reporting on governance is crucial. Create reports that provide a management view of PID usage. Within these reports, you can prove knowledge of what data is being processed and for what purpose.
The implications for businesses that fall under the remit of the GDPR are significant. Organisations which fail to comply will be subject to a fine of up to 4 percent of global turnover, or EUR 20 million, whichever is greater.
Can you tell us about how the current cybersecurity landscape is affecting data management?
Given the evolving threat landscape and wealth of new technologies introducing risk, the GDPR regulations are providing a new opportunity for CIOs and IT directors to build a data privacy and cybersecurity programme that will better position the company to deal with future threats.
As the GDPR has set a definitive price on cyber risk, secure data management is becoming a key priority for enterprises today. While cybersecurity and privacy management are not the same, they are closely related. Mapping the use of personal information provides key insight into how cybersecurity measures should be deployed.