In our data-driven era, companies and organisations are processing ever larger amounts of data. If this data falls into the wrong hands, is misused or gets inadvertently erased, it can seriously and negatively impact people’s lives. Examples include credit card information, health reports, legal documentation and the reams of personal details that are stored by many companies in ever increasing volumes.
Considering that the reported cases of data breaches and personal information leaks are on the rise, the EU is set to introduce new rules that will increase the protection of individuals and organisations in the modern era of digitalisation and digital threats. The forthcoming EU data regulation reforms, known as the General Data Protection Regulation (GDPR), directly address some of the issues stated above. Come May 25, expect stronger data protection thresholds, stricter regulation to address data protection, and significant fines for negligent companies that do not comply.
GDPR’s Impact In South East Asia
With this regulation emanating from the EU and applying to data stored about European citizens, the question can be raised, how does it affect companies in South East Asia? It turns out that there are numerous reasons why the GDPR is relevant in our part of the world.
For example, if you collect EU citizens' personal data, you might be subjected to the same requirements and penalties as EU-based companies. If you have European customers, they may refuse to work with you if you are not GDPR-compliant because they will be liable when you process data on their behalf. Even if you work with Asian companies that have European subsidiaries, it is possible they will insist that you become GDPR-complaint even if you only work with them in Asia. Their activities in this region will directly impact the adjudged GDPR compliance of their European-owned subsidiaries.
The GDPR not only brings in new rights for individuals but also stricter requirements for those who are collecting and processing personal data. Here are some of the essential principles that apply:
• Lawfulness and transparency: Personal data needs to be processed in accordance with the laws set by the GDPR. For the subjects of this data, processing needs to be transparent.
• Purpose limitation: Personal data must be legitimate and collected for specified reasons that are explicitly defined. The data may not be further processed for other purposes without consent from the data subject.
• Data minimisation: Personal data must commensurate with the purpose for which it has been collected. Companies should not hold data that is not relevant to purpose.
• Accuracy: Personal data must be accurate, and when it is legitimately retained for extended periods, it should also be kept updated. Where data is found to be inaccurate, reasonable steps must be taken to rectify or delete the inaccuracies.
• Storage limitation: Data should only be stored for a period for which the purpose requires. Data must be identifiable so that it can be located and removed when it is no longer needed.
• Integrity, confidentiality: The security of personal data must be safeguarded against any leaks, threats and breaches. These include unlawful processing, accidental loss or theft.
Why Data Management Is Key
A tangible first step towards GDPR compliance is to have solid data management practices in place. This good practice is often backed by data management solutions. Organisations that invest in data management solutions do so for multiple reasons, compliance to a regulator is not always the driver. Instead, driving storage efficiency, keeping data protected, recoverable and discoverable are all big drivers for data management solutions. As a result, the functions served by robust data management solutions also go a long way to helping companies meeting regulatory compliance such as that demanded by GDPR.
Commvault is a proven market leader in the data management space. The Commvault Data Platform, with its unique index and search functionalities, helps companies identify data when they need to find it. Its centralised search and analytics features, when deployed with other Commvault solutions, can address business problems such as risk and compliance by allowing organisations to:
• Identify information risks and limit exposure, particularly with personally identifiable information (PII), and other sensitive or business-critical data.
• Achieve smarter, automated regulatory compliance (including GDPR, HIPAA, FERPA, FINRA, etc.)
• Dramatically reduce internal eDiscovery collection workload for IT teams, and control legal review costs.
• Facilitate records management operations, identifying and moving information to record sets.
• Identify and prune redundant, outdated and trivial data to control storage costs.
• Automate content-aware data management.
• Accelerate cloud migration and control cloud costs over time.
• Gain self-service access to information (as appropriate) across the organisation.
• Provide the right information, to the right people across the organisation, at the right time.
• Support digital transformation efforts to help change the underlying business model with which the organisation competes in the market.
• Achieve near real-time monitoring of the information flowing throughout the organisation, creating alerts, notifications and automatically initiating new business processes.
Data management should be an integral part of a company’s GDPR readiness plan. At the same time, having overall good data management practices should be approached as a business enabler, not just as a compliance imperative. It is absolutely vital that organisations know what data they have, where their data resides, and the risks associated with it. By taking a comprehensive approach to data management, companies can gain a significant head start on the journey to becoming GDPR-compliant.