The cost of complying with the European Union’s General Data Protection Regulation might seem like something best deferred until it starts to apply in 2018 — but working on compliance just might boost profit, not reduce it.
The GDPR, the EU’s latest rewrite of its data privacy laws, doesn’t apply until May 25, 2018, but already IT companies are talking up their software and services for complying with the new rules.
It’s not just an issue for EU enterprises: Any company processing the personal data of people in the EU is affected, wherever that company is based.
What those companies can do with that information is more tightly controlled than before. Personal data may only be collected and processed on a lawful basis: either the person concerned opts in, or the processing is necessary on one of the other grounds the regulation recognizes, such as performing a contract with that person or protecting their vital interests.
That contract fulfillment provision isn’t a catch-all, either: If someone wants to buy a pair of sunglasses online, you can’t insist that they tell you their shoe size, for example, before accepting their order. The data collection has to be necessary.
Businesses not only have to protect their customers’ data, they have an obligation to own up if they slip up. A breach of personal data must be reported to the supervisory authority within 72 hours of the company becoming aware of it, unless it is unlikely to put the people concerned at risk; where the risk to those people is high, they must be told as well.
The cost of not complying could be high: a fine of up to €20 million (US$22 million) or 4 percent of worldwide annual revenue, whichever is higher, not to mention the resulting decline in customer confidence.
One of the GDPR’s requirements would be a sensible first step for many businesses even if it weren’t mandated: classifying all the data they hold that falls under the new regulation.
That one step could be a money-maker, rather than a money pit, according to Joe Garber, Hewlett Packard Enterprise’s global vice president of marketing for information management and governance software.
“Once you get your data in order, once you get insight into your information, then you can mine that information for value, strategic information about what your customers really want.”
There’s also scope for cost savings on a number of fronts.
By moving their data into a central, searchable repository, businesses may find they can retire older applications. “We’ve had customers shutting down thousands of apps,” Garber said.
And in examining that data, they may find they’re better off not storing it at all. “Some percentage of that information won’t have value for the organization, and at $20 per gigabyte for its lifecycle, it has a cost.”
So is evaluating which information falls under the GDPR going to be a make-work project, as thousands of terminal operators repeatedly choose to “protect,” “ignore” or “delete” as they click through customer records and email files?
Well, no. To start with, structured data is the easy part: a database column of email or physical addresses, or of credit card numbers, is obviously personal information, so that part of the process can be automated.
“The big deal is unstructured information. It requires context,” Garber said.
HPE, like a number of other companies, already has software tools that can make this kind of assessment, looking out for clues in email or other records that indicate the presence of credit card or bank account numbers and the like.
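The kind of clue-spotting described above, as an added example that is not HPE’s software or any vendor’s product: a small scanner that runs over one constructed email, pulls out digit runs that look like card numbers and tokens that look like IBANs, and keeps only those whose checksum (Luhn for card numbers, ISO 13616 mod-97 for IBANs) actually passes, so a 13-digit order number or a mistyped card does not get flagged. The email text, the test card number 4111 1111 1111 1111 and the example IBAN GB82 WEST 1234 5698 7654 32 are standard test values, not real accounts; the per-country IBAN length table is deliberately left out. Findings are stored masked, so the scanner’s own output does not become a second copy of the sensitive data.

```python
import re
from dataclasses import dataclass

# Constructed sample standing in for one "unstructured" record (an email).
# The first card number is the Luhn-valid test PAN, the second differs in
# its last digit and so fails the check; the IBAN is the standard GB example.
SAMPLE_EMAIL = """\
From: customer@example.com
Subject: Re: order 1234567890123

Please charge my card 4111 1111 1111 1111 (exp 09/27) for the sunglasses.
My old card 4111-1111-1111-1112 is cancelled, do not use it.
Refund the earlier duplicate to GB82 WEST 1234 5698 7654 32, thanks.
Call me on +44 20 7946 0958 if anything is unclear.
"""

# 13-19 digits, optionally separated by single spaces or hyphens, not glued
# to further digits on either side.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Two-letter country code, two check digits, then 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits (card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check. Country-specific lengths are not checked here."""
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]                       # move "GB82" to the end
    numeric = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


@dataclass(frozen=True)
class Finding:
    kind: str      # "PAN" or "IBAN"
    value: str     # masked form, so the finding itself is not sensitive
    offset: int    # character offset in the scanned text


def mask(s: str) -> str:
    """Keep the first and last four characters, star out the rest."""
    return s[:4] + "*" * (len(s) - 8) + s[-4:]


def scan(text: str) -> list[Finding]:
    """Return checksum-validated card numbers and IBANs found in text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PAN", mask(digits), m.start()))
    for m in IBAN_RE.finditer(text):
        compact = m.group().replace(" ", "")
        if iban_ok(compact):
            findings.append(Finding("IBAN", mask(compact), m.start()))
    return sorted(findings, key=lambda f: f.offset)


if __name__ == "__main__":
    for f in scan(SAMPLE_EMAIL):
        print(f"{f.kind:4} at {f.offset:3}: {f.value}")
```

Run against the sample, the scanner reports one card number and one IBAN and stays silent on the order number, the cancelled card and the phone number. Checksums only remove the obvious false positives; the context Garber refers to (a nearby "card", "exp" or "sort code", the sender, the folder the message sits in) is what a production tool adds on top, and the IBAN pattern above will swallow an uppercase word that directly follows the number, which the checksum then rejects.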
On Thursday, HPE began explicitly packaging some of its existing tools as solutions to particular GDPR compliance tasks, a move that will simplify matters for worried customers — and perhaps bring HPE a little extra revenue in the run-up to 2018.
Its Personal Data Assessment tool will automatically identify information that falls under GDPR rules, while Secure Content Management will apply the appropriate policies to the data once assessed. It even has a Litigation Readiness and Response tool for dealing with investigations and lawsuits.
The portfolio is modular, leaving companies free to pick and choose whether to buy some elements elsewhere or to roll their own regulatory response.
Whoever businesses intend to hand the GDPR compliance tasks to, Garber thinks they should start right away.
“Many of these solutions will take some time to set up,” he said.
And with a potential €20 million fine riding on the outcome, “If they wait until 2018 to switch the technology on, it will be too late,” he said.