GDPR report after one year
Richard Harris in Mobile Guidelines, Wednesday, May 8, 2019
We talk with John Pocknell of Quest Software about the changes of GDPR over the last year and what the future holds.
Data protection and privacy has always been important, but with the implementation of the European Union’s General Data Protection Regulation, companies are now thinking about it differently and are more critical of how they secure their data - especially as it pertains to sensitive and Personally Identifiable Information (PII).
With the one-year anniversary of GDPR’s implementation quickly approaching, Quest Software’s John Pocknell reflects on the changes he’s seen organizations make over the past year, shares his top concerns around non-compliance, and offers advice on database management with GDPR.
ADM: Before GDPR went into effect last year, did you find that a lot of companies were scrambling to prepare and ultimately were not ready for its implementation?
Pocknell: I found a lot of companies were not properly ready for GDPR but in light of recent data breaches with companies such as Facebook, Marriott, and Twitter, I think it’s a wake-up call for organizations outside of the EU - particularly the US. A lot of companies need to address the issue at hand, and where they need to start is with a cultural change. Organizations are increasingly turning to database administrators, the CIO/CDO and even creating new titles to be accountable for maintaining and managing data privacy and access across their business.
ADM: What’s the biggest change you’ve seen in terms of the organizational structure due to GDPR in year one?
Pocknell: In the EU we’ve seen the creation of the Data Protection Officer (DPO) mandated under GDPR, who reports to the Chief Privacy Officer (CPO), to oversee strategy and policy to ensure regulations are met. The DPO’s role is specifically to provide independent counsel to the company to ensure it meets their data protection obligations. Having these kinds of roles in the organizational structure is critical in the era of data privacy regulations. I’ve also found that the role of the CFO is slightly changing, with CFOs finding themselves in a unique position due to the possible financial consequences of GDPR and other data privacy regulations. When it comes down to it, CFOs are responsible for putting the investment in new data protection strategies and balancing the risk of non-compliance fines.
ADM: Will the US implement the role, or one similar, of the EU’s Data Protection Officer?
Pocknell: As organizations implement new data management practices, I think we will see US companies set up a sort of internal GDPR taskforce which will include roles and responsibilities. For US companies that have to adhere to GDPR, appointing a DPO definitely makes sense and for a multinational, it might make sense to have the DPO located in the EU where they are closer to GDPR regulators. The CIO and CDO will be charged with determining corporate strategy and policy to meet regulatory requirements, and the DBA will be responsible for implementing the defined strategy and policy, guided by the DPO. The DBA is likely to be on the front line of ensuring that data is protected, tasked with identifying personal and sensitive data and incorporating set practices to safeguard it all.
ADM: What are you most concerned about with GDPR?
Pocknell: What’s concerning for me is this unreadiness with a lot of companies which puts pressure on DBAs as to how they identify and protect data in the database. DBAs are responsible for the database and I’m not seeing a lot of evidence that DBAs are feeling comfortable on where their personal and sensitive data is. Being the person closest to an organization’s data, DBAs are likely to play a key role in ensuring compliance regulations are met. However, adhering to regulation requirements depends upon a company strategy initiative that incorporates new data management practices.
ADM: What advice do you have for companies when it comes to enabling DBAs to effectively determine what data they have in their databases, and then protect it?
Pocknell: Companies need to ensure they are giving their DBAs the right tools. DBAs need to be able to figure out where sensitive and personal data is before they can start to protect it. To do this, companies need to provide DBAs with the solutions that offer visibility into the database, are configurable, and can be automated so DBAs are able to inventory data and figure out where it is.
ADM: Why exactly has GDPR created this renewed focus around database management?
Pocknell: When it comes to database management, there’s specifically renewed attention on database solutions that help organizations meet regulatory compliance. This focus has come about because of GDPR, but companies are also looking at their databases more critically now due to other similar regulations in the US such as HIPAA and PCI, along with new ones expected to come out next year such as the California Consumer Privacy Act. As companies implement regulation strategies to ensure they meet requirements across their environments, they are looking for the database management options that will enable their DBAs, developers and IT teams to quickly and reliably identify and protect sensitive data in their databases to help mitigate company risk against non-compliance. DBAs have the right skills and understanding of the data to make a real difference, and they can do so with the right tools.
ADM: Do you think companies have matured in regards to their outlook of GDPR one year later?
Pocknell: It’s getting better, but there’s still a long way to go. Also, this isn’t Y2K - you don’t just fix the problem and that’s it. This will require ongoing vigilance to ensure companies continue to protect the individual’s right to have their personal data protected. Some interesting statistics I’ve found around maturity that raise concerns include:
- Less than half of US companies have set up an internal GDPR
- Only 18% of Fortune 500 companies have appointed a Data Protection Officer, which is a requirement of GDPR.
- Seventy percent of employees have access to data they should not.
- It’s estimated that the US and EU will require 28,000 DPOs.
ADM: Many are calling for a US version of GDPR - similar to the California Consumer Privacy Act 2018 (CCPA). What are your thoughts on this? Anything specific that the US should include that GDPR might be overlooking?
Pocknell: Too early to say since it isn’t due to come into force until Jan 1, 2020. Apparently, CCPA has been put together hastily according to some pundits, so it will remain to be seen after it’s actually been tested to see how successful it is at protecting data privacy. In the EU, there were 2 years for companies to plan for GDPR before it came into force.
ADM: Anything else you’d like to add?
Pocknell: When it comes to protecting data, organizations need to view it as a continuous operation. Data protection tends to be thought of as a one-time operation and something companies only need to do on their production databases. But data will continue to arrive from various sources, and will also exist inside lots of non-production databases and be moved to different locations, including the cloud. The job of protecting data is never done.
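Pocknell's answers above stress that a DBA first has to find out where personal data lives, across production and non-production copies alike, before any of it can be protected. The script below is an added example written for this page, not code from the interview or from Quest Software, of the kind of automated inventory he describes: it walks every table and column of a SQLite database, flags columns by name hints and by pattern-matching a sample of their values, and produces a findings list for the DBA to review. The schema, rows, hint lists and regular expressions are constructed assumptions for the example; the free-text `support_notes.body` column is there to show PII that a name-only check would miss.

```python
import re
import sqlite3

# Constructed sample schema and rows (assumption: not taken from the interview or Quest).
SAMPLE_DDL = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, full_name TEXT, email TEXT, phone TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL);
CREATE TABLE support_notes (id INTEGER PRIMARY KEY, body TEXT);
"""
SAMPLE_ROWS = [
    ("INSERT INTO customers VALUES (?, ?, ?, ?)",
     [(1, "Ada Example", "ada@example.org", "+44 20 7946 0000"),
      (2, "Bo Sample", "bo@example.net", "+1 555 010 0000")]),
    ("INSERT INTO orders VALUES (?, ?, ?)", [(1, 1, 19.99), (2, 2, 5.0)]),
    ("INSERT INTO support_notes VALUES (?, ?)",
     [(1, "Customer asked to be contacted at ada@example.org"),
      (2, "Refund processed, no further action")]),
]

# Name-based hints (assumed list): substrings of column names that usually hold personal data.
# Heuristic by design; expect false positives such as "filename" and review the output.
NAME_HINTS = {
    "email": ("email", "mail"),
    "phone": ("phone", "mobile", "tel"),
    "name": ("name", "surname", "firstname", "lastname"),
}

# Content-based patterns (assumed), applied to a sample of string values per column.
# Deliberately loose: the goal is an inventory for a DBA to review, not a final verdict.
VALUE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}


def build_sample_db() -> sqlite3.Connection:
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DDL)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def classify_column(conn, table, column, sample_size=200):
    """Return {category: reason} for one column, combining name and content checks."""
    findings = {}
    lowered = column.lower()
    for category, hints in NAME_HINTS.items():
        if any(h in lowered for h in hints):
            findings[category] = "column name matches hint"
    # Sample values rather than scanning whole tables so the scan stays cheap on large data.
    rows = conn.execute(f'SELECT "{column}" FROM "{table}" LIMIT ?', (sample_size,)).fetchall()
    for (value,) in rows:
        if not isinstance(value, str):
            continue  # numeric and NULL values are not matched against text patterns
        for category, pattern in VALUE_PATTERNS.items():
            if category not in findings and pattern.search(value):
                findings[category] = f"sampled value matches {category} pattern"
    return findings


def inventory(conn):
    """Walk every user table and column; return a list of findings for review."""
    report = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        for (_, column, *_rest) in conn.execute(f'PRAGMA table_info("{table}")'):
            findings = classify_column(conn, table, column)
            if findings:
                report.append({"table": table, "column": column, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in inventory(build_sample_db()):
        print(f"{entry['table']}.{entry['column']}: {entry['findings']}")
```

Run the same `inventory()` against each non-production copy and cloud replica as well as production, since, as the answer above notes, personal data does not stay in one database; the report is the starting point for deciding which columns need masking, access restrictions or deletion.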
John Pocknell is a senior solutions product marketing manager at Quest Software. Based at the European headquarters in the U.K., John is responsible for developing and evangelizing solutions-based stories for Quest’s extensive portfolio of database products worldwide. He has been with Quest Software since 2000, working in database design, development and deployment. John has spent over 18 years (including 12 years in Product Management) successfully evangelizing Toad to customers at conferences and user groups around the world. He blogs and has produced many videos for Toad World, the Toad user community, and has authored technical papers about Toad on the Quest Software website.