GDPR and beyond: The past, present and future of data privacy
It’s just over a year since the European Union’s General Data Protection Regulation became law. Forced into a new way of thinking about data, companies are still making the cultural shift from “Save it all and forget about it” to “What do we save, why are we saving it and where will it be secure?”
Procrastination caused chaos as the GDPR deadline loomed, with hastily implemented patches put in place at the last minute. This has opened an opportunity where those who took compliance seriously can step ahead and take advantage of the changing data-security landscape, while those who didn’t are still patching security holes.
“2019 and probably the next 12 to 18 months will be about scaling and operationalizing GDPR and moving from that minimum viable compliance,” said Archana Venkatraman (pictured), research manager for European datacenter research at IDC Research Inc.
Venkatraman spoke with Dave Vellante, host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the Actifio Data Driven event in Boston. They discussed GDPR a year on and how data security is changing how companies do business (see the full interview with transcript here). (* Disclosure below.)
This week, theCUBE spotlights Archana Venkatraman in its Women in Tech feature.
Getting in line with GDPR
A career in information-technology journalism gave Venkatraman the foundation for a move into industry research with IDC. Her base is the IDC offices in London, where she creates research articles as a member of the European Data Protection and Storage Research team.
“I cover the Western European markets where data protection is almost of a neurotic interest to us,” Venkatraman stated. She also works with IDC’s multicloud infrastructure and DevOps practice research teams, sharing her data perspective on these trends, and she is a regular keynote speaker at technology industry events, such as the Actifio Data Driven conference.
This deep focus makes her an expert on the impact of GDPR. A set of data privacy regulations that sent shockwaves out from its European ruling to affect business operations around the globe, GDPR was adopted by the European Parliament a little over two years before it went into effect on May 24, 2018.
Getting in line with GDPR regulation is smart business sense in an economy where data is an increasingly important resource, and it also heads off the potential costs of data breaches, loss of customer trust and fines for noncompliance.
Some of the first companies to become GDPR compliant were those that it affected the most, the huge data-centric companies known as hyperscalers. “GDPR posed a lot of existential threat to a lot of companies like, say, hyperscalers or SaaS vendors,” Venkatraman stated.
The hyperscalers’ preemptive action was motivated by fear that consumers would lose trust in the cloud if they saw it as insecure. But it turned out the fears were unfounded. Post-GDPR research showed that “42% of organizations were still going ahead with their cloud strategies as is, but it’s just that they were going to be a lot more cautious,” Venkatraman said.
While the likes of Google, Facebook and Microsoft saw potential risks in non-GDPR compliance, many other companies that handled personal data did not. “There were a lot of naysayers,” Venkatraman said. “They thought this is not going to happen, the regulators don’t have enough resources to actually go after all of these data breaches, and it’s just too complicated. Not everyone’s going to comply.”
These are the companies that scrambled to meet basic requirements at the last minute and who are still playing catch-up. One company feeling big-time consequences from GDPR is British Airways, which now faces a record GDPR fine (£183 million) after a data breach that took place last September.
Other businesses, such as British global financial corporation Barclays PLC, are using their compliance as proof of corporate social responsibility and creating brand trust for customers. “[Barclays says] … ‘Hey, our business is important to us, but your privacy and your data is much more valuable to us,’” Venkatraman said.
In fact, Barclays is so knowledgeable about GDPR that it is reaching out to help other companies reach full compliance, according to Venkatraman. “They actually sell those kind of GDPR consultancy services because they’re so good at it,” she said.
As a cautionary tale on excessive data hoarding, Venkatraman described one Danish public sector employee who returned from a GDPR workshop and asked his employer to “forget” him, under the act’s “right to erasure” article. “It took that organization about 14 employees and three months to forget one person,” she said.
Delays are caused by manual processes and potentially having to sift through back-up snapshots buried in tape storage to retrieve and delete specific data. “If you don’t cleanse up your data act now, meeting with all these ‘right to be forgotten’ and all these specific clauses within GDPR is going to be too difficult. And it’s going to just eat up your business time,” Venkatraman warned.
A guide to attacking the GDPR dragon
GDPR is “a dragon of a regulation,” Venkatraman stated. And complying with such a complicated beast requires a plan of attack. Step one is gaining data visibility — assessing and classifying data to determine what falls under the regulations and what doesn’t. “You don’t want to apply policies to all the data because there might be some garbage in there,” she said.
Step two is securing the data. This includes anonymizing it for analytics and applying safety policies both within the technology and within the culture of the organization. Then, the final step should be actually meeting the requirements of the 99 individual articles of the GDPR.
“There is a GDPR framework,” Venkatraman explained. “You start by classifying data. Then you apply specific policies to ensure you protect and back up the personal data. And then you go about meeting the specific requirements.”
GDPR has changed the data game, putting security and privacy on the front page, as well as on the boardroom agenda. IDC research has shown that data protection is a key influencer in IT investment decisions, with companies asking, “How do I become data driven without compromising on security and sovereignty and data locality?” Venkatraman said.
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of Actifio Data Driven. (* Disclosure: TheCUBE is a paid media partner for Actifio Data Driven. Neither Actifio, the sponsor for theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)