Companies must pay more attention to data management before the GDPR

Whether multinational or SMB, all organisations must be aware of where ALL instances of personal data are stored in their infrastructure

Data management is one of the top concerns that IT leaders have about the upcoming General Data Protection Regulation, according to a research whitepaper published by Computing.

The ability to track and, if necessary, delete personal data is key to compliance with the GDPR, which enshrines the right to be forgotten in EU law - and that law (or an equivalent) will also affect British businesses. However, with the GDPR's fuzzy definition of personal data, keeping track of it all can seem like a mammoth undertaking.

Firms routinely copy and move data around inside their network, or, now, in the cloud. There are many reasons for doing so: archives and backups, or testing without compromising 'live' data. This data sprawl effect may cause real problems come next May, though.

Tracking and identifying data was named as a serious challenge for IT leaders in our research, with only 15 per cent saying that they were confident of being able to locate every copy of a particular piece of data. Only one per cent said that they were not at all confident, leaving the majority spread between these two extremes - and all likely to struggle somewhat when it comes to this aspect of GDPR compliance.

The results echoed those from one of Computing's free IT leaders' events in May, where none of the attendees told us that they were comfortable with the level of data discovery in their organisations.

We also asked respondents about their approach to copy data management (CDM) and their use of tools to support this function, such as those from IBM. Only three per cent have a specialist CDM system in place; until asked, 17 per cent didn't think that CDM was a GDPR issue. 33 per cent knew that they should be doing something about it, but hadn't. 27 per cent at least had a mix of manual and automated processes, but - given the GDPR's data management needs - these are unlikely to provide full compliance.

Multi-layered protection

We have heard IT leaders express the hope, again and again, that they can mitigate any fines that are levelled at them by demonstrating that they have taken steps to be compliant. However, with cyber criminals often focused on stealing such data, it is clear that these fines will affect businesses at some point. Encryption has become very much a necessity, perhaps even at both the application level, where data is collected, and at the hardware level, where it is stored. Only 18 per cent of companies told us that they applied encryption on two layers.

The level of GDPR preparedness among companies varies enormously, with less than a year to go before the regulation comes into full effect. Some have moved a good way towards compliance, while others have clearly failed to give the matter the thought that it requires.

For those still working towards compliance, a clear strategy must be forged to manage the collection, storage and protection of personal data - along with an awareness of how personal data is defined under the GDPR. CDM and other data management systems, like backup and archiving, should be areas of particular concern.