Organisations often underestimate the amount of customer or client data that they hold. This therefore means that they are underestimating the potential impact and reach of the new general data protection regulation (GDPR).
If organisations do not know what data they hold and where it is, the risk of non-compliance and subsequent penalty is substantial. This is because the new rules which come into force in May 2018 introduce a number of new stipulations and repercussions for firms that are not managing data adequately.
It is imperative that organisations are examining not only their primary source of customer and client data (for example customer relationship management systems and marketing systems), but all its sources in all forms.
Data can be generated or stored in the following places:
- current IT systems;
- portable media devices;
- mobile phones;
- mobile data storage ie USBs and external hard drives;
- network folders;
- spreadsheets (and other such static documentation);
- emails and archived inboxes;
- other external communications;
- social media postings;
- back-up tapes;
- secure drop boxes;
- web sites;
- decommissioned systems and IT hardware; and
- hard copy documents and archives.
This is a list of just some of the things that may need to be considered.
The implications of this are on a staggering scale when considering the size of organisations in some markets today and the volume of data storage they hold.
Where do you go from here to defend yourself against non-compliance?
As part of the readiness review that all firms should now be carrying out, there should be an audit of all data sources across the entire organisation so that reasonable steps can be taken to mitigate against risk.
Education of all staff will also be pivotal to continued compliance with these regulation developments. Responsibility for maintaining integrity of data cannot just sit with an IT department who maintain the systems that hold data, it must reach across all those departments that acquire, generate and use data.