GDPR and Mainframe 101: A Handy Compliance Guide for 2019
GDPR, the European Union’s General Data Protection Regulation, went into effect on May 25, 2018. Contrary to some expectations, since that time few companies have had to deal with problems related to compliance. Although some large enterprises such as Google and Facebook were immediately targeted for alleged violations, most businesses have yet to face any GDPR enforcement actions.
But that’s no reason for complacency. Raegan MacDonald, head of EU Public Policy at Mozilla, assesses the situation this way:
“We haven’t seen the big fines levied just yet. But I suspect that if 2018 is the year of implementation, 2019 will be the year of enforcement… Starting in 2019, I expect this ‘grace period’ to end, where companies will either shape up or face serious fines by regulators.”
Even if your company has no physical presence in EU countries, if you have customers or users there, you need to be ready for the day when the informal GDPR grace period inevitably — and perhaps suddenly — ends. In this article we’ll do a quick review of some of the major issues you must address if your company is to achieve GDPR compliance in 2019.
7 Key GDPR Requirements
- Data Security and Privacy: These are such high priorities for the GDPR that they are the subject of the only two specific technical mandates in the regulation – encryption and pseudonymization (a process of data masking in which personally identifiable information is replaced with pseudonyms). Mainframes are particularly capable in these areas. The IBM z14 series offers pervasive encryption of all data both at rest and in flight. And IBM’s InfoSphere Optim Data Privacy provides extensive data masking capabilities.
- Affirmative Consent: Individuals must affirmatively consent to a company storing or processing their personal information. Pre-checked opt-in boxes are specifically not allowed.
- Control of Personal Information: GDPR gives people the right to know and exercise control over any of their personally identifiable information (PII) in your systems. If they request its deletion, all such records, whether in production, backup, or test systems, must be purged promptly. Individuals also have the right to correct any misinformation in their PII records, and to have their data transmitted, without charge, to another company.
- Purging of Unneeded Data: Companies should only keep PII for the time and for the purpose for which that individual gave consent. After that, it should be promptly discarded.
- Breach Notification: GDPR requires that all data breaches involving PII be reported to affected customers and the relevant governing body within 72 hours of discovery. Meeting that deadline requires processes that not only detect breaches quickly but also identify and track which records were affected.
- Data Quality: GDPR mandates a high degree of data quality. For example, if your company shares inaccurate PII with another organization, GDPR requires that you notify the recipient of that fact. An important tool for achieving GDPR-compliant data quality is available through the recent integration of Syncsort’s Trillium Discovery with Collibra’s Data Governance Center.
- Data Protection Officers: If your company monitors the online behavior of individuals, or processes sensitive data such as health or criminal records, GDPR requires that you have a Data Protection Officer (DPO), who is a high-level executive charged with ensuring GDPR compliance.
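To make the first requirement concrete, here is an added example of pseudonymization as the list describes it (PII replaced with pseudonyms) together with the deletion-across-systems obligation from the Control of Personal Information item. This is illustrative code written for this article, not IBM's pervasive encryption or Syncsort's Optim/Trillium tooling; the record set, the field names and the key are all constructed. It produces a masked copy of "production" records for a test system using keyed HMAC tokens, shows that the copy still supports per-customer aggregation, and then purges one data subject from both the production data and the masked copy.

```python
"""Pseudonymizing PII for a test copy and purging a data subject across copies.

Added illustration for this article; not the page's or any vendor's code.
All records below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Fields treated as personally identifiable information (assumption for the example).
PII_FIELDS = ("customer_id", "email")

# Constructed "production" records; every value is made up.
PRODUCTION = [
    {"customer_id": "C-1001", "email": "alice@example.com", "country": "DE", "orders": 3},
    {"customer_id": "C-1002", "email": "bob@example.com", "country": "FR", "orders": 1},
    {"customer_id": "C-1001", "email": "alice@example.com", "country": "DE", "orders": 2},
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token for one PII value.

    The same value under the same key always yields the same token, so joins and
    per-customer counts still work on the masked copy; without the key the token
    cannot be turned back into the original value.  A different key produces
    unrelated tokens, so two masked data sets cannot be linked to each other.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return a masked copy of the records, suitable for a test or analytics system."""
    masked = []
    for rec in records:
        copy = dict(rec)
        for field in PII_FIELDS:
            if field in copy:
                copy[field] = pseudonym(copy[field], key)
        masked.append(copy)
    return masked


def purge_subject(records, customer_id: str, key: Optional[bytes] = None):
    """Drop every record belonging to one data subject.

    For the production data the identifier is matched directly; for a masked copy
    the caller passes the key so the subject's token can be recomputed.  Returns
    the surviving records and the number removed, so the purge can be evidenced.
    """
    target = customer_id if key is None else pseudonym(customer_id, key)
    kept = [r for r in records if r.get("customer_id") != target]
    return kept, len(records) - len(kept)


def demo():
    # The key lives with the production system, never alongside the masked copy.
    key = secrets.token_bytes(32)
    test_copy = pseudonymize(PRODUCTION, key)

    # Aggregation on the masked copy still works per customer.
    orders_by_token = {}
    for r in test_copy:
        orders_by_token[r["customer_id"]] = orders_by_token.get(r["customer_id"], 0) + r["orders"]

    # An erasure request from C-1001 must be honoured in production AND in the test copy.
    prod_after, n_prod = purge_subject(PRODUCTION, "C-1001")
    test_after, n_test = purge_subject(test_copy, "C-1001", key)

    return {
        "distinct_customers_in_copy": len(orders_by_token),
        "orders_for_c1001_in_copy": orders_by_token[pseudonym("C-1001", key)],
        "email_leaked_into_copy": any("@" in r["email"] for r in test_copy),
        "purged_from_production": n_prod,
        "purged_from_test_copy": n_test,
        "records_remaining": len(prod_after) + len(test_after),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the example is operational rather than cryptographic: the key is the only link between token and person, so it has to be managed as a secret separate from the masked data, and an erasure request is only complete once the subject's rows are gone from every copy, which is why the purge step is run against both the production set and the masked test set.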
Of course, there’s a lot more involved with becoming fully GDPR compliant than we’ve been able to cover in this article. If you’d like to learn more, please view our webcast on Data Quality-Driven GDPR: Compliance with Confidence.