Survey Shows US CIOs Getting A GDPR Headache - InformationWeek


IT Leadership
02:00 PM
Marcin Grabinski, technical solution specialist, Compuware

US companies that don't have a presence in Europe still have to be sure that they comply with the EU's privacy laws regarding personally identifiable data.

The EU’s General Data Protection Regulation (GDPR) is now law, with full compliance mandated by May 2018. As the far-reaching impact of the GDPR sinks in, a recent Vanson Bourne survey of CIOs shows headaches ahead for many companies, including those based in the US.

That’s because any US company with European customers in its database must fully comply or face big fines. The survey, commissioned by Compuware, showed 52 percent of large US companies hold such personal information. Data management and compliance professionals need to mobilize now because, given the scope of the changes necessary, May 2018 isn’t really that far off.

There’s a lot of fine print in this law, but a major cause of concern involves how personally identifiable information (PII) is handled. The GDPR mandates that all companies must know exactly where every instance of someone’s personal information is located. However, 78 percent of CIOs surveyed admit it’s sometimes difficult to know exactly where all their customer data resides.

Simply finding this data doesn’t sound that challenging, right? However, the increasing complexity, quantity, and distributed nature of business data make it very difficult to discover every instance of a customer’s personal information across the enterprise. Under the law, organizations must not only comply when a customer invokes his or her “right to be forgotten” (asking for personal data to be deleted), but must also be able to demonstrate that they can comply. This will require organizations to shine a light on systems like mainframes, which continue to hold vast amounts of enterprise data.

Another major challenge involves limits on the use of personal customer data for a variety of business purposes. For example, the GDPR requires organizations to secure the explicit consent of customers to use personal data for purposes other than the service for which the customer has agreed. Eighty percent of survey respondents indicated they either don’t ask explicitly or aren’t sure if they ask customers for this consent. This alone will make them non-compliant.

This consent mandate creates a new hurdle for companies that conduct application testing using real production data. Such testing is widespread and offers significant benefits, including gaining the most realistic sense of how an application will "behave" or perform in the real world. Eighty-three percent of US respondents in the Vanson Bourne survey noted they use real customer data in testing processes for this reason.


However, there's an alternative approach to securing consent, and that is masking, or anonymizing, personal data before it is sent to QA teams or outsourcers. Currently, fewer than 40 percent of companies queried do this prior to using the data for application testing or analysis.

Not only does this type of masking help ensure GDPR compliance, it also helps organizations minimize the likelihood of a sensitive data leak during the testing process. This is especially critical for the 83% of respondents who share customer data with external resources to support testing.

Anonymizing here doesn’t mean disguising the data itself, but rather making it reasonably difficult to identify individuals. This is known as “pseudonymisation,” where it’s fine to use real customer names from the production database, as long as they are not linked to home addresses, date of birth, passport, license number, or any other identifying information.
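The masking step described above, as an added example that is not code from the article or from Compuware: a small Python routine that takes production customer records and produces the copy handed to QA. Following the article's description, it leaves the name in place but breaks the link to the other identifiers: the address is redacted, the date of birth is generalised to a year, and passport and licence numbers are replaced by keyed one-way tokens so that records still join consistently in test data but cannot be mapped back without the key, which stays in production. The records, field names and key are constructed for illustration; a `leaks_identifiers` release gate checks that no original identifier value survived into the masked copy.

```python
"""Pseudonymise customer records before they leave production for QA.

Hypothetical example code (not Compuware's tooling or the survey's method).
Assumes one flat dict per customer and a masking key that is held only in
production, so QA staff and outsourcers cannot re-link tokens to people.
"""
import copy
import hashlib
import hmac
import json

MASKING_KEY = b"example-key-held-only-in-production"  # constructed placeholder

# Constructed sample records; the people, addresses and numbers are invented.
PRODUCTION_RECORDS = [
    {"customer_id": 1001, "name": "Jane Doe",
     "home_address": "12 Example Street, Dublin 2",
     "date_of_birth": "1984-03-17", "passport_no": "P12345678",
     "licence_no": "DL-998877", "plan": "premium", "monthly_spend": 42.50},
    {"customer_id": 1002, "name": "John Roe",
     "home_address": "5 Sample Road, Lyon",
     "date_of_birth": "1991-11-02", "passport_no": "F87654321",
     "licence_no": "DL-112233", "plan": "basic", "monthly_spend": 9.99},
]

# Fields that, when linked to a name, identify a person (per the article).
LINKED_IDENTIFIERS = ("home_address", "date_of_birth", "passport_no", "licence_no")


def token(value: str, key: bytes, length: int = 12) -> str:
    """Keyed one-way token: the same input always yields the same token, so
    joins across test tables keep working, but it cannot be reversed without
    the key, which never leaves production."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def generalise_dob(dob: str) -> str:
    """Keep only the birth year (ISO date assumed); enough for age-band tests."""
    return dob[:4]


def pseudonymise_record(record: dict, key: bytes, keep_name: bool = True) -> dict:
    """Return a masked copy of one record; the production record is untouched."""
    out = copy.deepcopy(record)
    out["home_address"] = "REDACTED"
    out["date_of_birth"] = generalise_dob(record["date_of_birth"])
    out["passport_no"] = token(record["passport_no"], key)
    out["licence_no"] = token(record["licence_no"], key)
    if not keep_name:
        # Stricter mode: replace the name itself with a stable synthetic label.
        out["name"] = "customer-" + token(str(record["customer_id"]), key)
    return out


def pseudonymise_dataset(records: list, key: bytes, keep_name: bool = True) -> list:
    return [pseudonymise_record(r, key, keep_name) for r in records]


def leaks_identifiers(masked: list, originals: list) -> list:
    """Release gate run before the export is handed over: return
    (field, customer_id) pairs where an original identifier value still
    appears anywhere in the masked record. Empty list means clean."""
    leaks = []
    for orig, m in zip(originals, masked):
        serialised = json.dumps(m)
        for field in LINKED_IDENTIFIERS:
            if str(orig[field]) in serialised:
                leaks.append((field, orig["customer_id"]))
    return leaks


if __name__ == "__main__":
    test_copy = pseudonymise_dataset(PRODUCTION_RECORDS, MASKING_KEY)
    assert leaks_identifiers(test_copy, PRODUCTION_RECORDS) == [], "export blocked"
    for row in test_copy:
        print(json.dumps(row))
```

Whether keeping real names in the test copy clears the pseudonymisation bar for a given dataset is a judgement the data protection officer and counsel make, not the script, which is why name handling is a switch rather than a fixed choice; run the stricter `keep_name=False` mode when the export goes to an outsourcer. The gate only checks the fields it is told about, so it must be extended whenever a new identifying column reaches production.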

Other hurdles in the law include the hiring of a data protection officer, though it’s not clear whether this can be an existing staffer with other responsibilities. Then there’s the cumbersome requirement to include new obligations in contracts with outside data processors, who will have some mandates of the GDPR passed along to them.

GDPR will require major changes in the way customer data is handled and used, and many US firms need to take note. While it may seem like there’s much work ahead, a silver lining of GDPR is that in the long run, it will help organizations become better stewards of their customers’ sensitive data, avoiding unnecessary mishaps and engendering trust.

Marcin Grabinski is a technical solution specialist for Compuware.
