April 25th, 2018

As we noted in our first post about the European Union’s update to its 1995 Data Protection Directive — the General Data Protection Regulation (GDPR) — many CIOs in the United States are expecting to spend a million dollars or more to comply with GDPR. [1]

That is a serious budget, but a million dollars will not buy compliance on its own; it has to be spent wisely, and that means CIOs need a plan.

A scattershot approach will not help companies properly address GDPR, says Brett Hansen, vice president of client software and general manager of data security at Dell. He adds that GDPR compliance cannot be achieved using software alone. [2]

“I’m a technology vendor, so this is going to sound weird coming from me, but my first recommendation is to not immediately go and buy my cool software,” Hansen says. “Instead, my advice is to evaluate your environment, understand your risk and then set a strategy. That strategy cannot be created in a vacuum.”

Preparing for the GDPR: The Big Six

Dell Technologies has identified six high-risk obligations that organizations are likely to have to meet as they work toward GDPR compliance.

1. Record Keeping. Organizations must maintain records of their processing activities (including processing carried out on their behalf by any vendor they engage) and must document the data protection risk assessments they have undertaken.

2. Accountability Principle. Under the accountability principle, organizations must be able to demonstrate that they comply with the GDPR data protection principles, not merely assert that they do.

3. Data Retention. Retention limits are key to fair processing: personal data should not be retained for longer than necessary for the purposes for which it was collected or for which it will be further processed.

4. Data Minimization. Organizations should only collect and use data in a manner that is consistent with a legitimate business purpose and with the notice and choice provided to the data subject.

5. Data Security and Incident Management. Organizations must have appropriate technical and organizational security controls and procedures in place to protect the personal data they process, and must notify the relevant EU supervisory authority, and in some cases the affected individuals, in the event of a personal data breach. The regulation requires the supervisory authority to be notified without undue delay and, where feasible, within 72 hours of the organization becoming aware of the breach, and requires affected individuals to be notified when the breach is likely to result in a high risk to them. Incident response procedures therefore need to be able to detect, assess and escalate a breach within that window.

6. Data Subject Rights. Organizations must grant individuals the right to access, correct or erase their personal data upon request, and must respond to such a request within one month. The regulation allows that period to be extended by up to two further months where requests are complex or numerous, but the individual must be told of the extension, and the reasons for it, within the first month.

Dell Boomi, as one of the Dell Technologies group of companies, has used this framework to assess how its unified platform can assist organizations as they prepare for the GDPR. In the next blog, we’ll look in detail at how Dell Boomi with its Master Data Hub can help organizations address three of these six obligations: record keeping, accountability and data retention.

This was part two of a four-part series that examines the data management implications of GDPR. Check out part one, “Application and Data Integration Can Help Organizations Better Respond to GDPR Challenges.” In part three, we’ll learn more about the capabilities of Boomi Master Data Hub and how it can help organizations meet some of the major demands of high-risk GDPR obligations.

Footnotes

[1] “Pulse Survey: US Companies ramping up General Data Protection Regulation (GDPR) budgets,” PwC, GDPR Series, 2017; https://www.pwc.com/us/en/increasing-it effectiveness/publications/assets/pwc-gdpr-series-pulse-survey.pdf

[2] “Dell’s Brett Hansen outlines the road to GDPR compliance in the US,” Silicon Republic, Nov. 30, 2017; https://www.siliconrepublic.com/enterprise/brett-hansen-dell-gdpr