For some, it was a time of concern and even panic. The European Union's GDPR was coming, and companies were given the clear message: Make sure you follow privacy protection rules, or you could end up like Google – which was about to be fined a record $5 billion for violating EU antitrust regulations. GDPR had teeth, and it was set to bite anyone who pushed it.

In early 2018, firms had copious amounts of data on people stored on long-forgotten servers and databases. Properly known as the General Data Protection Regulation, the rules require that companies holding data on individuals grant them the right to data portability or erasure. Companies are also required to hire a dedicated data officer, and to notify customers almost immediately if there is a breach that leads to a leak of their data. Violators could be fined €20 million ($22 million), or 4 percent of annual global turnover – whichever is greater.

The regulations loomed especially large for data companies that relied on machine learning to gather data. They meant that these companies would need to be much more careful about their data collection, whereas many had previously engaged in massive, careless hoarding and sharing of data.

GDPR went into effect on May 25, 2018, so we've had more than a year to judge its impact. There's no doubt that the regulations have already had an impact on both consumers and businesses. In a nine-month summary of the effects of GDPR, the European Data Protection Board said that as of March, there were 206,326 complaints reported, with nearly 100,000 complaints relating to data privacy. GDPR supervisory agencies in 11 countries issued fines, totaling €55,955,871 (over $6.3 million).

EU watchdogs charged with ensuring the privacy of data have been working tirelessly to enforce the rules. Complaints – and fines – have spared few: among those found wanting under GDPR rules are large data companies like Google and Facebook, as well as smaller outfits. For example, a Norwegian municipality was fined €170,000 when local GDPR inspectors found a single file with login credentials for 35,000 students and employees in a public storage area.

It should be noted that the EU has been “going easy” on companies, giving them time to get up to speed on compliance. A year in, a survey by the International Association of Privacy Professionals (IAPP) shows that more than half of companies are still not GDPR-compliant – despite the billions spent to achieve compliance – while 20 percent said they did not believe full compliance was even possible.


To reach the level of compliance expected of them, companies need to bring out the “big guns”: in this case, tools that will help them automatically track the data movement process and find what they need in order to comply. One of the biggest vulnerabilities for companies is metadata – the labels used to classify information in databases and data storage systems. Under GDPR, if a company wants to erase specific personal information about an individual, it must ensure the information is erased everywhere, which is no easy feat.

For instance, when deleting a user’s credit card number, companies will have to look into every report, database, database object, and ETL where the information is stored. This usually requires intensive, extensive manual data mapping from business intelligence teams.

Business Intelligence teams must examine data manually, and it is often impossible to know where to look within the organization’s BI environment. The process can take weeks or even months of manual data mapping, which is prone to human error and inaccuracies.

Machine learning systems that examine the data sources would be far more efficient, especially given the pressure to comply with GDPR. New systems for automatically sorting, scanning, and classifying data will need to be put in place to match the shift in attitude regarding user data that GDPR requires. As technology advances and more data about users becomes available on a daily basis, the way companies handle that data will play an increasingly pivotal role in their reputation with customers and their legal standing. It is unrealistic to expect Business Intelligence teams to painstakingly seek out illegally stored data by hand, and to make that the basis of a company’s compliance. Implementation of systematic, automated data governance is long overdue.

GDPR is no longer “on the way.” It's here, and the enforcement and penalties that come with it are all too real. Companies that want to avoid those penalties need to get their data in order ASAP.

(Amnon Drori is the co-founder and CEO of Octopai)