A Roadmap for Managing Data for European Businesses

European companies are at the forefront of many of the trends driving the digital revolution – e-commerce, cloud, mobile, internet of things and so on. But they operate in some of the most highly regulated markets, with some of the world’s tightest laws around data protection.

Furthermore, new EU rules are being introduced around data protection and the governance of data that is transferred out of the continent. So how can IT leaders tackle the challenges of managing data in the hugely competitive European business environment?

Well-governed data
Well-governed, clean and identifiable data is essential for European businesses as compliance and data protection issues climb the corporate agenda due to increasing regulation for industry sectors.

However, many European firms are unprepared as data volumes grow unchecked, meaning they risk being hit by a “databerg”, with unseen dark data lurking below the surface, according to research by information management company Veritas.

In April 2016, the EU Parliament adopted the new General Data Protection Regulation (GDPR), which will reinforce and unify data protection for EU citizens as it replaces the previous directive.

Key changes introduced by GDPR include more rigorous requirements for obtaining consent for collecting personal data; the requirement to delete data not used for the purpose it was collected; notifying the EU government of data breaches within 72 hours of discovery; and the onus on firms handling large amounts of sensitive consumer data to appoint a data protection officer.

Boardrooms need to sit up and take notice because failure to be compliant can result in fines of up to €20m or 4% of global revenue.

Europe is also redefining transatlantic data flow with the EU-US Privacy Shield set to replace the Safe Harbour framework, offering more stringent data protection for citizens and requiring that European businesses know what personal information is stored where in the cloud to ensure privacy rights are not violated.

Again there are financial penalties for non-compliance as citizens can sue. These strengthened data safeguards mean European businesses and their cloud providers are obliged to uphold compliance standards as data sovereignty and transparency become essential to good practice and remaining competitive.

Meanwhile, businesses must continue to follow strict industry compliance rules: for example, PCI-DSS, which ensures credit card data security in the retail sector, and regulations ensuring the financial services industry is run with integrity.

Unfortunately, as Toby Stevens, director of Enterprise Privacy Group, and a fellow of BCS - the Chartered Institute of IT, points out, few organisations maintain a comprehensive record of both their information systems and the data they process.

“This is for the very good reason that it’s extremely difficult to track. For most, their processing environment is something that has evolved over time, and they’ve not mapped it as it has grown,” says Stevens.

If a European company is unable to identify the value, cost and risk of its data, it is in a vulnerable position from both a competitive and a compliance stance.

Dark data dangers
Veritas research reveals that many European businesses are on a collision course with a “databerg” because they cannot see and therefore manage the essential components of business critical data, obsolete data and the biggest threat of all – unseen dark data below the corporate waterline.

It is this dark data, constituting over half (54%) of all company information and containing a mixture of redundant, business critical and potentially non-compliant data, that poses the biggest risk to organisations because it is completely hidden.

In fact, the UK is the second worst offender in harbouring dark data with 59% of businesses’ stored data defined as dark, only behind Germany (66%), according to Veritas’s Databerg Report: See What Others Don’t, which interviewed 1,475 respondents in 14 countries to uncover how organisations across Europe, Middle East and Africa store and manage their data and the inherent risks of not meeting the growing challenge.

For the average European business, only 14% of the databerg is made up of critical data that is essential to the smooth running of the business, while storage costs are eaten up by redundant, obsolete and trivial (ROT) data, which constitutes nearly a third (32%) of organisational data.

Stevens says mapping company data is more important than ever because of cloud technologies which have revolutionised how organisations manage, access and treat data.

“This has become a particularly pressing issue in recent years as cloud computing has broken down organisational boundaries to the point that few organisations could tell you with absolute certainty what data they have or where it is physically located. In such a situation the organisation has no clear understanding of its risk exposure, and therefore no way to determine whether controls are appropriate,” he says.

If organisations actively aim to protect their critical data, securely delete their ROT data and work out what is critical and what is ROT by shining the light on their dark data, they stand to improve competitiveness, reduce storage costs, improve compliance and minimise risk.

Missed opportunities
The Veritas research highlights the need to eliminate costs of ROT data which are predicted to reach $891bn of avoidable storage and management costs by 2020 - and this figure does not account for the opportunity cost of wasted resource and management time which could have been invested in innovation and other growth activities.

Stevens recommends that organisations maintain robust controls over contracting processes and check the suitability of data processing partners.

He also recommends that employees’ use of cloud services is carefully enforced to prevent accidental data leaks, for example the uploading of company data to services such as Dropbox or Google.

“Given the introduction of GDPR which shifts liabilities back towards data controllers should something go wrong, and the ongoing uncertainty over the EU-US Privacy Shield, a responsible organisation should be reviewing its contractual position now, and renegotiating with partners where necessary,” says Stevens.

Organisations need to improve visibility, take action, reduce risk and regain control, which requires a cultural transformation in the company’s approach to data.

The prevailing attitude towards data revolves around strategy and budgets based solely on data volumes, not business value; the perception that cloud applications are somehow “free” with a dump-as-much-data-as-you-like attitude; and employees’ mistaken belief that corporate IT resources are free both for corporate and personal use.

Changing these false perceptions is a key step towards getting to grips with data and ensuring organisations harness the power of their information.
