We talk to Mathieu Gorge, CEO of Vigitrust, about key compliance issues that are on the horizon in 2019 and what organisations can do to ensure they are on the right side of the regulatory environment.
Antony Adshead: What changes can we look forward to in storage and compliance in 2019?
Mathieu Gorge: Well, first of all I think we need to understand that there’s going to be yet another data explosion with regard to the amount of data that individuals and organisations create in their daily business and daily routines.
If you look at the advance of connected devices and IoT [internet of things] devices and also the roll-outs of AI [artificial intelligence]-based solutions, we are creating more and more data at a very rapid pace. And so we need to be prepared for the creation of even more data than in the last few years.
The second thing is that if you look at GDPR, we can expect the first fines with regard to data protection, which is clearly linked to compliance and storage. We’ve already seen some fines in Germany, Austria and France. Some of them are already being challenged, but the underlying message here for 2019 is that you need to know what you’re doing with your data, therefore you need to know how you store the data, acquire the data and how you deal with the data from a technical and process perspective. So you need to take that into account.
We also need to look at what’s going to happen in Ireland with regard to GDPR because of all the US organisations, like Facebook and Google, that are based in Dublin and are being clearly monitored for what they are doing with data, how they store data, how they deal with data subjects’ requests and also with data breaches.
Finally, we ought to look at the California Consumer Privacy Act of 2018, which is coming into effect on 1 January 2020. This is like the California/US version of GDPR, which is dealing with the rights of consumers with regard to their data and access to it. Over the next 12 months, a number of organisations are going to look at how they get into compliance from the point of acquiring or creating the data, storing the data and making sure they’re in compliance. So this is one to watch in 2019.
Adshead: What should we do to address these changes in storage and compliance in 2019?
Gorge: As always, I would recommend that organisations map their data. What type of data do they acquire? Do they create data? Look at structured or unstructured data and then map all that data to the regulations that apply to them.
Once you have done that, you can decide who the data custodians are within your organisation. You also need to map out who might need to, or want to, get access to that data from a third party and how you can do that securely and in a compliant manner.
If you are subject to GDPR, you also need to appoint a data protection officer in most cases, and even if you’re not, you should make sure your chief compliance officers or chief legal officers or CSOs are looking at the data and have a plan to deal with any data subject request or data breach.
I’d also recommend that you look at integrated risk management solutions that allow you to take a dataset and the data flow and apply some risk measurement process to how they deal with the data, so they can map out the legal and operational and technical measures that they have taken to protect the data.
Training is obviously something that is a quick win. You can easily get training on GDPR and the California Consumer Privacy Act, and cyber security.
But you should also look at some new technology that can help you manage your data and map your data. So, there are some very good discovery tools for data, like Ground Labs, for instance. On the training side, you can of course look at Vigitrust. Then on the blockchain-based side, you should look out for any type of data vault organisation or solution. There are a few of them coming out in 2019.
So, from the technical perspective, there is going to be a choice of solutions, but to choose the right solution for your organisation, you need to map out your ecosystem and understand the regulations that apply, so that you store the data the right way and you can demonstrate compliance at all times.