Much is being said and written about GDPR, the General Data Protection Regulation, which will go into effect in our near future – May 2018. As a reminder, GDPR is the stringent data protection regulation put forth by the European Union Parliament with the aim of better protecting its citizens. Although it originated in the EU, its reach will extend far outside it – including to companies like my own, BMC Software.
As an executive leading our mainframe business, I not only need to help our products be ready to assist our customers with GDPR, I must aid my own organization to do so as well. To that end, I’ve tried to distill how to think about the requirements of meeting GDPR into simple terms. Hence the 3 P’s – Prepare, Plan, and Perform.
- Prepare – Learn, read, review, and begin to understand the requirements; learn where you have gaps, and where you are OK. Many organizations are unsure of how GDPR impacts them and are uncomfortable with the lack of clarity. Any personal data you have from an EU citizen is subject to this regulation. That means all EU customer data (marketing, transactional, etc.), on all platforms. There are 8 major sections of GDPR, so it’s important to really prepare. Current tools and processes will leave most organizations “out of compliance” and hard pressed to prove that they are “state of the art” or working to include “privacy by design”.
Don’t let yourselves be one of the 54% who haven’t done anything to prepare.
- Plan – This differs from preparation in that you are acting here: planning your attack strategy – evaluating new software, evaluating your own systems, what you have and what you need. Planning the resources that you’ll need – from processes and products that can help you, to personnel that you might need to train, cross-train, or onboard. This may include finding a person to take on the role of Data Protection Officer within your organization.
- Perform – Here is where you get into the meat of performing the new or augmented procedures that GDPR asks for: performing additional data privacy and protection steps, ensuring your systems of record and data are portable and deletable, and ensuring that the data processing your business relies on is safe and recoverable – all to the level of passing an audit. This is where the rubber hits the road, and it must be repeatable and provable.
I’m sure that there are many more applicable P’s – Protection, Privacy, Purpose, etc. – but we’ll stick with these three for now. Most organizations are still in the Prepare phase working to understand how GDPR will affect them and what steps will be necessary to make changes or prove that they won’t need to change. Your own data protection procedures might even be more stringent than GDPR, but you will need to check. As recent events show us, you won’t want to be included in a negative example of what not to do, like Equifax or Experian. These cases point out why good procedures, like those required by GDPR, can be so important.
To confidently build a strong GDPR posture, organizations must dig in, grapple with GDPR, move through the 3 P’s and start. There is no time like the present. May 2018 will be too late.
I hope that this helps you get started thinking about how you can ensure compliance with GDPR. BMC has robust Recovery Solutions for both the Db2 and IMS platforms that will enable customers to meet GDPR requirements. In fact, BMC has Backup and Recovery solutions for Db2 (z/OS and LUW), Informix, IMS, Oracle, SQL Server, and SAP Sybase.
For more information on how BMC is supporting our clients and their journey to GDPR preparedness, please see