GDPR Will Turn DBAs Into Superheroes
The world is awash with statistics about the General Data Protection Regulation (GDPR) and depending on who you believe, companies are either completely ready (this study says 72% of global businesses are confident of compliance) or there is still a large portion of companies who will not achieve compliance in time (Forrester suggests just under 25% of European firms are compliant). If your day job is looking after data, such statistics are probably leading to fatigue rather than helping, as you are perfectly aware of the implications for the personal data (PD) held by your organisation. It is difficult to estimate how much PD is stored on databases – I saw one estimate recently that suggested 70% - 80% of information on databases is PD – but for database administrators (DBAs) GDPR puts your role under the spotlight like never before. I have already highlighted the basic challenges that DBAs face, but I also believe this new regulation should be celebrated as a great opportunity to raise your profile and the role of the DBA.
Unlike Oracle’s Mark Hurd I don’t believe the growing complexity of the digital economy should mean all databases are automated at the expense of having experienced DBAs oversee data management strategies. On the contrary, the increasing importance of data suggests DBAs can play a much more central role in digital business strategies, thanks to GDPR. So, how will GDPR turn DBAs into superheroes?
Data has become essential to pretty much every organization as they deal with the challenges of digital transformation, but this is adding complexity. IDC and Seagate estimate there will be 163 zettabytes of data floating around in the digital business world by 2025. Even if organizations do believe they are compliant with GDPR, some research raises questions that existing strategies are papering over more serious issues around data governance. And this is the DBA’s opportunity to contribute significantly by treating GDPR not just as a regulatory requirement, but as the trigger for a much deeper examination of your company’s handling of data. Fundamentally, what GDPR really should be about is whether your organization has adopted good data governance policies and processes underpinned by the right culture. You should be challenging senior leaders to understand how their behavior affects good data governance and how changing the culture around data accountability will have far reaching benefits beyond GDPR compliance to building greater trust with customers and driving revenue opportunities.
So how do you test whether your organization is adopting good personal data management habits? There are three areas where DBAs can stress test the strengths and weaknesses of a company’s strategy to rescue the organization from the dangers within: data governance, data security, and data deduplications.
In the lead-up to the May 25th deadline there have been a lot of surveys examining the implications of GDPR. Most concerning is what they have revealed about good data governance practices. For example, one study by a law firm, Paul Hastings, highlighted that less than half (43%) of FTSE 350 and Fortune 500 companies have set up an internal GDPR task force and only 29% have actioned hiring a Data Protection Officer (DPO) - under article 37 of the regulations having an independent DPO is mandatory for certain situations. This could quite easily be an understandable confusion over the EU’s “legalese” or more worryingly be an institutionalized attitude towards the management of personal data. Dig deeper into the subject and there are signs that many organizations simply do not appreciate the importance of good data management. An international survey in December 2017 by Veritas Technologies suggested that 91% of respondents felt their companies lacked a culture of good data governance. A separate study by the Royal Mail in the UK said that nearly 23% of companies felt poor quality data was holding their businesses back. The point is that unless companies accept the importance and benefits of good data governance, not just for compliance but for the efficient operation of their businesses, they will struggle in the digital business era.
How large organizations deal with the security and protection of data is also very telling about their approach to data management. An article in the Harvard Business Review suggested that more than 70% of employees have access to information they should not, while another estimate calculated that 76% of all data breaches have been caused by the introduction of vulnerabilities by third parties. These are preventable vulnerabilities with a robust data management strategy, but because many organizations do not take a holistic approach to data security, such breaches happen time and again. If your company’s attitude to data protection is inherently flawed or even reckless, then it is very likely you will be one of the companies that regulators choose to make an example of.
The final telltale sign that your organization does not recognize the importance of data is if your peers do not understand GDPR is a compelling opportunity for a data spring cleaning. Large companies store far too much data, which often leads to redundancy that affects the accuracy of records. The same report in the Harvard Business Review suggests that, “less than half of an organization’s structured data is actively used in making decisions—and less than 1% of its unstructured data is analyzed or used at all.” GDPR should motivate businesses to drive out duplicate copies of information and “dark data,” as it is also an opportunity to drive savings. According to Veritas this is a serious issue, because 33% of a company’s data is considered redundant, obsolete, or trivial (ROT) and 52% is unclassified or “dark.”
Common sense suggests that combining best practice for data governance, security, and data deduplication is not just critical to effective GDPR strategies, but general good data management practices. If the theory is not enough to convince you, then you need to understand how GDPR is going to change your relationship with your customers. There have been a number of surveys asking consumers what they will do once the new laws are in place. Pegasystems revealed that European consumers will want direct control over their data post-implementation of GDPR and 89% will want to see the data that companies hold about them with the likelihood that many will request certain information be deleted. The right to access is a key part of GDPR and companies must be able to respond to requests for data erasure; an international survey by Clearswift recently revealed that only 34% of international businesses have successfully completed a data erasure request.
We all know about the potential fines for failure to comply with GDPR requirements, but more importantly bad data management practices will have a lasting impact on relationships with consumers. The Pegasystems survey suggested that the retail industry was the least likely to be trusted by consumers with personal information. This is understandable when you look at the Thales Data Threat Report, which estimates two in five retailers worldwide have experienced a data breach in the last year. In an article about the research Thales outlined a stark warning for companies who fail to demonstrate competent data management strategies. If organizations failed to demonstrate compliance the majority of consumers would consider reporting them to the relevant industry body or even take legal action. In such a breakdown of trust companies could see lasting damage done to their brands and revenue streams. GDPR could also have an effect on the internal operations of companies. The Clearswift research revealed 48% of businesses believed dealing with requests for information could slow down their productivity.
Therefore, it is time that DBAs around the world don their superhero capes once more and take charge of their organisations’ GDPR initiatives. Frankly, they have little other choice. The International Association of Privacy Professionals (IAPP) has claimed that the US and Europe requires 28,000 data protection officers to manage GDPR, which will mean demand for talent will likely outstrip supply for some time to come. DBAs have the right skills and understanding of data to step into the breach. There is a lot of emphasis being placed on privacy by design, which is clearly harder for long established companies compared with start-ups, who can build their data management infrastructures from the ground up without the baggage of legacy systems. Obviously, data management strategies should be based on privacy by design, but this is something that organizations will have to put in place over time.
In the interim, DBAs must be advising senior leaders in their businesses on best practices for good data governance, data security, and data wastage. Whatever your superhero skill, now is the time to apply it, because your business needs you. My colleague, Ken Rugg, has gone into how the role of the DBA is changing in a March 2018 Gartner presentation, but all DBAs should realize that their intricate understanding of how data is stored, managed, and retrieved will be crucial to the long-term health of their company’s data management strategies.
Marc Linster, Ph.D., is Senior Vice President of Product Development at EnterpriseDB.