The 7 Stage Journey to GDPR Compliance

By Todd McQueston, Nuix

The risk of GDPR non-compliance includes reduced company profitability and earnings per share, as well as the loss of customer trust, even for businesses that are not ‘caught’ and fined by the regulatory authorities.

KPMG recently released a study stating that half of companies worldwide are not ready for the data privacy governance and procedural follow-up required by GDPR.

Yet, the companies following and supporting best practices around data management, information governance, policy management, and data privacy procedures will ultimately save time, energy, and money when adding GDPR compliance to their infrastructure.

Nuix views GDPR as an opportunity for companies to do what’s right with the data collected, processed, and stored. GDPR regulations require specific procedures to be followed, such as notification of data breaches along with responding to subject access requests and an individual’s right to be forgotten. By taking care of customers’ data, you not only protect their privacy in a meaningful way, but also give yourself a greater competitive advantage by understanding your data assets more deeply, protecting them more effectively, and deriving intelligence from them more easily.

Approach with a Plan

No single solution exists to guarantee GDPR compliance—no matter what you’ve been told. Nuix has defined a seven-stage process that highlights where people, process, and technology need to come together to support the business.

We previously discussed the three high-level categories for this staged approach: identify, manage, and monitor. Within these categories sit the following seven process flow stages.

Identify Personal Data Patterns

A strong plan begins with an honest, evidence-based assessment of the situation. It’s important to review your data privacy policies and ensure that they match your obligations under GDPR. With this information in hand, you can then develop search rules to guide your response to subject access requests and right to be forgotten enquiries. Our clients use Nuix to scan sample data sets for PII and prepare search patterns across a multitude of data sets and languages.

Develop a Data Map

From reviewing the initial identification tests, you can then progress to mapping your entire environment to identify and classify data repositories that contain personal data. Personal data can be anywhere, including endpoints, third-party systems, mobile devices, and network or cloud storage services. It can also come in virtually any format, with the variety of data types increasing seemingly every day.

Creating and maintaining a detailed data map not only empowers your GDPR efforts, it also yields significant business benefits in the areas of eDiscovery, cybersecurity, RIM (records and information management), fraud, and even IT efficiency. It lets you know where your risky data is, and where it isn’t.

Conduct an Information Audit

With a data map in hand, processing your data repositories and determining what needs to be indexed is the foundation of best practice compliance. While processing, your organization should prioritize each data set according to the inherent risk it poses. Nuix search and review capabilities will help you get a handle on your data, taking a staged approach that factors in risk, urgency, availability, and the size of your data sets.

Perform Scope Assessment

Once your data is processed during the information audit, you can use it to understand the scope of work you’ll need to accomplish as part of your GDPR action plan. This assessment will involve investigating and remediating non-compliant repositories or groups of data, as well as building practical procedures to answer subject access requests and right to be forgotten enquiries.

Apply Remediation

Once you have a firm action plan to update processes, people, and technology, implementing that plan to ensure that you can quickly respond to GDPR requirements is key. Using Nuix, the remediation process is focused on cleaning up your data, removing personal data when its value has expired, and assigning ownership and permissions to the records and systems within your enterprise.

You’ll also communicate procedure changes within the enterprise during this step, re-verify and document the consent of your customers to hold their data, and plan ahead for periodic audits of new information using delta indexing (indexing only the new records and leaving everything else alone).

React, Respond, and Report

The operational side of GDPR requires you to answer requests about consumers’ data without delay and with full confidence that your responses are comprehensive. Nuix software drives your ability to do just that, providing you with a platform you can use to answer subject access and right to be forgotten requests from your customers, answer regulatory inquiries, inform senior management and the board on activity, and report data breaches under the provisions of GDPR.

Monitor and Protect

Privacy best practice requires more than just responding to events or requests. Nuix can provide an endpoint detection solution that incorporates active monitoring and protection of your data environment.

In addition, you can use the Nuix engine from the previous steps to audit new incoming information on an ongoing basis, ensuring you have the latest data at your disposal when responding to GDPR compliance needs.

Regulation to Opportunity

Data privacy regulations like GDPR represent an opportunity for organizations like yours to build a true competitive advantage and do the right thing for your customers. Much of the dialog around GDPR has been focused on the possibility of punishment by way of significant fines; we’d like to focus on the positive implications of doing information governance ‘right’.

The key differentiators for Nuix, speed and complete understanding of a wide range of data types, make it the ideal solution to power your GDPR program, from initial planning to active protection. Following the Nuix seven-stage approach to GDPR and building an ‘always-on’ capability will help realize that ultimate goal.

Todd McQueston currently leads strategic marketing for Nuix eDiscovery, Information Governance, Risk Management and Compliance solutions. Before coming to Nuix, he led the clinical-decision support division at a major healthcare content vendor and built the marketing and sales operations department for a privately-funded big-data analytics company.