If you work in an organisation that stores customer records, login information, patient names, asset balances, national insurance numbers, loyalty programme details, passwords, credit card information or any other personal data, you will need to comply with the new EU data regulation, and if your company has more than 250 employees, it’ll also need to appoint a data protection officer to ensure compliance.
The regulation is currently being considered by the European Commission, which recently announced that it is progressing at ‘full speed’. The aim of the laws is to protect personal information and create a single set of rules adhered to by companies in 27 EU countries and by foreign firms handling personal data of EU citizens. Whilst the EU claims that the regulation will make European businesses more competitive with the rest of the world, some of the unintended consequences may do just the opposite.
There are many aspects of this regulation that businesses will need to address, from preventing data breaches and setting up processes for notifying authorities when they happen, to enabling customers to request that their data is transferred from one service provider to another.
Companies will also need to make sure that personal information doesn’t get into the hands of employees or third parties that shouldn’t have access to it. On the face of it, this is a harmless and understandable requirement, but the need to protect personal data as it moves within an organisation may have serious consequences for companies that are not prepared for it.
In today’s world most companies rely on data to run their business and on copies of their databases to keep it moving. There are on average 8-10 copies of each live database. One copy might be used for testing of a new product, another for running business intelligence on recent sales data, whilst others are used for backups, training or disaster recovery. Personal information is often included in these large data sets and in all their copies.
So what’s the big deal? Once the regulation is in place, companies will have to mask any personal information that is shared across an organisation with those who shouldn’t see it. That means masking it not only in the original database, but also every time a copy of the data is made and every time a refresh is required.
With IT’s limited resources, the new practice may lead to long delays in making copies of data available, and in some companies IT may reject incoming requests from other departments entirely. Developers won’t be able to get the databases they need as frequently, business intelligence will be run on old data sets and testing will be cut down, potentially leading to more bugs as a result. The pace at which a company moves would slow as it gets bogged down by the new data masking requirements.
Some new technologies, such as database virtualisation, are already helping companies address these concerns by creating virtual rather than physical databases. When a virtual copy is made, it retains the characteristics of the original database, including the masking of data, saving IT the time and resources that would otherwise be spent on masking each individual copy.
Once the regulation is implemented, unprepared IT departments will find themselves masking data rather than helping to drive the business. There is still time to make sure that the EU regulation doesn’t make your firm less competitive, but it’s quickly running out. Don’t get caught out.