GDPR Compliance On IBM i A Work In Progress, Survey Finds
August 20, 2018 Alex Woodie
About 50 percent of IBM i shops say they’re compliant with the European Union’s General Data Protection Regulation (GDPR), according to a recent survey by SoftLanding Systems. However, about a quarter of survey respondents say they have a way to go before they’re confident in their GDPR preparedness, the IBM i vendor says.
GDPR, which went into effect on May 25, made big changes to laws governing how companies and other organizations are allowed to collect, process, and store data about European Union citizens. While not every American firm is required to adhere to GDPR, those that do business with EU citizens must comply with the law or face fines that potentially reach 4 percent of the company’s annual revenue per incident.
To gauge how far along IBM i shops are with their GDPR remediation efforts, SoftLanding Systems asked 46 IBM i professionals a series of GDPR-related questions during surveys conducted at two recent IBM i conferences: COMMON’s POWERUp18 in May and i-UG’s International i-Power 2018 this June. While the sample size may leave something to be desired for those who desire statistical purity, the results, which SoftLanding published earlier this month, give some indication of the general direction that things are going with regard to GDPR compliance.
In general, the SoftLanding survey results indicate what we would expect to see at this time – that GDPR remediation efforts are a mixed bag during the earliest stage of GDPR adoption.
Here are the high-level findings from the report:
- Only 2 percent of survey respondents say they are “completely confident” in GDPR remediation efforts.
- 26 percent say they’re not confident in their company’s GDPR compliance.
- 17 percent say they’re not affected by GDPR.
- 7 percent say they don’t know how compliant they are.
The elevated level of uncertainty around GDPR should shock nobody, SoftLanding Operations Manager Jim Fisher says. “While the GDPR officially came into effect at the end of May, it’s no surprise that some enterprises are still unsure about compliance,” Fisher states in a press release. “Achieving GDPR compliance can be onerous and will initially require continuous reviewing and testing of processes around the transparency and privacy of personal data.”
The GDPR is a complex beast that completely changes the relationship that companies have with data. The changes arguably are the most drastic for companies in the United States, where an “anything goes” attitude has given the big Web giants a blank check to do just about whatever they want with data.
It can be a very challenging endeavor to get a handle on the GDPR and to comply with the various new legal rights that it gives EU citizens, including the right to be informed, the right of data access, the right to rectification, and the right to erasure, among various other new GDPR-granted data rights.
In its survey, SoftLanding sought clarity on which aspects of GDPR were causing IBM i shops the most grief. The biggest GDPR-induced pain point is understanding where personal data resides in the business, with 50 percent of respondents saying that’s a problem.
While it would be relatively easy to build controls for data stored in Db2 for i, the reality is that just a small portion of the personal data that falls under GDPR jurisdiction is stored in the relational database, Fisher says.
“The majority [of data] is spread around the organization in a wide range of unstructured formats – such as documents, voice recordings, chat logs, social media, texts, and emails,” he says. “These are stored in diverse locations, controlled by separate business departments and therefore are very difficult to pull together.”
Another 41 percent of SoftLanding survey respondents cited the difficulty of having systems in place to “flag up” potential data breaches as a big challenge, followed by 35 percent saying the GDPR’s right to erasure was the biggest problem. Ensuring good data security, gaining the needed “consents” to store personal data, and having a process in place to respond to GDPR-related requests also got votes in the survey.
Because most of GDPR revolves around personal data, getting a handle on the systems that store that personal data is job number one. Fisher says that having an enterprise content management (ECM) strategy could be a boon for IBM i shops struggling with GDPR compliance.
“The key advantage I see is that ECM becomes a strategic enabler, not only in satisfying compliance needs, but also in providing a non-intrusive digital transformation framework for the IBM i platform,” Fisher states.