4 minute read 26 Apr 2018
man checking tablet dark server room

GDPR compliance: how data analytics can help

By

Andrew Gordon

EY Global Forensic & Integrity Services Leader

Global Forensics Leader focusing on helping organizations build their integrity agenda so they better anticipate and mitigate risk.

4 minute read 26 Apr 2018

Show resources

Can advanced analytics help organizations make the transition to a new era of data privacy and protection?

The arrival of the EU General Data Protection Regulation (GDPR) on 25 May 2018 ushered in a whole new era in global data protection and privacy, with a diverse range of new rules and regulations that apply to any company that handles the data of any EU data subject. It’s important to note that this doesn’t just cover EU-registered companies; any business that deals with EU customers is affected.

The rules include restrictions on processing and sharing the data of EU residents and the requirement to notify relevant government regulators or agencies within 72 hours of a privacy breach. The GDPR grants data subjects several core rights to access and control their data (i.e., “right to be forgotten”). Violating these rules could expose companies to substantial fines — up to 4% of a company’s total global turnover or a flat €20 million fine, depending on whichever is higher.

The GDPR, and other data-related legislations, including China’s Cybersecurity Law, Australia’s Privacy Amendment Act and South Africa’s Electronic Communications and Transactions Act, will transform the global landscape of data protection and privacy. Organizations across all sectors will need to keep pace with the rapidly changing regulatory landscape.

It may come as a surprise, then, that only 33% of respondents to EY’s 2018 Global Forensic Data Analytics Survey said they had a plan for the GDPR. A further 39% said that they had no idea what the GDPR was. With the new regulation coming into force in just a few weeks, it is clear that urgent action is required.

Can forensic data analytics (FDA) help?

What is FDA?

Today’s businesses are drowning in data — it permeates everything, from customer records, to logistics networks, to internal IT systems. In just a single hour, a major company can generate millions of transactional records. IDC forecasts by 2025 the global datasphere will grow to 163 zettabytes (that is a trillion gigabytes).1 “Another way of thinking about it is that if you took every book ever printed throughout history (estimated at about 130 million individual titles), today we produce that same amount of content almost 1,000 times every second, or 80 million times per day!”

If staying on top of this ever-growing universe of data isn’t sufficiently demanding, external factors can appear — such as litigation or new regulation — that require companies to know exactly where the data being requested can be found. There’s a story about needles and haystacks that jumps to mind.

Here’s where FDA comes in: by querying and analyzing structured and unstructured data, FDA helps companies identify patterns of data, or information deduced from multiple data sources, that deserve closer attention for risk control purposes such as compliance monitoring. Advanced FDA technologies can enable companies to scan the entire relevant data set, instead of having to rely on sampling that may not always give you the complete information.

For instance, a company that suspects it has been the subject of insider sabotage could apply FDA tools across multiple sets of data, such as network access logs. Management can then initiate investigative procedures if the analysis identifies suspicious patterns.

Think of it as a sieve that can sift through huge troves of data and give managers what they need to do their jobs in a timely and precise manner.

How can FDA help with GDPR?

Since the GDPR is concerned primarily with the privacy and protection of resident data, then responding to it is a data governance issue — and FDA is, at heart, a data governance tool. Knowing where that resident data is located, who has access to it, how it is protected and how it has been used is essential for enacting compliance measures. FDA helps governance functions achieve this. Keeping track of the origination of data, how long it needs to be archived, what usage is applied to it and how it gets erased are also key privacy goals that FDA can help facilitate.

EY’s survey reveals that companies are beginning to get serious about this, with 42% saying that they believe that data protection and privacy regulations will have a significant impact on the design or use of FDA. And more than half of those surveyed (52%) indicated that they are in the process of analyzing which FDA tools can assist them with achieving compliance.

Of course, it’s also important to note that regulations like the GDPR are so far-reaching in their scope that performing FDA analysis, if not done appropriately, could itself constitute a violation of data privacy rules. It goes to show how complex this field is and how important a mature data management and governance strategy is at effectively hitting compliance targets.

Before applying an FDA strategy to a business problem, companies should carry out a data privacy risk assessment. This will ensure that compliance risks are being managed and appropriate mitigation is put in place to get the best value out of FDA without it becoming a liability rather than a competitive edge.

For more information and insights into FDA and how it can be effectively applied within organizations — both for regulatory compliance and other issues related to data protection and privacy — download the full report here.

Summary

FDA can help organizations comply with GDPR. But they need to carry out a data privacy risk assessment before implementing it, so that it is a competitive edge as opposed to a liability.

About this article

By

Andrew Gordon

EY Global Forensic & Integrity Services Leader

Global Forensics Leader focusing on helping organizations build their integrity agenda so they better anticipate and mitigate risk.