The European Union’s General Data Protection Regulation (GDPR) is the most important change in data privacy regulations in 20 years.

Developed to protect all EU citizens from privacy compromises and data breaches, it applies to all companies that conduct business with EU residents whether they have a physical presence in the EU, or are located outside Europe, but still market to EU residents. For example, any US company conducting business with EU residents, even if only online, is subject to the GDPR.


The regulation assigns significant protection responsibilities on companies. It requires them – on pain of severe financial penalty (€20 million/$23.5 million or 4 percent of total global revenue, whichever is larger) and/or criminal charges – to be vehemently proactive in safeguarding consumers’ privacy and keeping their data intact. The GDPR has mandated a new security leadership role: The Data Protection Officer (DPO) required by every company to ensure compliance, including the creation of a Supervisory Authority specific to each EU country.

The GDPR is not just another run-of-the-mill privacy regulation

The burdens it places on companies are significant.  Merely being vigilant about security isn’t good enough. Addressing lax safeguards only after a breach simply won’t be tolerated. A drastic shift from past regulation is the requirement for the DPO to report any suspected data breaches within 72 hours, an enormous change in transparency from current requirements and subjecting them to significant reputational risk.

Companies need to implement stringent protection regimes now, to prevent breaches from happening in the first place; and put in place the ability to quickly remove personal data upon request to meet such requirements as the GDPR’s ‘Right To Be Forgotten’. That’s a fundamental reversal of the way things have worked until now.

Time is not in great abundance

Any company with customers in the EU’s jurisdiction must be compliant by 25 May 2018, a deadline that appears to be immutable. Companies need to put protections around personal data in place now. But what does that really mean?


You can’t protect data that you’re not managing.  And you can’t manage data that is partially or completely undocumented. Data that is burrowed away in siloed, legacy systems – the developers of which may no longer work for the company – is notoriously difficult to inventory, manage and protect.  Even if you can inventory those systems, how will you discover the data and data flows within them and correlate it with its counterparts in systems used with greater regularity?

If you try to do that through metadata only, you will fail because you are working with incomplete data. If you try to do it manually, you will likely fail again because most companies lack the subject matter experts who have the required knowledge to reverse engineer your undocumented systems. In either case, you will almost certainly run out of time.


Automated detection and discovery of data relationships is critical to documenting, understanding and managing your data, and thus in protecting it. You need technology purpose-built for these tasks, that use artificial intelligence to carry out the work on the array of systems you have, in a fashion that is scalable and which learns and improves, the more systems it audits. With Io-Tahoe, that’s precisely what you get.

Request a demo

Get a personalized demo from one of our Io-Tahoe experts