GDPR (the General Data Protection Regulation) became enforceable on 25th May 2018, and many companies that had delayed their focus on the matter have suddenly woken up to the subject. They have found that, rather than just being a matter of declaring compliance, rearranging and protecting data differently and making declarations to the people whose data they hold, there are much wider considerations.
In interviews and conversations with a number of multinational companies, the general opinion was that GDPR is an exercise in legal compliance. As a result the lawyers have been engaged and have focused very much on making sure the right statements are made and the right options are available to the people concerned. This is undoubtedly a good approach. It is, however, only part of the story! What about the operation of handling and storing the data itself: are your processes and your technology landscape compliant? And what if someone wants access to their data? How easy would that be? The technology considerations are complex and involved. The network, and the location of software, hardware and databases, need to be considered very carefully, and the processing of the data through the various applications needs to be reviewed and the documentation amended where necessary.
Anyone who has been through a process audit (ISO, SAS, SSAE etc.) knows that, although complex in nature, the results are pretty consistent and the audit can be straightforward. Do you have a policy? When was it last reviewed? Is it fit for purpose? Can you prove it? Tick, tick, tick. Audit over! The penalties for non-compliance are often not immediately significant, and the opportunity to review and correct the gap is usually offered.
With GDPR we are not only talking about ensuring process compliance. The protection of personal data is at stake. The consequences and penalties for something going wrong with that protection are huge, for both the consumer and the organisation!
Personal data is used and held in so many different ways that understanding what it is, how it's stored and how it's used can be a minefield. Many companies reviewing GDPR have focused on a very narrow scope, looking at the main sets of data and the main storage points, and often ignoring the process of handling and using the data. But what about further, extended storage and usage? Not many companies work with one single source database for every possible piece of data. If you do, then the task becomes much easier. But what about extended systems? Further internal applications? Cloud applications? Vendor applications? Membership sites? Partner applications?
We will give one example of where GDPR could cause major issues. The regulation gives individuals the right to request access to the personal data held about them, to receive a copy of it, and (subject to conditions) to have it erased. You have one month to respond to such a request, extendable by up to two further months where requests are complex or numerous. Can you honestly say you would be able to execute immediately? How long would it take you to identify every piece of data, every storage point and every processing point? How confident could you be of doing this with 100% accuracy? Could you isolate the data quickly? Extract it? Safely destroy it? And could you be confident you had reached all of it? There will always be that one spreadsheet on a laptop somewhere that lies dormant.
The market is saturated with "GDPR compliant" solutions, many of them much the same as the last one, dealing with the superficial issues and not the root cause. We should therefore be sceptical about "one size fits all" solutions to GDPR compliance. In the short term they may work; however, as the authorities get to grips with the regulation, their audits and investigations will get deeper and more detailed. After all, the protection of personal data is at stake!
The response to GDPR therefore needs to consider not just the storage of personal data, but also the possible deployment of new technologies, and the reorganisation of the data in a way that helps you identify, track and delete records when required. Most of all, it means you need a conscious awareness of, and control over, data storage and processing. If you don't get this right, many hours could be burned in trying to respond to requests or audits. This could paralyse your organisation!
So let us sit back and consider….
Have we spent all of our GDPR budget on legal requirements and assessments?
How will we address the technology requirements needed to meet the regulation and remain compliant?
We believe a good strategy for meeting the new regulation would be a combination of the following:
- Complete the legal exercise to tick the initial boxes and ensure you have compliant policies.
- Review your current technology footprint so that you gain greater control over the storage and processing of personal data. It is hard to believe that no technology investment will be needed, so allocate enough funds from the IT budget.
- Implement a policy of continuous review, amend, deploy and teach, to ensure you keep pace with what will surely be an evolving regulation in the coming months and years.
- Engage the experts to address the gaps effectively.