Data of any kind is one of the most important assets any organisation holds, and for businesses and organisations facing the May 2018 deadline for compliance with the EU General Data Protection Regulation (GDPR), organising and managing their data is more critical than ever before.
This is because the GDPR places more obligation on organisations to ensure that personal data is used legally and transparently. It also fundamentally changes the relationship that individuals have with those organisations with whom they interact in terms of their personal data and places more emphasis on the rights of data subjects.
The compliance process should also shine a light onto the nature of an organisation’s business processes and practices around data.
This article will discuss some of the technology areas affected by GDPR and offer some tips for getting started on the road to compliance with the GDPR.
It will therefore be important for organisations to be able to document what Personal Data they hold, where it is, what its source was, why they are holding it, how long it will be retained, how it is used, who has access to it and how it is shared, both internally and externally.
In its 12-step guidance, the UK Information Commissioner's Office suggests that an organisation might need to conduct an information audit of existing systems that hold Personal Data as an early step towards compliance.
For larger organisations that use many different computer systems and applications to process Personal Data, completing this task could present a significant challenge in itself.
However, if this is the first time an organisation has considered compiling an enterprise-wide data glossary and data lineage solution, there are a number of potential solutions which can help.
These include traditional Information or Business Glossary, Enterprise Data Governance, Data Lineage and Metadata Management solutions from vendors such as ASG, Adaptive and IBM. Most of these will scan existing applications for source metadata and bring that into a repository for further analysis and to determine data lineage between systems.
There are also specialist products such as Safyr® from Silwood Technology, which performs metadata discovery and analysis on packaged ERP or CRM solutions from vendors including SAP, Salesforce, Oracle and Microsoft; these packaged systems present a particular challenge when it comes to finding the source of Personal Data.
Other vendors, such as Informatica, have proposed a data-lake-based approach to storing personal data information.
Following on from that, there are likely to be requirements to profile and check the quality of Personal Data held in order to be able to identify where improvements in data processing procedures are required.
What about unstructured data?
According to Gartner, more than 80% of the information stored by organisations today is classified as unstructured. This includes email, files, photographs, reports, documents and more. Much of this is likely to include some form of Personal Data which would allow identification of data subjects, whether they are customers, business partners or employees.
Under the GDPR, organisations must know where this information resides and must be able to apply the rules on Privacy, Consent and the Rights of Data Subjects to it, just as they do for structured data.
Get it right: Privacy, consent and the rights of data subjects
As well as recording their Privacy and Consent documentation to ensure compliance with the GDPR, organisations will need to ensure that existing systems are updated and revised to cater for these additional requirements.
For example, they will need to assess which customer- or employee-facing systems need to be amended to reflect revised Privacy Notices, and ensure that the work has been completed and approved.
The GDPR makes the concept of consent by the data subject clearer. Pre-ticked boxes, silence or inactivity by the Data Subject can no longer be considered as constituting consent to have personal data processed. Also, consent cannot be conditional on signing up for another service. This means that Data Subjects must be informed as to the details of what happens to their data if consent is granted.
Systems may have to be re-engineered or enhanced to satisfy the need to record when and how consent was granted, and also when it may subsequently have been withdrawn. This is critical to halt processing of Personal Data when consent has been withdrawn and to be able to demonstrate compliance.
There is also the requirement to comply with the rights of the data subjects. For example, the data subject has the right of access so she can request to know what data is held about her, where it was acquired, what is done with it etc. The organisation’s data controller must be able to respond with this information quickly and accurately.
Other examples are the right to rectification and the right to erasure. As well as needing to comply internally, both of these would also require the data controller to forward the request to other data processors with whom that personal data has been shared.
The data subject also has the right to data portability, which requires the data controller to give the data subject his or her information in a commonly used, structured and machine-readable format.
The cost and effort required to achieve this is considerable, unless some form of information glossary and appropriate processes are in place to support these requests, especially when unstructured data is to be included.
Benefits of good data strategies
Developing an improved reputation and better brand awareness by having transparent, effective and trustworthy strategies for processing customer data is highly desirable, and is likely to increase customer loyalty.
According to a 2016 FireEye report, 76% of respondents indicated that they would be more likely to seek alternative suppliers if they become aware that a supplier had ineffective data processing and security procedures.
The GDPR will encourage organisations to more actively improve the quality of the data they hold about their customers, which could have a direct benefit in reducing the costs associated with poor data quality – estimated by The Royal Mail to cost businesses about 7% of annual revenue.
Getting your house in order for GDPR compliance
If you haven’t started, it is important to do so rapidly. Initial steps should include:
● Read the relevant legislation or identify trusted sources of information about the GDPR to identify how it applies to your organisation.
● Gain executive sponsorship for a compliance program and raise corporate awareness of the importance of data and data management for the GDPR.
● Appoint Data Controllers and Data Protection Officers as appropriate.
● Ensure that changes to Data Privacy and Consent policies are implemented and documented. The Privacy notice should include the lawful basis for your processing activities. It is also critical to ensure that the appropriate consent has been obtained for minors, so that any processing of Personal Data for children under the age of 13 is legal.
● Undertake an information audit and also ensure that processes are in place to cover the Rights of Data Subjects such as the Right of Access and the Right of Erasure.
● Ensure that procedures are in place to detect data breaches and then notify the relevant authorities as well as Data Subjects affected in a timely fashion.
● Assess when and how to introduce Data Protection Impact Assessments.
Sourced by Roland Bullivant, sales director, Silwood Technology Limited