The General Data Protection Regulation has been in place since May 2018, and the business of data management will never be the same again. GDPR has its genesis in data protection laws dating back to 1948, and is firmly built upon human rights principles. I mention this because complying with GDPR is not a stale business process or box-ticking exercise. Organisations must take it seriously and it needs to become part of their DNA.
One of the constant themes running through GDPR is that an organisation must “demonstrate compliance”. This can be difficult to achieve successfully due to the complex work required to address the various obligations. For example, one of the tasks facing organisations is Data Subject Access Requests (DSARs, or SARs). At any time, data subjects (your customers as well as your employees) can request a copy of their data in a portable format, or for it to be erased from all your systems, or even just for a list of what data you may have on record for them and how it is processed.
GDPR broadens the scope for data processing
It is worth noting here that the term “processing” under GDPR is broader than before – Article 4(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
In order to comply, this can often mean first having a deep understanding of where all the data is, then collating it, and acting upon each request. To guarantee the outcome, a senior member of staff or fee-earner may have to work on this, possibly for weeks at a time. While this may seem like an overstatement, challenge yourself to work through the mechanics of a “right to be forgotten” request, where every record would need to be permanently removed, or of a request for a portable copy of all data held on a data subject.
In order to comply with a Subject Access Request…
· …would you know where all the relevant data was stored?
· …could you guarantee that it was the only copy of the data?
· …how would you collate it?
Bear in mind that a failure to fully comply can result in significant financial penalties, as well as reputational damage and the cost of a remediation project.
The other factor to consider is data which is stored in a backup. While GDPR is principally concerned with “live” data, if you find yourself in the unfortunate situation of requiring a significant restore of data, that restore will undo any GDPR-driven changes (erasures, for example) made after the backup was taken, so your immediate next step is to re-apply them. That’s not ideal if you’re working to resolve a major disaster recovery event.
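The backup problem above is easiest to see in code. The following is an added example, not part of the original post and not any vendor’s product: it keeps an append-only erasure ledger outside the backed-up database, records a keyed hash of the subject identifier rather than the identifier itself, and replays every erasure that post-dates the restored snapshot. The customer table, the timestamps and the pepper are all constructed for the example.

```python
"""Replay fulfilled erasure requests after a backup restore (constructed example)."""
from __future__ import annotations

import copy
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def subject_key(email: str) -> str:
    """Keyed hash of a normalised identifier, so the ledger itself does not
    retain personal data once the subject has been erased. The pepper is a
    constructed constant here; a real deployment would fetch it from a secrets store."""
    pepper = b"constructed-example-pepper"
    return hashlib.sha256(pepper + email.strip().lower().encode()).hexdigest()


@dataclass
class ErasureRecord:
    subject_key: str          # hash only, never the raw e-mail address
    requested_at: datetime
    reason: str = "Art. 17 erasure request"


@dataclass
class ErasureLedger:
    """Append-only record of fulfilled erasures, stored separately from the
    database so it survives a restore of that database."""
    records: list[ErasureRecord] = field(default_factory=list)

    def record(self, email: str, when: datetime) -> None:
        self.records.append(ErasureRecord(subject_key(email), when))

    def pending_since(self, backup_taken_at: datetime) -> list[ErasureRecord]:
        """Erasures the restored snapshot cannot know about."""
        return [r for r in self.records if r.requested_at > backup_taken_at]


def _delete_by_key(db: dict[str, dict], key: str) -> int:
    """Delete every row whose normalised identifier hashes to `key`; returns the count."""
    doomed = [rid for rid, row in db.items() if subject_key(row["email"]) == key]
    for rid in doomed:
        del db[rid]
    return len(doomed)


def erase_subject(db: dict[str, dict], email: str) -> int:
    return _delete_by_key(db, subject_key(email))


def replay_after_restore(db: dict[str, dict], ledger: ErasureLedger,
                         backup_taken_at: datetime) -> dict[str, int]:
    """Re-apply post-backup erasures; returns rows deleted per subject key."""
    return {rec.subject_key: _delete_by_key(db, rec.subject_key)
            for rec in ledger.pending_since(backup_taken_at)}


def constructed_customers() -> dict[str, dict]:
    # Constructed sample table. c1 and c3 are the same person with different casing,
    # the kind of duplicate that makes "is this the only copy?" hard to answer.
    return {
        "c1": {"email": "alice@example.test", "orders": 3},
        "c2": {"email": "bob@example.test", "orders": 1},
        "c3": {"email": "Alice@Example.test", "orders": 2},
    }


def run_scenario() -> dict[str, int]:
    db = constructed_customers()
    backup_taken_at = datetime(2024, 1, 10, tzinfo=timezone.utc)
    backup = copy.deepcopy(db)                     # snapshot taken at backup_taken_at
    ledger = ErasureLedger()

    # Two days later Alice exercises her right to erasure: live DB and ledger updated.
    erased_live = erase_subject(db, "alice@example.test")
    ledger.record("alice@example.test", datetime(2024, 1, 12, tzinfo=timezone.utc))

    # A disaster forces a full restore from the backup, and Alice's rows reappear.
    db = copy.deepcopy(backup)
    rows_after_restore = len(db)

    # Replaying the ledger removes them again without a manual re-investigation.
    replayed = replay_after_restore(db, ledger, backup_taken_at)
    return {
        "erased_live": erased_live,
        "rows_after_restore": rows_after_restore,
        "replayed_total": sum(replayed.values()),
        "rows_after_replay": len(db),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that the ledger must live outside the dataset being restored (and outside the same backup set), otherwise it is rolled back along with everything else; storing only a keyed hash keeps the ledger from becoming a new copy of the data the subject asked you to erase.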
Data minimisation in practical terms
Suppose you’ve carried out an exhaustive data protection impact assessment, or DPIA in the language of the regulation. You’ve identified that vast pool of data that makes up your organisation’s business processing activities. How do you identify, and manage in the long-term, data that needs to be erased in order to comply with GDPR’s data minimisation principle? (Article 5.1(c) Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).)
People, Process or Technology?
The traditional operating model holds the answer to compliance, as it does for most organisational challenges. Educating your staff on what GDPR is, what your obligations are and how to identify risks is a key activity in the modern workplace. New processes will be required to enable staff, and the business, to ensure that the organisation’s compliance is not compromised, but is in fact improved. But for many organisations this will not be enough. Due to the nature of their business, or the “DNA” of the organisation, additional measures will be required. And this is where technology comes in.
Achieving compliance under GDPR will require powerful tools that can index and map all data, in both “live” and backup data sets, and provide the context an organisation needs to make the right decisions when managing its GDPR obligations and reducing risk in its environment. In the second part of this blog, we will discuss how technology can address the challenges I have raised here.