What goes “Tick, Tock, Give me my Data”? – The GDPR Countdown!


We now have less than a year to demonstrate readiness for the new General Data Protection Regulation (GDPR), and in particular the ability to show what personal data you hold, why you hold it, that it is where you expect it to be, and that you can search and process it with confidence within a fixed time period.

Just in case you need reminding, 25 May 2018 is the date from which the GDPR applies, and many of the organisations I talk to are only now finding their pace to get this done.


What we have seen is good progress for many in the data mapping exercise, which requires the creation and maintenance of “records of processing activities”. The outputs are typically a visual depiction of the flow of personal information through its lifecycle within an identified process, including flows between internal and external systems, parties and jurisdictions, together with an Article 30 register of processing activities explaining what you do with this data.

However, one area that is still being missed is testing and proving that, once you receive a request for information from an individual, you can Search, Hold, Examine, Redact, Present and Audit (SHERPA) this MOUNTAIN of data effectively... see what I did there?

In simple terms, the best place to start is the process that supports your current Subject Access Requests, as these are the foundation for a GDPR request. The following activities need to be captured:

  1. Understand the Subject Access Request process end to end
  2. Identify ALL of your data sources, and regularly target data for deletion where you have no business purpose to keep it
  3. Review the tools and methodologies available to search each data source confidently, and highlight the gaps where they are lacking
  4. Identify the correct platform to load the information for review, and ensure it can demonstrate that held data cannot be altered, that chain of custody is maintained, and that every request is audited
  5. Test whether you can do all of this within the time limits of the GDPR

Remember data is digital, so keep it digital from start to finish.
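As an added illustration (not code from the original post), the following Python models the SHERPA steps against a handful of constructed data sources: search for the subject's records, hold them under a SHA-256 manifest so any later change to the held copy is detectable, redact third-party identifiers while keeping the subject's own data, keep a hash-chained audit log of what was done, and compute the response deadline. The source names, the records and the 30-day deadline (an approximation of the one-month limit in Article 12(3)) are assumptions made for the example.

```python
import hashlib
import json
import re
from datetime import date, timedelta

# Constructed sample data sources (invented records, not real people or systems).
SOURCES = {
    "crm": [
        ("crm-1001", "Customer Jane Doe <jane.doe@example.com>, account opened 2014"),
        ("crm-1002", "Customer John Smith <john.smith@example.com>, account opened 2016"),
    ],
    "helpdesk": [
        ("tk-77", "Ticket from jane.doe@example.com: cannot log in, cc support@example.com"),
    ],
    "mail-archive": [
        ("msg-9", "From: accounts@example.com To: john.smith@example.com Subject: invoice"),
    ],
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def search(sources, subject_email):
    """Search: every record in every source that mentions the data subject (case-insensitive)."""
    needle = subject_email.lower()
    return [
        {"source": name, "id": rid, "text": text}
        for name, records in sources.items()
        for rid, text in records
        if needle in text.lower()
    ]


def hold(hits):
    """Hold: record a content hash per item so tampering with the held copy is detectable."""
    return [{"source": h["source"], "id": h["id"], "sha256": sha256(h["text"])} for h in hits]


def verify_hold(manifest, hits):
    """Examine: re-hash the held records and compare with the manifest taken at collection."""
    if len(manifest) != len(hits):
        return False
    return all(m["id"] == h["id"] and m["sha256"] == sha256(h["text"])
               for m, h in zip(manifest, hits))


def redact(text, subject_email):
    """Redact: mask other people's e-mail addresses, keep the subject's own."""
    def mask(match):
        return match.group(0) if match.group(0).lower() == subject_email.lower() else "[REDACTED]"
    return EMAIL_RE.sub(mask, text)


class AuditLog:
    """Audit: append-only log where each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, event, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "event": event, "detail": detail, "prev": prev}
        body["hash"] = sha256(json.dumps(body, sort_keys=True))
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or sha256(json.dumps(body, sort_keys=True)) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def deadline(received_iso, response_days=30):
    """Present: response due date. 30 days approximates the one month of Article 12(3) (assumption)."""
    return (date.fromisoformat(received_iso) + timedelta(days=response_days)).isoformat()


def run_sar(subject_email, received_iso, sources=SOURCES):
    """Run the whole SHERPA flow for one request and return the pack plus audit state."""
    log = AuditLog()
    log.append("received", subject_email)
    hits = search(sources, subject_email)
    log.append("search", f"{len(hits)} records across {len(sources)} sources")
    manifest = hold(hits)
    log.append("hold", f"{len(manifest)} hashes recorded")
    if not verify_hold(manifest, hits):
        raise RuntimeError("held data does not match manifest")
    pack = [{**h, "text": redact(h["text"], subject_email)} for h in hits]
    log.append("redact", f"{len(pack)} records prepared")
    log.append("present", f"due {deadline(received_iso)}")
    return {"records": pack, "manifest": manifest, "due": deadline(received_iso),
            "audit_ok": log.verify(), "log": log.entries}


if __name__ == "__main__":
    result = run_sar("john.smith@example.com", "2018-05-25")
    for r in result["records"]:
        print(r["source"], r["id"], r["text"])
    print("due", result["due"], "audit chain intact:", result["audit_ok"])
```

Running the block prints the redacted records for the constructed subject, the due date and whether the audit chain verifies; the manifest and the chained log are what a reviewer would use to show that nothing in the held set, or in the record of how it was handled, was changed after collection.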

Data management

If you don’t know what data you hold, you can’t comply. Organisations hold vast quantities of data that they neither need nor understand. The recent Veritas Databerg Report found that 85% of data is either “dark” or ROT (redundant, obsolete or trivial). Findings from Veritas’ Data Genomics Index show that 41% of data has not been touched in three years and that data is growing at an alarming 39% a year, with very little insight into what it contains. Such rapid growth also increases the risk of security breaches, poor productivity, reduced customer satisfaction and escalating storage costs. According to the State of Information Governance 2016 Report, 94% of organisations have a formal information governance programme in place or in planning, but only 40% are high performers when it comes to an effective information governance culture across the organisation and its employees.

Benefits of compliance

Compliance requires significant investment, but this can be offset to a large degree:

  1. Aligning processes and tools to encourage and monitor good employee behaviour
  2. Deleting the ROT realises operational efficiencies, saves money and curbs the data hoarding that organisations have allowed to develop
  3. Clean, high-value data becomes a business asset rather than a liability, reducing risk and giving companies a foundation for a digitised future

The new rules can be a vehicle for reform.

Regain control

When it comes to things we can see and touch, we spend time tidying up after ourselves, either by throwing things out or by putting them in their place so we know where to find them next time. We treat data differently. Because it does not appear to get in the way and storage is “cheap”, we feel comfortable leaving it where it is, and we become hoarders in denial. In our private lives this seems acceptable, but in the corporate world the GDPR should be seen as much-needed therapy: it sets rules, helps us address our data hoarding addiction and ensures we keep only what we really need. It’s time to regain control and see this as an opportunity to form some good new habits.