We now have less than a year to demonstrate readiness for the new General Data Protection Regulation (GDPR) rules, in particular the ability to show that you know what data you have, why you have it, where you expect it to be, and how you can search and process all of it with confidence within a confined time period.
Just in case you need reminding, the 25th of May 2018 is the date this all comes into force and many organisations I talk to are still only just finding their pace to get this done.
What we have seen is good progress for many in the data mapping exercise which requires the creation and maintenance of “records of processing activities”. The outputs of this are typically a visual depiction of the flow of personal information through its lifecycle, within an identified process, including flows between internal and external systems, parties and jurisdictions, as well as an Article 30 register of processing activities explaining what you do with this data.
However, one area that is still being missed is testing it out and proving that once you receive a request for information from an individual, you can Search, Hold, Examine, Redact, Present and Audit (SHERPA) this MOUNTAIN of data and process it effectively... see what I did there?
In simplistic terms, the best place to start is looking at the process to support current Subject Access Requests, as these are the foundation for a GDPR request. The following activities need to be captured:
Remember data is digital, so keep it digital from start to finish.
If you don’t know what data you hold, you can’t comply. Organisations hold vast quantities of data that they do not need or understand. The recent Veritas Databerg Report found that 85% is “dark” data, or ROT (redundant, obsolete, or trivial). Findings from Veritas’ Data Genomics Index highlighted that 41% of data has not been touched in three years and that data is expanding at an alarming 39% a year, with very little insight into it. Such rapid growth also increases the risk of security breaches, poor productivity, reduced customer satisfaction and escalating storage costs. In the State of Information Governance 2016 Report, 94% of organisations have a formal information governance programme in place or in planning, but only 40% are high performers when it comes to establishing an effective information governance culture within the organisation and its employees.
Benefits of compliance
Compliance requires significant investment, but this can be offset to a significant degree:
The new rules can be a vehicle for reform.
When it comes to things we can see and touch, we spend time tidying up after ourselves, either by throwing stuff out or putting it in its place, so we know where to find it next time we need it. However, we treat data differently. Because it does not appear to be getting in our way and storage is “cheap”, we feel comfortable just leaving it where it is, and we become hoarders in denial. In our private lives this seems acceptable, but in the corporate world the GDPR should be seen as much needed therapy to set rules, help us address our data hoarding addiction and ensure we are keeping only what we really need. It’s time to regain control and see this as an opportunity to get into some new good habits.