General Data Protection Regulation part I
9 March 2017
“The geography of where that data is stored is important to understand and we certainly offer and guarantee an EU footprint. In the context of Brexit, that is becoming a frequent topic of conversation. A major aspect which involves almost all of our clients is business continuity and disaster recovery. Personal information is not confined to the production processes and data storage. GDPR applies to all such data, whether it’s live or the 50th back-up copy from last year — and whether it is encrypted or not.
“Another technical area that poses some potential challenges is hybrid IT, now mainstream and the new normal. Organisations may be combining on-premises with public or private cloud, cloud services and whatever their BC and DR solution is,” says O’Leary. “But in all of those a key question is where the data is being backed up. If an EU citizen invokes his or her rights under GDPR, there is an obligation on organisations to know in real time or near real time where that person’s information, and any copies, is stored.
“It’s also not just the IT but a real culture shift for many types of organisation. It’s that old mantra — people, process and then the technology. It certainly involves making sure staff understand the requirements under GDPR and how they deal with customers, so there may well be significant training components as part of the plan to ensure compliance. In consulting with clients, especially at the early stages, we are getting them to understand that there are a lot of moving parts in GDPR compliance. It’s not just tidying up data storage. As most enterprises are now aspiring to be as totally digital as possible, the IT solutions have to be thoroughly worked through.”
By design and default
“The security of personal data should be by design and by default,” says Brendan McPhillips of Asystec. “In truth that applies to all data. But if you have not done that rigorously already, and certainly if you are going to roll forward with older applications on new platforms, you need to bring in the concepts of accountability, what data you are collecting and for what purpose and how long you need to or are permitted to keep it.”
Another key point is that the organisation has to document and record its data processing procedures — how data is absorbed, consumed, processed and the life cycles associated with all of that. “Many organisations have IT systems that just grew and developed organically, in a sense, with very little technical documentation as they added elements of functionality,” says McPhillips. “Enterprises also tend to treat all data in the business as equal. So, one of the early challenges for many in planning for GDPR is classifying their data and identifying all personal information and its locations. Who has access to it and what for are also questions that need to be answered.”
Deeper into the IT and procedures, information asset registers and entitlement review processes will come into play as the organisation manages that personal data over time, he adds. “Another element that will pose challenges is the trend towards analytics, often based on historical records, which is often aimed at targeting micro-segments of the customer base, perhaps right down to individual level. That is, at least on the surface, in some conflict with the legislation particularly with the purpose and length of time for which you can hold customer data.”
In most client discussions so far, McPhillips says, the fear of penalties — and their scale — is what is driving planning and action. “Plus a tight timescale, when they start thinking about it. A lot of organisations believe they have control systems in place but in relation to GDPR they actually may not have. Data is the ultimate asset, so you have to understand where it is, how it enters and traverses the organisation, what is sensitive and what controls are in place or needed. In short, you have to identify clearly where the risks are — or might be. So your checklist should certainly provide for an audit trail of all data touches for the future.”