Inside Track: Data Protection – understanding and insight
20 March 2018
Enter ‘GDPR tools’ in Google and you will quickly find there is a huge amount of software out there designed to help companies ease the process of achieving General Data Protection Regulations (GDPR) compliance. But is it really as simple as loading up an app and letting it take care of your compliance issues?
Not in the opinion of Lanre Oluwatona, data protection consultant for the Irish Computer Society, and secretary of the Association of Data Protection Officers.
“I’m not a big fan of using tools to help you be compliant. The reason is that no tool is going to give you all the attributes you need to achieve compliance. To begin with, you need to really understand how your organisation works,” he said.
“You need to understand those critical areas where personal data is processed and you need to have an idea of the risks that are out there to your data processing. Before you can start availing of the tools that are out there, you need to have a good understanding of the workings of your business. No tool can do that for you.”
Oluwatona’s message is clear — don’t fall into the trap of throwing technology at issues that essentially have nothing to do with technology.
“Once you have a sound understanding of where those problem areas are in your processes, then you can apply technology to them. But only then.”
Oluwatona said that in his view, many Irish companies are behind in their preparations for GDPR. Many are at the point where they are still asking questions about what they should be doing rather than talking about what they have already done. And while some are making the effort and are doing well, there are other companies that have been slow to make a start on achieving compliance. More worrying still though, are those that are not even aware of their impending responsibilities under the regulation.
“GDPR is made up of 99 articles and implementing those requirements will take a considerable amount of time. It’s not something that can be done in six months, regardless of the size of a company. It requires a huge shift in mindset because it’s really all about relationships,” said Oluwatona.
The main reason why Oluwatona is not a fan of GDPR compliance tools on their own is that he feels that achieving compliance is a process that requires a complete root and branch reassessment of how a company deals with data.
“There are seven principles of data protection. The first talks about processing data lawfully, fairly and transparently. The second talks about purpose limitation, in other words that you’re processing data for a limited and defined purpose. The third principle is confidentiality and safety of personal data and the fourth is accuracy of personal data,” he said.
“The fifth is data minimisation, in other words that you should be able to accomplish what you need to do with the least amount of data possible. The sixth is storage limitation or retaining data for as little time as necessary. But the seventh, that’s really interesting.”
“It’s accountability and it means that the data controller that determines the purposes and means of processing data must first of all accept responsibility for the data and be able to demonstrate compliance with the principles.”
Darragh Fegan, senior EMEA marketing manager, Veritas Technologies, agrees when it comes to the deployment of GDPR tools. They can be part of the solution but should not be seen as a solution in and of themselves.
“At Veritas we combine technologies, as there is no one silver bullet that will fix all. For example, the first step in GDPR compliance is gaining visibility into the personal data you hold. To process and manage that data, you need to be able to map where it’s stored, who can access it and how long you’ve kept it,” he said.
“Under the GDPR, EU residents can also request to see all their personal data and ask that it be corrected, moved or deleted. Your ability to rapidly respond to these requests is critical. Our 360 Data Management for GDPR delivers that integrated solution framework to help organisations locate, search and minimise, and it delivers an enterprise-ready compliance solution that accounts for the regulation’s strictest guidelines and arms customers with a confident governance approach.”
Essentially, compliance tools should be part of a company’s tool kit but just as important is cultural buy-in from the company.
“A good GDPR stance will have high level buy-in from the board as collaboration is the keystone for eradicating blind spots. Collecting the workflow information required to inform meaningful and complete data maps must be a cross-organisational effort involving legal and compliance teams, the lines of business and IT,” said Fegan.
“Remember, the IT department does not own the data; the business does. But ownership must be combined with a renewed sense of responsibility to govern it appropriately, making a collaborative approach a necessity. Hence high-level sponsorship is a necessity.”
With GDPR implementation nearly here, how well prepared is the average Irish company? Not at all well, in Fegan’s experience.
“Many organisations still don’t have the proper technology to address the regulations in full. In a survey we conducted, almost a third of respondents were worried their organisation did not have the necessary technology to manage data effectively, something that could jeopardise their ability to search, discover and review data, all of which are essential criteria for GDPR compliance,” he said.
“In addition, nearly forty percent of respondents were worried that their organisation is not able to accurately identify and locate data. All that said, it’s not all doom and gloom. In order to address these technology challenges, the research also shows organisations are actually taking more of a proactive role in seeking outside assistance.”
“Nearly two thirds responded saying that their organisation has worked, or is currently working with, third parties to support their GDPR efforts.”
This marries with the experience of David Smith, head of GDPR technology for SAS in the UK and Ireland. His organisation has seen a lot more urgency in the market as the deadline of May 2018 for compliance draws nearer.
“Over the last year, a lot of consulting has gone on, as companies get advisers in to write scoping documents to help them quantify the problem. But now it’s the time to do the hard yards and actually put the systems in place that will meet the requirements,” he said.
“That involves getting empirical evidence to find out where data is stored. For example, there are companies that are examining the data in their database to see if it’s labelled correctly. Personal data that is covered by the GDPR can’t be treated like other kinds of data and that’s fine if it’s labelled correctly and can be safeguarded, but not if it’s mislabelled, for example.”
Being able to identify data, sort it by type and, crucially, find out if it is not what it seems is an important part of this. A real issue is that many companies did not design their data storage systems with GDPR compliance in mind.
As a result, they now have to go back and somehow make that data compliant – and that is not an easy thing to do.
“Applying encryption to your databases is the first thing. Then putting things like obfuscation and encryption to the front end so that people who don’t need to see the raw data see it through a window of encryption. They only see the last four digits of a credit card number, for example, because a transliteration filter has been applied to it,” said Smith.
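The two checks Smith describes, finding card numbers that sit in fields where they should not be (mislabelled personal data) and presenting them through a filter that shows only the last four digits, as an added Python example that is not from the article or from SAS. The records, field names and regular expression are constructed here; the Luhn checksum is used to tell plausible card numbers from random digit runs.

```python
import re

# Constructed sample records (not from the article): one correctly labelled card
# field, one card number that leaked into a free-text "note" field, and one
# 16-digit value that is not a real card number (it fails the Luhn check).
SAMPLE_RECORDS = [
    {"id": "C-1001", "card": "4539 1488 0343 6467", "note": "renewal call"},
    {"id": "C-1002", "card": "", "note": "gave card 5555555555554444 by phone"},
    {"id": "C-1003", "card": "", "note": "ref 1234567812345678"},
]

# Runs of 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Expose only the last four digits, as the front-end filter in the text does."""
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_text(text: str):
    """Mask every Luhn-valid card number in text; return (masked_text, count)."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # digit run, but not a card number: leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, text), count


def scan_records(records, card_fields=("card",)):
    """Return (masked_records, findings); findings lists (id, field) pairs where a
    real card number was found outside the fields labelled as card fields."""
    masked_records, findings = [], []
    for rec in records:
        out = {}
        for field, value in rec.items():
            if isinstance(value, str):
                value, hits = mask_text(value)
                if hits and field not in card_fields:
                    findings.append((rec["id"], field))
            out[field] = value
        masked_records.append(out)
    return masked_records, findings
```

Run on the sample records, the correctly labelled card is masked, the card number hiding in the note of C-1002 is both masked and reported as mislabelled, and the non-Luhn value in C-1003 is left untouched.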
“GDPR is going to be very important to consumers. In Ireland, 73% of people we surveyed said they welcomed the right to access their personal data and a lot of them will request access to it. Companies need to be ready for that.”
As of right now, a big question for many observers of the market is how GDPR compliance will be enforced. Regulators have been appointed all over Europe and many people are wondering whether these regulators will take a carrot or a stick approach to dealing with companies that are not compliant.
Will they take high-profile cases to court with the goal of extracting the maximum fines for non-compliance to make a point, or will they quietly settle cases and give companies a chance to get their houses in order?
“Quite a few of the individual regulators, such as the Spanish regulator for example, are apparently self-funding. So they may ‘fine to survive.’ There was a recent announcement from the Information Commissioner’s Office (UK) saying that they’d been allowed to employ more people and pay them better – that implies it’s getting ready to handle an increased workload.”
“So, if you’re underprepared, you need to focus on where your biggest risks are. Are you at risk of losing data through a breach? Could somebody inside or outside your organisation make off with your data?”
“Are you ready for a data subject access request? That can be very time consuming to handle.”