By Yves Le Roux, CISSP, CISM, Co-Chair, Europe, Middle East and Africa Advisory Council (EAC)
Recently our GDPR Task Force has found that despite efforts to prepare for the incoming regulation, many practitioners are finding that there is actually a lot more to do than originally anticipated, and are still in “discovery mode” about what data they hold. Data being fragmented and contained within individual business units means that knowing where data sets reside and mapping their flow is proving challenging.
Businesses have just realised the mammoth task ahead of them
Many businesses are still stuck in the initial stages of establishing their inventories of information, or do not yet have support from the board and business units of their organisations, meaning that they are running out of time to prepare for next year.
What makes this even more challenging is that the official guidance put in place to help is confusing the whole situation. Data Protection Impact Assessments (DPIA) will be mandatory but have no clearly defined expectations, and the same is true for the role of the Data Protection Officer. In the case of children, for example, the DPIA states that “Children can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data.” However, the age of majority differs per country, making this difficult to define and implement across several different countries.
The sheer scale of the operation is suddenly being realised when it was previously underestimated. One medium-sized business that the Task Force is aware of now has 37 full-time employees to assess the flow of all data from the organisation, and understand the personal data held, where it comes from, who it is shared with, the legal basis for fair processing, and the process for access requests.
One interesting thing to note is that the majority of the data that companies tend to have is “dark data,” which is data whose value has not yet been identified. Organisations are having to undergo these new checks and ensure they’re aligned to new processes with stored data, where much of it doesn’t have a direct use.
Best opportunity to do things properly
While the processes of GDPR are often discussed as being a hindrance, they can actually open up opportunities for the business. GDPR should stop being seen as a compliance issue, and we should start seeing it for what it really is – the opportunity for businesses to clean their data. Removing the “dark data” means that there is less to back up, less to store, and less cost.
The problematic ways of working can be eliminated along with the risks. If ad hoc Excel documents are no longer kept on a laptop, an employee losing it is not a problem. Marketing departments can also carry out targeted engagement rather than trying to convert a huge database of possible leads – which makes them the people with one of the biggest incentives to implement GDPR.
In addition, with Subject Access Requests (SAR) now being free of charge, and there being no limit to how many people can ask to know what information is held about them, companies could potentially have a huge task added to their everyday operations. However, this is an opportunity for businesses to show their customers how much they care about the management of customer data.
While many businesses are only at the beginning of the journey of preparing for GDPR, treating it like a planned project is helping many organisations to pick up the pace. GDPR is an opportunity to demonstrate that the investment made can make an impact, which opens doors for not just the business, but also the IT practitioner who is making it happen.