The GDPR requirement to determine where personal data is stored, and how it is being used, is heralding a race to ensure that a coherent data strategy is in order – to avoid the significant financial implications of non-compliance.
Data of any kind is one of the most important assets any organisation holds, but a recent customer data survey by Royal Mail found that poor data quality could be costing UK businesses as much as 6% of their annual revenues. While many organisations may not yet understand why data quality is so important, implementing good data management policies now will not only improve data quality for the business, but also for customers and employees. Here are the key considerations for improving data management and quality in preparation for the GDPR…
First of all, organisations need to document what Personal Data is held, its location, source, reason for storage, length of retention, use, access rights and how it is shared, both internally and externally. To complete this task requires an information audit of existing systems that hold Personal Data as a first step towards compliance.
For larger organisations, undertaking an information audit may well present a challenge in itself, due to the complexity and sheer number of different systems and applications used to process Personal Data.
There are, however, a number of potential solutions which can help, including:
1. Traditional Information or Business Glossary, Enterprise Data Governance, Data Lineage and Metadata Management tools or services – from vendors such as ASG, Adaptive, Collibra and IBM. Most of these will scan existing applications for source metadata and bring that into a repository for further analysis and determination of data lineage between systems.
2. Metadata discovery and analysis – there are also specialist products that take this further, such as Safyr from Silwood Technology, which performs metadata discovery and analysis on complex packaged ERP or CRM solutions from vendors including SAP, Salesforce, Oracle and Microsoft.
3. Data Lake based approach – other vendors, such as Informatica have proposed a Data Lake based approach to storing Personal Data information, where one storage repository holds a vast amount of data in raw form until it is needed. Using this approach, there are likely to be requirements to profile and check the quality of Personal Data held, in order to identify where improvements to data processing procedures might be required.
Unstructured data, and privacy, consent and rights of data subjects
Gartner analysts recently reported that over 80% of the enterprise data stored by organisations is classified as unstructured, which means emails, files, photographs, reports, documents and more, any of which may include some form of Personal Data that could allow a data subject to be identified.
Under the GDPR, organisations must know where this information resides, and must also handle it in line with the rules on Privacy, Consent and the Rights of Data Subjects.
The GDPR makes the concept of Consent by the Data Subject clearer: pre-ticked boxes, silence or inactivity by the Data Subject are no longer considered consent to processing Personal Data. Data Subjects must be informed about the use of their data when consent is requested, and many systems may need re-engineering or enhancing to record when and how consent was granted. If consent is withheld, the reasons for that must also be noted; this is a critical element in halting the processing of Personal Data once consent has been withdrawn, and important when demonstrating compliance.
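As an added illustration of the consent-recording requirement described above (example code written for this page, not code from the author or from Silwood Technology), the following append-only consent ledger records when and how each consent decision was captured, refuses to accept a method that the GDPR no longer treats as consent (pre-ticked box, silence, inactivity), insists on a reason whenever consent is refused or withdrawn, and gates processing on the most recent decision. The subject identifiers, purposes and capture methods are constructed sample values, and the `ConsentLedger` class and its method names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Capture methods that the GDPR does not accept as a valid indication of consent.
INVALID_CONSENT_METHODS = {"pre_ticked_box", "silence", "inactivity"}


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable consent decision; events are never edited, only appended."""
    subject_id: str
    purpose: str           # the specific processing purpose consented to
    granted: bool          # True = consent given, False = refused or withdrawn
    method: str            # how the decision was captured, e.g. "web_form_v3"
    recorded_at: datetime  # UTC timestamp of the decision
    reason: Optional[str]  # mandatory when granted is False


class ConsentLedger:
    """Append-only log of consent decisions, queried before any processing."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               method: str, reason: Optional[str] = None,
               at: Optional[datetime] = None) -> ConsentEvent:
        # Silence, inactivity and pre-ticked boxes cannot establish consent.
        if method in INVALID_CONSENT_METHODS:
            raise ValueError(f"'{method}' is not a valid basis for consent")
        # A refusal or withdrawal must carry the reason so it can be evidenced.
        if not granted and not reason:
            raise ValueError("a reason is required when consent is refused or withdrawn")
        event = ConsentEvent(
            subject_id=subject_id,
            purpose=purpose,
            granted=granted,
            method=method,
            recorded_at=at or datetime.now(timezone.utc),
            reason=reason,
        )
        self._events.append(event)
        return event

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full decision trail for one subject, e.g. for a compliance audit."""
        return [e for e in self._events if e.subject_id == subject_id]

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent decision for a subject/purpose pair, or None if never asked."""
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return matches[-1] if matches else None

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Processing is allowed only if the latest recorded decision is a grant."""
        current = self.latest(subject_id, purpose)
        return current is not None and current.granted


def demo() -> ConsentLedger:
    """Constructed walk-through: grant, process, withdraw, processing halts."""
    ledger = ConsentLedger()
    ledger.record("subject-0001", "marketing_email", True, "web_form_v3")
    assert ledger.may_process("subject-0001", "marketing_email")
    ledger.record("subject-0001", "marketing_email", False, "account_settings",
                  reason="subject withdrew consent via preference centre")
    assert not ledger.may_process("subject-0001", "marketing_email")
    return ledger


if __name__ == "__main__":
    for event in demo().history("subject-0001"):
        print(event)
```

Every check that the processing system would make is a query against the ledger rather than a flag on the customer record, so a withdrawal is effective as soon as it is appended and the full decision trail remains available to demonstrate compliance.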
In addition to recording Data Subjects’ Privacy and Consent documentation, organisations will also need to ensure that all of their existing customer or employee facing systems are updated. This includes revisions to cater for those additional requirements, along with ensuring that the work has been completed and approved afterwards.
Organisations will also need to comply with the Rights of the Data Subjects, so if a consumer requests any information on data held about them, a Data Controller needs to be in place, ready to respond to requests quickly, accurately and, perhaps most importantly, comprehensively. In the case of the Right to Rectification and the Right to Erasure, the Data Controller would need to forward the request to other Data Processors with whom that Personal Data has been shared, along with ensuring that the request has been met internally.
The Data Subject also has the Right to Data Portability, where he or she gets any information concerning him or her that was given to the company, or is being held by that organisation, in a commonly-used, structured and machine-readable format, for their own purposes. The cost and effort required to fulfil this Right may be considerable, unless an information glossary or other appropriate process is in place to support such requests, in particular where unstructured data is to be included.
Benefits of good data strategies
The benefits of improving your business’ reputation and building your brand awareness by having transparent, effective and trustworthy data strategies in place are clear, not least financially, but being compliant with the GDPR is also very likely to increase your customer loyalty.
In a survey spanning more than 30 industry sectors, 76% of respondents confirmed that they would be more likely to seek alternative suppliers if they became aware that any of their suppliers had ineffective data processing and security procedures.
Reduce the costs of poor data quality and ineffective management now
Getting your data strategy in order now should be a priority, and here are the seven things you really need to consider sooner, rather than later:
- Read all of the relevant legislation or identify trusted sources of information about the GDPR to find out exactly how it might/will apply to your business, and your organisation in particular.
- Gain executive sponsorship for a compliance program and raise corporate awareness of the importance of both data and data management for GDPR.
- Appoint Data Controllers and Data Protection Officers as necessary.
- Ensure that changes to Data Privacy and Consent policies are implemented and documented. The Privacy notice should include the lawful basis for your processing activities. It is also critical to ensure that the appropriate consent has been obtained for minors, so that any processing of Personal Data for children under the age of 13 is legal.
- Undertake an information audit and ensure that processes are in place to cover all of the Rights of Data Subjects.
- Ensure that procedures are in place to detect data breaches and to notify the relevant authorities as well as Data Subjects affected in a timely fashion if any are found.
- Assess when and how to introduce Data Protection Impact assessments.
By Roland Bullivant, Sales Director, Silwood Technology Limited