Welcome to our second post exploring the survey we conducted with several large enterprises on their plans related to compliance with the EU's General Data Protection Regulation (GDPR). We've been hearing that some people believe the hype around GDPR to be reminiscent what happened with Y2K.
Is GDPR like Y2K in that organizations will be so prepared that it is a non-event? We don't think so. Unlike Y2K, this isn't a binary problem with date handling. It is much more complex and less prescriptive in terms of where the problems and risks lie.
Last time, we explored some of the attitudes coloring organizational approaches to compliance. This week, we’ll be taking a look at some of the specific mandates and what organizations are doing to prepare.
What role does “defensible” disposition of redundant, obsolete, or trivial data (ROT) play in GDPR implementation?
This question provided a little more variability with one customer noting they saw little relationship due to the fact that by simply following your retention schedule, the records will be disposed of on a systematic basis.
If that retention schedule is not promulgated across the entire organization however, the story becomes a bit different. Below, a respondent outlines how the Right to be Forgotten can make managing ROT sticky:
Disposition of ROT plays a big part, especially as it relates to the Right to be Forgotten which empowers individuals to control their own identity and information in systems. If an individual no longer wants his or her personal data to be processed or stored and if there is no legitimate reason for keeping it, the data should be removed from their system.
This is a key point to note, as personal information can take many forms and be stored in multiple locations. Your approach needs to extend far beyond any records centers you maintain if you want to be truly secure.
Another interviewee had this to say: "On GDPR, we looked at data collected, which are needed and which no longer need to be retained. Also, we examined which employees will have access to view these documents and records, and the security around access."
Do you expect GDPR to affect your record retention times? Other recordkeeping considerations?
As you would expect, this question drew some of our longer responses. Because GDPR is a change from the way companies may be managing personal information, there are some major challenges to be tackled.
Echoing another customer’s response to the previous question, one customer says: "The hardest requirement of GDPR for us is implementing the 'Right to be Forgotten.' We need to make sure that we erase everything and have the ability to document that we’ve done it. You have to show that you’ve done due diligence to demonstrate compliance."
This respondent goes on to note that their security classification structure has to undergo some change:
Currently, we have four security classifications; however, they do not match the GDPR naming conventions. We are working through it to get the right naming conventions that everyone understands. We are using consultants to make sure we get it right so we don’t have to have to do this again.
What progress have you made in understanding where personal information is being stored, managed, and collected?
Understanding the scope of this question is crucial to GDPR compliance. The ability to manage all data across the enterprise is an absolute necessity. As one customer elegantly put it:
We’ve been identifying personal data for years through data mapping and data flows as part of our process. GDPR requires it on steroids. We made many changes in systems and processes last year and will need to update data maps accordingly. […] The process used to be simpler because more was done in-house. With more work being done externally, we need more data.
And, we would add, controls around how that data flows internally and externally. Many of our customers are trying to handle this challenge by prioritizing, with one stating:
Some but not all of the personal data has been identified. We started by identifying critical records (highest risk, highest value) including those with PII [Personally Identifiable Information] and PHI [Protected Health Information]. As critical records are identified, IM folks in the business contact staff to determine where the records are retained and develop processes to protect the data. In addition, we are identifying 'business managed applications' that have been procured and/or managed by the business rather than IT.
Others are taking this opportunity to reorganize and streamline their systems such as working towards centralizing HR information. For many companies, most of their personal data is about their employees and it is important for that data to be properly handled. This not only builds trust in the organization but also provides a critical litmus test for how well the organization can protect its data.
One company did also state that although they are focusing on Europe now due to the impending GDPR deadline, this process will be rolled out globally as other countries such as China and Australia have already begun similar initiatives.
Weighing effort against reward
Recently, friend of Gimmal and Partner at Rimon Law John Isaza, Esq., FAI stated that he and other thought leaders have begun to wonder if the impact of GDPR could be reminiscent of the Y2K scare. After all, European auditors do not currently have the bandwidth to enforce compliance on the scale they desire, though admittedly they are permitted to use the sanctions to fund their compliance enforcement. A close look at the history underpinning this statement provides some excellent perspective here.
Prior to the turn of the century, Y2K caused a whole industry to grow up around updating important computer code before December 31, 1999. Because of the widespread success of this initiative, the effects of this bug turned out to have minimal impact on the daily lives of average people. But, contrary to popular belief, effects were indeed felt.
- US spy satellites were unusable for three days, in the midst of a terrorism scare in January of 2000 (source)
- Defibrillators and heart monitors across Malaysia failed (source)
- Seven nuclear reactors across the US experienced glitches in the beginning of January (source)
- Revenues for organizations such as financial institutions, race tracks, were temporarily impacted (source)
- A hasty, last minute patch grounded airplanes across the US (source)
The point here being, of course, that preparation and understanding are key to insulating your organization against the effects of GDPR and other privacy regulations. The regulatory auditors may be spread thin, but when a breach happens, all the rules change.
Just because the world isn’t ending doesn’t mean your house couldn’t crumble. If we approach GDPR implementation as a serious issue and take well-informed steps to respond to the needs imposed upon us, we can be sure to provide a solid foundation to provide the stability your organization needs to stand against any threats to its well-being.
Posted by Susan L. Cisco, Ph.D., CRM, FAI