The compliance deadline for the General Data Protection Regulation (GDPR), the EU's comprehensive data protection law, looms ever closer, and the world of IT is still struggling to execute a clear and defined GDPR strategy. Small wonder: with reportedly more than 3,000 amendments since the first draft it is often described as the most heavily lobbied piece of legislation ever, and the completed regulation runs to more than 200 pages.
Information Age has suggested that nearly half of businesses are not ready for GDPR, and in a recent webinar I attended only 15 percent of respondents thought their business would be ready for go-live on May 25, 2018.
There is no doubt that businesses across the world are hitting the panic button now that we are only seven months from the deadline, seemingly with no clear solution in sight that will solve the multiple business challenges created or exacerbated by GDPR.
So, what are the biggest challenges that businesses are currently trying to solve? From our experience, we can summarize them in four questions:
Where do I keep personal and sensitive data across my vast IT infrastructure?
How can I catalog personal and sensitive data across multiple structured, semi-structured and unstructured data sources?
How can I create a single view of information to easily identify all data belonging to any particular data subject?
How do I maintain compliance after May 25, and will my systems cope with the new rights of data subjects?
If these challenges remain unsolved, the GDPR compliance pathway quickly becomes bogged down in manual data location activities and endless repetition of effort across multiple source systems, which is both an expensive resource sink and an imperfect way of satisfying the upcoming 'data protection by design and by default' requirement (Article 25).
We shouldn't have to resort to the person-with-a-clipboard method when it comes to cataloging information and trying to build some sort of single view of an individual. Inefficient, manual and arduous methods will not result in organization-wide compliance before the deadline.
There is only one way to solve these problems – enterprise-wide adoption of smart technologies that will greatly reduce the inefficient time sink created by manual auditing.
If I can use software to solve the four challenges above, I can better coordinate my resources to ensure that all data is processed in line with GDPR, instead of worrying that I can't find and organize personal and sensitive data in the first place.
Thankfully there is technology out there which can help, and data discovery technology is the best fit because of its flexibility and its capabilities for finding, cataloging and organizing data.
Below I’ve set out four areas where I think data discovery software can greatly improve your GDPR compliance strategy.
Finding out where data is held. The first step to compliance is finding out what personal and sensitive data is held and where exactly that data can be found. This can be wide-ranging – from your operational systems to customer testimonials to marketing mailing lists to customer complaints and everything in between.
This information is found in structured databases, semi-structured XML files, unstructured file systems on individual workstations, cloud-based file systems, you name it: you need to check whether there is personal or sensitive data in each of those systems. Indeed, 80 percent of all organizational data is unstructured, if you believe the statistics!
Finding out where information is held can be easy in some systems, but finding how many John Smiths I have across 3,000 private file directories on separate workstations is going to take a long time with a clipboard and a ball-point pen.
Thankfully data discovery software can take information from all of these sources (databases, XML files, file directories, the lot) and search across them simultaneously, instantly finding every mention of John Smith across thousands of previously siloed data sources. No more clipboard required!
Cataloging personal and sensitive data across structured, semi-structured and unstructured sources. Though finding the information is probably the biggest challenge for businesses at the moment, cataloging it after it has been found can be just as hard.
I will never be able to build up a clear picture of my personal and sensitive data without a clear information cataloguing strategy.
Trawling through each system to find out where I keep IP addresses, whose IP address each one is, what I'm using it for and what the legal basis for processing it is, without some sort of automatic metadata cataloging process, is going to take weeks of effort, and those weeks are quickly running out.
Modern data discovery software includes comprehensive metadata cataloging to help identify what data is held where, by whom and for what purpose. Business rules and regular expressions can extract structure from unstructured and semi-structured sources to automatically build a 'big picture' of personal and sensitive data. One caveat a practitioner would add: pattern matching produces both false positives and misses, so the automatically built catalog still needs review before it is relied on as a legal-basis inventory.
So instead of just finding out whose data is held where, I can now find out what types of data are held where. If only there was a way to combine this…
Creating a single view of information. Experian states that "89 percent of organizations continue to face difficulties in achieving a single customer view."
This is largely due to complexity spread across multiple systems that software has so far struggled to solve. Once semi-structured and unstructured data are included as well, the dream of a unified single view can very quickly start to resemble a nightmare.
The reason is simple: relational databases and unstructured data sources do not play nicely together, and no amount of tweaking will make legacy back-ends handle unstructured data as well as a more modern approach.
This problem is further exacerbated by GDPR. It is hard to argue that any approach that does not create a single customer view is going to make it easy for customer service personnel to respond to subject access requests, data portability requests, erasure ('right to be forgotten') requests and so on.
Alternative architectures have been tried and tested to solve the unification problem, that is, to create the mythical 'single customer view' that only 11 percent of organizations claim to have achieved.
An architecture which includes modern data discovery software can quite easily create that single view. By storing all discovered content in a unified 'index' format, the challenges of joining data from different file types and different data sources are easily overcome.
This allows a comprehensive single view of information to be built across the entire organization, achieved through combining data discovered across siloed systems with the metadata information catalog.
Once you have that single view of information, any user can query it and easily navigate from one entity to another without having to log into multiple systems and re-establish the context of the search for each system's configuration.
Putting it all in the same place and showing it in the same format provides a powerful resource for maintaining information security and establishing what data is being processed, whose data it is, why it is being processed and by whom. In addition to finding how much John Smith data I hold, I should now have a full visual history of each John Smith's interactions with my organization from day one to the present day. Bear in mind that such an index is itself a concentrated store of personal data: it needs strict access control, audit logging of who searched for whom, and at least the same protection as the systems it indexes.
Maintaining compliance after May 25. Even assuming we can reach a point where we are somewhat compliant by May 25 without using any smart software or GDPR solution, the question of how to maintain compliance remains unanswered.
GDPR establishes a set of rights for individuals: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
A significant part of establishing compliance before May 25 is ensuring that, after go-live, each of these rights has a clearly defined business process from request to response, within the one-month response window the regulation sets (Article 12).
This one is pretty simple from a technological perspective. If I have all my data in the same place and viewed through a single interface, it greatly improves my ability to respond to a data portability request, a subject access request, an erasure request and so on.
GDPR solutions built on data discovery software can include additional reports, portals and data capture forms to help customer service teams respond to these requests efficiently, once the identity of the requester has been verified so that one person's data is not disclosed or erased on another's say-so.
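To make the four steps concrete (cross-source discovery, regex-based cataloging, a single view per data subject, and answering access and erasure requests from it), here is an added example in Python. It is illustrative code written for this article, not Connexica's product or any real tool: the three sources (an in-memory SQLite customers table, an XML complaints document and two workstation text files), the regex rules, and all names, e-mail addresses and IP addresses are constructed test values.

```python
"""Toy data discovery pass over three constructed sources: a SQLite table
(structured), an XML document (semi-structured) and workstation text files
(unstructured).  Builds a metadata catalog and a per-subject single view,
then answers a subject access request and an erasure request from it.
Example code added to this article; not any vendor's product."""
import re
import sqlite3
import xml.etree.ElementTree as ET
from collections import defaultdict

# --- constructed sample data (documentation/test values only) ---
CRM_ROWS = [
    (1, "John Smith", "john.smith@example.com", "203.0.113.7"),
    (2, "Ada Lovelace", "ada@example.org", "198.51.100.23"),
]
COMPLAINTS_XML = """<complaints>
  <complaint id="c-17"><customer>John Smith</customer><contact>john.smith@example.com</contact>
    <text>Order never arrived</text></complaint>
  <complaint id="c-18"><customer>Ada Lovelace</customer><contact>ada@example.org</contact>
    <text>Wrong item shipped</text></complaint>
</complaints>"""
WORKSTATION_FILES = {  # hypothetical UNC paths -> file contents
    r"\\ws-042\users\jdoe\notes.txt":
        "Call John Smith about invoice 4471; his address 203.0.113.7 hit the portal twice.",
    r"\\ws-051\users\msmith\mailing.csv":
        "name,email\nAda Lovelace,ada@example.org\nJohn Smith,john.smith@example.com\n",
}

# Pattern rules that extract personal-data candidates from free text.
RULES = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def build_crm():
    """Structured source: an in-memory customers table (the system of record)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, last_ip TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?)", CRM_ROWS)
    return conn

def scan_text(source, location, text, name_rx):
    """Apply the regex rules plus a name rule seeded from the system of record."""
    findings = []
    for dtype, rx in dict(RULES, person_name=name_rx).items():
        for m in rx.finditer(text):
            findings.append({"source": source, "location": location,
                             "type": dtype, "value": m.group(0)})
    return findings

def discover(conn, xml_text, files):
    """Walk every source and return one flat list of findings (the 'index')."""
    findings, names = [], []
    for cid, name, email, ip in conn.execute("SELECT id, name, email, last_ip FROM customers"):
        names.append(name)
        loc = f"customers.id={cid}"
        findings += [{"source": "crm", "location": loc, "type": t, "value": v}
                     for t, v in (("person_name", name), ("email", email), ("ipv4", ip))]
    # Known customer names become a search rule for the unstructured sources.
    name_rx = (re.compile(r"\b(" + "|".join(re.escape(n) for n in names) + r")\b")
               if names else re.compile(r"(?!x)x"))
    for node in ET.fromstring(xml_text).iter("complaint"):
        loc = f"complaint[@id={node.get('id')}]"
        for child in node:
            findings += scan_text("complaints_xml", loc, child.text or "", name_rx)
    for path, body in files.items():
        findings += scan_text("workstation", path, body, name_rx)
    return findings

def build_catalog(findings):
    """Metadata catalog: which data types live in which sources, and how often."""
    catalog = defaultdict(lambda: defaultdict(int))
    for f in findings:
        catalog[f["type"]][f["source"]] += 1
    return {t: dict(s) for t, s in catalog.items()}

def single_view(conn, findings):
    """Link each finding to a data subject via identifiers known in the system of record."""
    id_to_subject = {}
    for cid, name, email, ip in conn.execute("SELECT id, name, email, last_ip FROM customers"):
        for ident in (name, email, ip):
            id_to_subject[ident] = cid
    view, unlinked = defaultdict(list), []
    for f in findings:
        subj = id_to_subject.get(f["value"])
        (view[subj] if subj is not None else unlinked).append(f)
    return dict(view), unlinked

def subject_access_export(view, subject_id):
    """Access/portability export: every location holding the subject's data, deduplicated."""
    rows = sorted({(f["source"], f["location"], f["type"], f["value"])
                   for f in view.get(subject_id, [])})
    return [dict(zip(("source", "location", "type", "value"), r)) for r in rows]

def erasure_targets(view, subject_id):
    """Erasure: the distinct (source, location) pairs an erasure workflow must act on."""
    return sorted({(f["source"], f["location"]) for f in view.get(subject_id, [])})

if __name__ == "__main__":
    conn = build_crm()
    idx = discover(conn, COMPLAINTS_XML, WORKSTATION_FILES)
    print(build_catalog(idx))
    view, unlinked = single_view(conn, idx)
    for row in subject_access_export(view, 1):
        print(row)
    print(erasure_targets(view, 1), "unlinked:", len(unlinked))
```

Two design points worth noting. First, linkage to a data subject is done only through identifiers the system of record already holds, so a finding that matches no known customer lands in `unlinked` for human review rather than being silently attached to the wrong person. Second, the erasure function returns locations to act on rather than deleting anything: the index is evidence of where data lives, and the actual deletion (and the legal-basis check on whether it may be deleted) stays with the owning system's process.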
There is no silver bullet for GDPR. Every solution is only going to work with enterprise-wide adoption and conformity, with each and every employee educated on their responsibilities in regard to GDPR and what they can and can't do.
Despite this, data discovery software will help enormously. Without it, you won’t find the weaknesses in your strategy until you receive your first data portability request on May 25.
Chris Lewis is a technical evangelist at Connexica. Connexica can help with expertise and industry-leading data discovery software when it comes to GDPR compliance.