The GDPR (General Data Protection Regulation) deadline for readiness looms ever closer, and the world of IT is still struggling to execute a clear and defined GDPR strategy. No doubt: with over 3000 amendments since the first draft it is officially the ‘most heavily lobbied piece of legislation ever’, and the completed regulation is over 200 pages long.
Information Age have suggested nearly half of businesses are not ready for GDPR and in a recent webinar I attended only 15% of respondents claimed that they thought their business would be ready for ‘go-live’ on May 25th 2018.
There is no doubt that businesses across the world are hitting the panic button now that we’re only 7 months away from the deadline, seemingly with no clear solution in sight that will solve the multiple business challenges created or exacerbated by GDPR.
So, what are the biggest challenges that businesses are currently trying to solve? From our experience, we can summarise these challenges through four questions:
1. Where do I keep personal and sensitive data across my vast IT infrastructure?
2. How can I catalogue personal and sensitive data across multiple structured, semi-structured and unstructured data sources?
3. How can I create a single view of information to easily identify all data belonging to any particular data subject?
4. How do I maintain readiness post May 25th and will my systems cope with the new rights of data subjects?
If these challenges remain unsolved the GDPR readiness pathway quickly becomes bogged down by manual data location activities and endless repetition of effort across multiple source systems – which is both an expensive resource sink and an imperfect method of satisfying the upcoming ‘privacy by default/design’ requirement.
We shouldn’t have to resort to the ‘person with a clipboard’ method when it comes to cataloguing information and trying to build some sort of single view of an individual. Inefficient, manual and arduous methodologies will not result in organisation-wide readiness before the deadline.
There is only one way to solve these problems – enterprise-wide adoption of smart technologies that will greatly reduce the inefficient time sink created by manual auditing.
If I can use software to solve the four challenges mentioned above I can better coordinate my resources in ensuring that all data is processed in-line with GDPR, instead of worrying that I can’t find and organise personal and sensitive data in the first place.
Thankfully there is technology out there which can help, and data discovery technology is the best fit due to its flexibility and capabilities around finding, cataloguing and organising data.
Below I’ve set out four areas where I think data discovery software can greatly improve your GDPR readiness strategy.
1. Finding out where data is held
The first step to readiness is finding out what personal and sensitive data is held and where exactly that data can be found. This can be wide-ranging – from your operational systems to customer testimonials to marketing mailing lists to customer complaints and everything in between.
This information is found in structured databases, semi-structured XML files, unstructured file systems on individual workstations, cloud-based file systems – you name it, you need to check if there is personal or sensitive data in those systems. Indeed, 80% of all organisational data is unstructured if you believe the statistics!
Finding out where information is held can be easy in some systems, but finding out how many John Smiths I have across 3000 private file directories on separate workstations is going to take me a long time if I’m using a clipboard and ball-point pen.
Thankfully data discovery software can take all information – from databases, XML files, file directories, the lot – and search against it simultaneously, instantly finding me every mention of John Smith across my thousands of previously siloed data sources. No more clipboard required!
2. Cataloguing personal and sensitive data across structured, semi-structured and unstructured sources
Though finding the information is probably the biggest challenge for businesses at the moment, cataloguing the information after it has been found can be just as hard.
I will never be able to build up a clear picture of my personal and sensitive data without a clear information cataloguing strategy.
Trawling through each system to find out where I keep IP addresses, who owns the IP address, what I’m using it for and what the legal basis for processing it is WITHOUT some sort of automatic metadata cataloguing process is going to take weeks of effort. Weeks that are quickly running out…
Modern data discovery software includes comprehensive metadata cataloguing to help identify what data is held where, why, by whom, and for what reason. Smart business rules and regular expressions can extract structure from unstructured and semi-structured data sources, to help automatically build a ‘big picture’ of personal and sensitive metadata.
So instead of just finding out whose data is held where, I can now find out what types of data are held where. If only there were a way to combine these…
3. Creating a single view of information
…through creating a single view of information?
Experian state that “89% of organisations continue to face difficulties in achieving a single customer view”.
This is largely due to a systemic complexity across multiple systems that software has so far struggled to solve. When semi-structured and unstructured data are included as well, the dream of a unified single view can very quickly start resembling a nightmare.
The reason is simple – relational databases and unstructured data sources do not play nicely, and no amount of tweaking and changing will make legacy back-ends handle unstructured data as well as a more modern approach.
This problem is further exacerbated by GDPR. It’s quite hard to argue that any approach that does NOT create a single customer view is going to make it easy for customer service personnel to respond to subject access requests, data portability requests, the right to be forgotten, etc.
Alternative architectures have been tried and tested to try and solve the unification problem in terms of creating that mythical ‘single customer view’ that only 11% of organisations claim they have successfully done.
An architecture which includes modern data discovery software can quite easily create that single view. By storing all files in a unified ‘index’ format, the challenges posed by joining different data from different file types and different data sources are easily overcome.
This allows a comprehensive single view of information to be built across the entire organisation, achieved through combining data discovered across siloed systems with the metadata information catalogue.
Once you have that single view of information, any user can make an enquiry and easily navigate from one entity to another without having to be concerned about logging into multiple systems and re-establishing the context of the search based on system configuration.
Putting it all in the same place and showing it in the same format provides a powerful resource for maintaining information security and establishing what data is being processed, whose data it is, why it is being processed and by whom. In addition to finding how much John Smith data I have, I should now have a full visual history of each John Smith’s interactions with my organisation from day one to the present day.
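To make the three steps above concrete (search every source type at once, catalogue what type of personal data each source holds, and join the findings into one per-subject view), here is a small Python data discovery tool. It is an added example written for this article, not the author's software or any vendor's product. It assumes three constructed sources standing in for real systems: an in-memory SQLite database, an XML marketing list and a dictionary of workstation text files, all with fictitious values. The detection rules are illustrative regular expressions for e-mail addresses, IPv4 addresses and UK postcodes; a real catalogue carries many more rules, matches names by dictionary or named-entity recognition rather than regex, and validates hits, because patterns like the postcode one will also fire on product codes.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Illustrative rules, constructed for this example; names need a dictionary or NER, not regex.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
}

@dataclass
class Record:
    source: str    # e.g. "db:customers", "xml:marketing", "file:/ws17/complaints.txt"
    location: str  # row id, element position or line number within that source
    found: dict    # data type -> set of matched values (empty if nothing personal found)

def classify(text):
    """Apply every rule to one piece of text; return {data_type: {values}}."""
    found = {}
    for dtype, rx in PATTERNS.items():
        hits = set(rx.findall(text))
        if hits:
            found[dtype] = hits
    return found

def scan_database(conn):
    """Structured source: one record per row. Table names come from sqlite_master, not users."""
    records = []
    for (table,) in list(conn.execute("SELECT name FROM sqlite_master WHERE type='table'")):
        for row in conn.execute(f'SELECT rowid, * FROM "{table}"'):
            text = " ".join(str(v) for v in row[1:] if v is not None)
            records.append(Record(f"db:{table}", f"rowid={row[0]}", classify(text)))
    return records

def scan_xml(name, xml_text):
    """Semi-structured source: one record per top-level element, using all its text."""
    records = []
    for i, elem in enumerate(ET.fromstring(xml_text)):
        text = " ".join(t.strip() for t in elem.itertext() if t.strip())
        records.append(Record(f"xml:{name}", f"{elem.tag}[{i}]", classify(text)))
    return records

def scan_files(files):
    """Unstructured source: one record per non-empty line of each file (path -> content)."""
    records = []
    for path, content in files.items():
        for n, line in enumerate(content.splitlines(), 1):
            if line.strip():
                records.append(Record(f"file:{path}", f"line {n}", classify(line)))
    return records

def build_catalogue(records):
    """Section 2: which personal-data types each source holds."""
    cat = defaultdict(set)
    for r in records:
        if r.found:
            cat[r.source].update(r.found)
    return {src: sorted(types) for src, types in cat.items()}

def build_index(records):
    """Section 3: one index keyed by e-mail address, the identifier the sample sources share."""
    index = defaultdict(list)
    for r in records:
        for email in r.found.get("email", ()):
            index[email.lower()].append(r)
    return index

def subject_view(index, email):
    """Everything held about one subject: (source, location, all values in that record)."""
    return [(r.source, r.location, sorted(v for vals in r.found.values() for v in vals))
            for r in index.get(email.lower(), [])]

def load_sample_sources():
    """Constructed sample data standing in for real systems; every value is fictitious."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(name TEXT, email TEXT, postcode TEXT);
        INSERT INTO customers VALUES ('John Smith', 'john.smith@example.com', 'SW1A 1AA');
        INSERT INTO customers VALUES ('Jane Doe', 'jane.doe@example.net', 'M1 1AE');
        CREATE TABLE web_logs(client_ip TEXT, account TEXT);
        INSERT INTO web_logs VALUES ('203.0.113.7', 'john.smith@example.com');""")
    xml_text = """<subscribers>
      <subscriber><name>John Smith</name><email>John.Smith@example.com</email></subscriber>
      <subscriber><name>Sam Lee</name><email>sam.lee@example.org</email></subscriber>
    </subscribers>"""
    files = {"/ws17/complaints.txt": "Complaint from john.smith@example.com about order 4412\n",
             "/ws42/ip_notes.txt": "Repeated failed logins from 198.51.100.9\nNothing else here\n"}
    return conn, xml_text, files

def run_discovery():
    """Section 1: scan every source type in one pass; return records, catalogue and index."""
    conn, xml_text, files = load_sample_sources()
    records = scan_database(conn) + scan_xml("marketing", xml_text) + scan_files(files)
    return records, build_catalogue(records), build_index(records)
```

Calling `run_discovery()` and then `subject_view(index, "john.smith@example.com")` returns four hits for that subject: the customers row, the web_logs row (which also ties the IP address 203.0.113.7 to him), the marketing subscriber entry (matched despite its different capitalisation) and the complaint line on a workstation. The catalogue, by contrast, answers the section 2 question of which data types live where without naming anyone. Keying the single view on a shared identifier is the design decision that matters: if the sources disagree on the identifier (customer numbers in one system, e-mail in another), the index needs a mapping between them, or the "John Smith on workstation 17" problem comes straight back.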
4. Maintaining readiness post May 25th
Assuming we can reach a point where we are somewhat ready by May 25th without using any smart software or GDPR solution, the question of how I maintain readiness still remains unanswered.
GDPR establishes loads of rights for individuals – the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision making and profiling.
The significant part of establishing readiness prior to May 25th is ensuring that after go-live each of these ‘rights’ has a clearly defined business process from request to response.
This one’s pretty simple from a technological perspective – if I have all my data in the same place and viewed through a single interface it will greatly empower my ability to respond to a data portability request, a subject access request, an erasure request, etc.
GDPR solutions built on data discovery software can contain additional reports, portals and data capture forms to help customer service teams respond to these requests in an efficient and simple manner.
There is no silver bullet for GDPR. Every solution is only going to work with enterprise-wide adoption and conformity, with each and every employee educated on their responsibilities in regards to GDPR and what they can and can’t do.
Despite this, data discovery software will help enormously. Without it, you won’t find the weaknesses in your strategy until you receive your first data portability request on May 25th!