Taking the wrong approach to GDPR compliance
Data management is about to get even harder.
The General Data Protection Regulation, the EU’s new comprehensive privacy regulation will enable individuals to have their data deleted, moved, or produced upon request. While this is a groundbreaking step for individual data privacy rights, the regulation’s steep demands coupled with fines of up to 4 percent of global annual turnover put organizations in a compromised position in which their management of data assets can be dictated by third parties.
There is also the potential for mass misuse of these new rights.
For instance, consider the mishap a dissatisfied celebrity with a large following could cause by compelling their social media followers to ask an organization to delete all their personal data. This organization could be faced with the task of having to identify and delete data for hundreds or even thousands of data subjects in a short period of time.
There are also lingering questions about whether companies could somehow weaponize GDPR against their competitors in a similar fashion through affecting an influx of subject access requests with the goal of disrupting business operations.
Such uncertainties, among others, will have to be addressed by the regulators, but currently many problematic questions yet remain with regards to how GDPR will be enforced.
Preparing for May
As a means of ensuring compliance with GDPR once it goes into effect this May, many organizations are now trying to set in place processes and technologies that will allow them to locate, produce, and delete data when requested. The issue with the approaches being taken, however, is that they’re reactive.
Due to the large volumes of requests companies are likely to receive, the stringent timeframes for responding, and the potentially massive fines, organizations will likely have to scramble to respond to data subjects’ requests. Many organizations have little understanding of how data is being used because it’s not properly governed, and therefore cannot defensibly justify its use.
The truth is, while many solutions will claim to help find personal data, that is just one step in a process that is much more complicated than most realize. These solutions likely won’t enable organizations to bridge across all data types, formats, locations, modes of management, and functions.
Are organizations going to search each data silo individually? Once they find the data, then what? Can they delete data with confidence knowing that it’s not being used for other legal, regulatory or business purposes? There will be a dynamic hierarchy dictating which of the various data functions take precedence when they conflict, and reconciling them will be exceptionally difficult if each function is managed in isolation.
Furthermore, if data is not classified, users will have to make real-time decisions on what data can be deleted, which may be near-impossible given the tight windows, the lack of insight into how data is being used across the enterprise, and no way of controlling it all in synergy.
Without true understanding and governance over their data, companies will be put in a compromised position in which power over how they manage data assets is transferred to the data subject. When overloaded with a mountain of subject requests, and data yet to be classified based on its purpose to the company, what choice will employees tasked with servicing such requests have other than to simply comply with them?
The road not taken
An ideal approach will be one in which organizations can proactively classify, govern and search all unstructured enterprise data from a single location. In such a system, data is assigned a lifecycle management policy based on how and why it is being used, enabling organizations to defensibly justify and demonstrate its use to a data subject or supervisory authority. These types of granular controls have traditionally only been applied to traditional records, and thus few platforms are capable of applying them across the entirety of enterprise data.
When properly deployed, however, organizations embracing this holistic approach find a wealth of benefits: One singular search bridges all data silos, which means no scrambling to find which systems an individual has personal data in. Deduplication simplifies data remediation, and helps ensure data is never deleted when it needs to be kept or vice versa. And finally, records management, eDiscovery, compliance and analytics are all executed within the same platform and with a single data set, so that policies from each of these functions can be seamlessly managed in synergy.
As the number of functions for data grow, so do the number of data silos across today’s enterprises. Even now the complexity of managing these silos individually tests the limits of traditional strategies. For companies wishing to address the fundamental issues underlying such strategies, perhaps it’s time we rethink the rules of information management.