Data Pollination: A GDPR Challenge
Stephen Cairns, Enterprise Architect, Advisory Services, Version 1
For those who do not already know, the new Europe-wide General Data Protection Regulation (GDPR) took effect on the 25th of May this year.
This change effectively made the data protection rules identical throughout the EU. The new rules apply to any information relating to an identified or identifiable living EU data subject, and effectively take ownership of that data out of the hands of the organisations holding it and place it under the control of the individuals the data is about. Organisations which hold data on individuals now face an extended range of data regulations (with associated stringent penalties) which they must comply with.
When it comes to hosting GDPR compliant data, organisations typically have various data stores such as databases or other content locations (e.g. SharePoint sites) which are designed to be centrally located repositories that are well managed, secure and documented.
To staff, however, data should be considered very much like pollen to a bee: it is collected because it is useful to their job, but in processing it, just as with a bee, it is not uncommon for some of it to be deposited in various unintended locations.
So why is this a problem?
To meet the rights of individuals, organisations can no longer act like they own personal data. It may be a cliché, but GDPR truly is a paradigm shift. Organisations must now act and behave like the custodians of this data. A key aspect of achieving this is to understand where GDPR compliant data is stored and to treat it with the necessary processes and procedures to safeguard it.
Organisations are typically treating this as an IT problem and bringing traditional IT approaches to meet the challenge. This usually involves mapping the architecture of the systems holding such data: tracking where the data comes in, which paths it travels along, where it resides and which other systems, if any, receive that data.
However, the interaction between GDPR compliant data and the efficiency measures staff adopt when processing it often results in the data no longer being contained in just the intended data stores, but residing in further undocumented and less well managed locations. Such data is often stored in these locations in a different form or at a different level of quality compared to the original.
Examples of this include:
• The extraction of GDPR compliant data from databases into Microsoft Excel files, which are then stored on desktop PCs and/or uploaded and shared on internal social networking services
• Using personal devices to receive work e-mails containing GDPR data
• Adding screenshots of applications showing GDPR compliant data to ticketing tools.
The effect of GDPR can be considered as the equivalent of turning personal data into hazardous material: whilst it may be critical to your business, it is extremely important to limit quantities and exposure.
Steps to address Data Pollination
The unintentional or informal spread of GDPR applicable data around an organisation should be a real concern to many organisations. Whilst personal data may be critical to your business, it is extremely important to limit quantities and exposure. It is therefore necessary to review what steps can be taken to identify and address any data pollination that may be occurring within your organisation.
Understand who has access to the Data – It can be surprising how many different people and organisations have access to the data you store. For each system holding GDPR compliant data, ensure you have tracked the different teams and individuals who have access to it.
Map the Processes & Tools – Once you understand who is accessing the relevant data, you can start to study what they are knowingly and unwittingly doing with it. This may include the use of other programs and tools, such as Microsoft Excel, e-mail and BYO devices, to manipulate and review the data.
Review & Change – Review each process and tool to understand what is essential and what can be modified or stopped to reduce exposure. Ensure these changes are reinforced with new procedures and staff training.
Document – Accountability is a key principle of GDPR. Being GDPR compliant is not just about doing the right thing; there is also an onus on an organisation to prove compliance by evidencing the GDPR measures it has taken and their effectiveness when requested. To help meet this evidential requirement, ensure all the data interaction steps you take, including those listed above, are captured and documented.
Finally, compliance is not something you can achieve and then walk away from; it is a continuous process. Put in place measures and processes that can effectively repeat all the above activities to ensure your organisation remains compliant throughout its ever-evolving journey.
To learn more about GDPR and the steps you can take to facilitate your organisation’s compliance, contact Version 1.
About Version 1
Version 1 proves that IT can make a real difference to our customers’ businesses. We are trusted by global brands to deliver IT services and solutions which drive customer success. Our 1000 strong team works closely with our technology partners to provide independent advice that helps our customers navigate the rapidly changing world of IT.