Within the next twelve months (May ’18), organizations impacted by the EU’s General Data Privacy Regulation (“GDPR”) will be under a new level of scrutiny as enforcement of the regulation takes effect.
The GDPR applies to private sector organizations which process the personal data of data subjects based in the EU. With maximum non-compliance fines of the higher of €20m and 4% of the organization's worldwide turnover, global organizations and US-based companies marketing their goods and services to data subjects of EU member states are also subject to this regulation, and should be taking this seriously.
The GDPR has expanded the definition of personal data to include additional data types, and require organizations to maintain records of processing activities (Art.30). Further, organizations must be able to demonstrate that processing is performed in accordance with the GDPR (Art.24.1).
Where does one begin?
It starts with the data
Obtaining an evergreen knowledge base of how your organization handles personal data as defined by the GDPR is the MO. Organizations should start with data re-classification in light of the broader definition of personal data, discovering where this data resides, and understanding how this data is used.
In the past, your organization may have spent a significant amount of money and FTE time to paint this picture; however, if asked, how confident are you with the accuracy and completeness of your picture today, how would you respond?
As an example, when EU data subjects exercise their right to be forgotten, organizations must know not only where their personal data resides, but also how to remove or pseudonymize the specific data to a degree of completeness which complies with the GDPR, as well as by means that do not impact downstream systems.
By this example, three dimensions of your data you will be required to know are:
- What type and classification;
- Where it resides; and
- How this data is being handled.
In our experience, understanding how this data is handled is where most begin to lose confidence; not surprisingly, it is also the most labor intensive and expensive to achieve.
IOR Insight is a critical tool for sustainable and continuous compliance. It supplies the dynamic and practical visibility needed by organizations and their Data Protection Officers to respond to the demands of GDPR.
An approach to GDPR compliance with IOR Insight
We’ve outlined a few tactical steps for leveraging IOR Insight to discover, classify, and understand how your data is used. This is one way you can efficiently get the information you need to plan for how your organization will respond to GDPR.
- Develop and maintain a formal recognition of data types that fall under the definition of personal data by leveraging the IOR Insight platform’s out-of-box GDPR data set
- If you’ve already scanned for personal data using the low-level scanning tools, import that information into IOR Insight using our flexible integration connector so that data classification and other data associations can be managed in an organized and efficient manner
- Leverage IOR Insight’s Survey Manager to rapidly identify how your organization collects and processes GDPR in-scope data
- Let IOR Insight generate data flow visuals as well as automatic cross-referencing all related information to understand metrics and associations of data usage
- Add additional documentation and refinements to in-scope business processes in the Data Flow Manager to fine-tune understanding and clarify activities for later planning and auditing.
The next steps depend on your team’s priorities. If you need to develop retention requirements and storage limitations, you now have the business purpose associated with data and other attributes needed to complete that activity. If you want to track and manage risk remediation activities, IOR Insight can produce actionable and detailed data handling or control violations that can be tracked through the IOR Insight Risk Manager. Perhaps you will want to extract/import into other risk dashboards if your organization has a preferred tool for that.
Finally, you will be able to validate your organization's ability to respond to data subjects seeking to exercise their rights by leveraging the data flow analytics to understand the scope of responding to a request related to personal data and develop standard procedures for the search, modification, and removal of a record, in consideration of upstream and downstream dependencies. You’ll even be able to track opportunities for data minimization, "pseudonymisation", encryption, etc.
What map will you use to navigate the GDPR?
GDPR is a tall order, and necessitates a usable, working knowledge of your personal data processing. For organizations with limited visibility into their sensitive data processing, it will be a scramble until May 2018.
The first step in data protection is to understand where your data resides and how it is processed. The challenge is to do so in a sustainable and scalable way.
IOR Insight is prepared to be your platform to help make that possible.