If you are reading this you have heard of the General Data Protection Regulation (GDPR) and are concerned whether it applies to you. Since it applies to all European Union citizens, no matter where they are located in the world, it is very likely that it does. The question of enforceability, especially if you don’t have an EU presence, is a different issue. But most multi-national companies are following the requirements down to their supply chain, so if you are not compliant, you may find business opportunities drying up.
The first step to compliance is to understand your data. You need to do an exercise called data mapping. Data mapping for GDPR is not the same as matching up database schemes. It is more like a data inventory and it is a fundamental requirement for your privacy compliance strategy. How can you protect something if you don’t know that you have it? In data mapping, you act as a journalist, analyzing your data flows, and answering the five W’s of reporting; Who, What, Where, When, and Why. Data mapping can benefit your business in other ways too, such as identifying key data sources, eliminating duplicate data stores, and consolidating data to provide for a smarter use. The healthcare industry went through similar efforts fifteen years ago with the advent of HIPAA.
You need to know whose data you collect or use, who in your organization uses it, who has access to it, and who is responsible for it while it is under your control.
Look at the data elements you collect and store. This is an opportunity to eliminate needless data. Is your marketing department ever going to do a fax based campaign again? So, get rid of those fax numbers. Superfluous data costs time and money to store, keep track of, and maintain. It also increases your risk of accidental disclosure. The GDPR does not distinguish between data people really care about, such as social security numbers and archaic data like old fax numbers. A disclosure of either carries the same fine!
This answers where the data is stored or moved. Did you know you really had that many databases? Not only the server based databases, don’t forget the desktop versions as well. If it is standard practice for your reporting department to provide data dumps in an Excel file, you need to consider other methods. Those files end up on USB sticks to take home for the weekend and the sticks are accidentally dropped at the kid’s soccer game on Saturday. Consolidate your data and consider providing access for a limited timeframe. And remember to account for your data backups. As backup data ages, it tends to migrate to less accessed and monitored storage, where it can become vulnerable to attack. Now that you moved to the cloud and have hot redundancy in two datacenters, are you ever going to recover from your five years old backups?
You need to identify when the data is collected, when is it used within your organization, when is it transferred to another entity, when is backed up, and when is it destroyed. By understanding the timelines with your data, you can understand which data is fresh and is more valuable to your organization. If you only use the data in the first two weeks you get it, keeping it around forever only increases your risk of accidental disclosure. Get rid of it or depersonalize it so it is safe to keep.
You will understand why you collect this data, what you do with it, why it is important to you. The GDPR has clarified the definition of personal data to include anything traceable back to an individual, so everything from IP addresses to license plate numbers are included. So, if your ecommerce site collects IP addresses, you need to ask what are you going to do with them.
As a final note, you don’t necessarily need to go down to nth detail in your data mapping. All modern quality and compliance programs incorporate risk assessment and management as a fundamental aspect. Using your risk management process can guide you with the depth of your data mapping. Not all data is equal, so don’t treat it as such.
Questions? Contact Optimal IdM today.