Turnkey recently held a roundtable event to look at how different organisations are currently preparing. The overall conclusion? Not surprisingly, it’s complicated. But in reaching this verdict, the conversation gave rise to interesting and useful insight.
Defining personal information
It was unanimously agreed that the first step in any compliance effort is to establish what personal data is held, and where, within each organisation.
Previous data protection law has used the broad definition that personal data is anything that can identify an individual. The GDPR adds the specifics of cookies and IP addresses, items that have not previously needed to be considered.
One option is to treat all data as personal until it is clear that it isn’t. Alternatively the question can be reframed as deciding which customer data to keep, although this requires assumptions to be made, which can be risky.
However, in reality there can be multiple definitions and a piecemeal approach across the different projects, departments and locations of an organisation. Equally, there is often a cultural difference between the IT team, for whom something either is or isn’t personal data, and the legal department, where there are more grey areas.
What are people worried about when defining personal data?
- Making assumptions about what data to keep, because the whole picture isn’t clear, is not a comfortable position to be in.
- The multiple definitions add additional complexity; for example, can a name and email be kept for workflow processes? Can bank details be retained?
Lessons learned to date:
- Any solution needs to take into account that, because interpretations can differ across departments and specialisms, definitions of personal data must be clearly spelled out.
- One workable approach is to focus on mitigating exposure to the risk; in other words to take a risk-based approach to non-compliance.
Preparation and advance planning
A key concern raised by multiple attendees was the lack of guidance so far provided by the Article 29 Working Party and its impact on preparation and planning. While clarity on a number of topics is expected in due course, there is concern that it will be issued too late for any subsequent recommendations to be implemented.
It’s also a given that advice usually changes with hindsight; in five years it is highly likely that recommendations for complying with GDPR will be very different. This adds further weight to the challenge of what enterprises should be doing now.
And while the legal teams at the top of an organisation may focus on GDPR, there is no guarantee it will be a priority for the IT team.
On a more positive note, GDPR as a market imperative remains a growing topic of discussion. While the task of mapping all personal data and reviewing its use and security may initially seem overwhelming and burdensome, it can also be viewed as an opportunity to recognise the benefits of adopting robust data protection. Where organisations had previously associated information with the mantra ‘the more the better’, many are now becoming conscious of the need to limit data flows in order to satisfy individuals’ awareness of their data privacy rights and to maintain a state of both compliance and transparency.
What are people worried about when planning for GDPR?
- Uncertainty: GDPR is viewed as a ‘moveable feast’, with the unknowns making it difficult to offer advice or know exactly how to prepare for it.
- In terms of what ‘good’ looks like from a legal perspective, there often isn’t the lead time to get to that point. As a result, many of the tasks that are generally accepted as necessary get completed, yet the organisation still ends up nowhere near compliance.
Lessons learned to date:
- It’s important to acknowledge that organisations hoard data; GDPR will challenge how much of that is required.
- Responses to GDPR must guard against being overly bureaucratic and prescriptive; it’s important to balance encryption against performance by ensuring that business-critical data remains available.
Data retention and deletion
An organisation needs to know what personal data it has before it can take decisions about what to delete. This is straightforward for structured company data, although back-ups need to be considered too: how much information is held in them, for example, and is it readily accessible? However, it becomes almost impossible for unstructured data (such as spreadsheets containing lists of prospects) that may be held outside company networks. Asking teams to delete this information goes against their business development objectives.
Archiving data raises further questions. Currently, when a member of staff leaves, for example, the SAP HR module strips the personal record of information that is no longer relevant, such as the bank account details used for salary payments, and retains only the details required for a future pension payout, before archiving it. GDPR may prompt a redefinition of archiving and data retention requirements.
In terms of which data to retain and for how long, policies will need to be reviewed and possibly rewritten, but at present it is difficult to know what will constitute reasonable time periods. All activity around deleting data must be carefully considered to ensure the business still has what it needs to operate.
What are people worried about when deciding which data to keep and what to delete?
- Unstructured data is a big issue: its nature means it is not necessarily visible and it is a key business development tool.
- Multiple regulators with multiple requirements add further complexity and uncertainty.
- Companies can be audited at any time without warning, and what is compliant in one country may not be in another.
Lessons learned to date:
- Compliance can be costly. Taking the mis-selling of PPI as an example, an organisation’s data retention policy will enable it to put right past mistakes, something which is likely to play an increasingly important part in regulation.
- Company policies stating that employees must remove a certain type of corporate data from their personal systems do not by themselves make the organisation compliant. It needs to be confirmed that the data was actually removed, for example by verifying that employees delete emails after a fixed period of time.
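The archive-time stripping of a leaver’s record described under “Data retention and deletion”, together with the point above that a deletion policy only counts once removal has been confirmed, is sketched below in Python as an added example. It is not code from Turnkey, SAP or the roundtable participants. The field names, the retained-field purposes, the 365-day email retention period and the sample records are all constructed assumptions; in practice the policy would come from the organisation’s own retention schedule.

```python
from datetime import date, timedelta

# Assumed retention policy for a leaver's HR record: only fields with a
# documented purpose survive archiving; everything else is stripped.
ARCHIVE_RETAIN = {
    "employee_id": "pension administration",
    "full_name": "pension administration",
    "date_of_birth": "pension administration",
    "pension_scheme_ref": "pension administration",
    "leaving_date": "pension administration",
}

# Assumed policy: mailbox items older than this must already have been deleted.
EMAIL_RETENTION_DAYS = 365


def archive_leaver_record(record):
    """Strip a leaver's record down to the retained fields.

    Returns (archived_record, stripped_field_names) so that the names of the
    removed fields can be logged as evidence of minimisation, without ever
    logging their values.
    """
    archived = {k: v for k, v in record.items() if k in ARCHIVE_RETAIN}
    stripped = sorted(k for k in record if k not in ARCHIVE_RETAIN)
    return archived, stripped


def overdue_emails(mailbox, today):
    """Return ids of mailbox items still present after the retention cutoff.

    A non-empty result means the 'delete after N days' policy exists on paper
    but is not being enforced for this mailbox; that is the check the
    organisation needs before it can claim the data was removed.
    """
    cutoff = today - timedelta(days=EMAIL_RETENTION_DAYS)
    return [m["id"] for m in mailbox if m["received"] < cutoff]


# Constructed sample data (hypothetical person, hypothetical mailbox).
SAMPLE_LEAVER = {
    "employee_id": "E-1042",
    "full_name": "A. Example",
    "date_of_birth": date(1980, 5, 17),
    "pension_scheme_ref": "PS-77",
    "leaving_date": date(2018, 3, 31),
    "bank_account": "12345678",
    "bank_sort_code": "00-00-00",
    "home_address": "1 Example Street",
    "emergency_contact": "B. Example",
}

SAMPLE_MAILBOX = [
    {"id": "m1", "received": date(2016, 1, 10)},   # well past the cutoff
    {"id": "m2", "received": date(2017, 11, 2)},   # inside the retention window
    {"id": "m3", "received": date(2018, 2, 20)},   # inside the retention window
]

SAMPLE_TODAY = date(2018, 3, 31)  # assumed audit date


def run_checks(today=SAMPLE_TODAY):
    """Apply both checks to the sample data and return the findings."""
    archived, stripped = archive_leaver_record(SAMPLE_LEAVER)
    return {
        "archived_fields": sorted(archived),
        "stripped_fields": stripped,
        "overdue_email_ids": overdue_emails(SAMPLE_MAILBOX, today),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The two functions deliberately return evidence rather than just acting: the list of stripped field names can go into an archive log, and a non-empty list of overdue email ids is the finding an auditor would want to see, rather than a copy of the policy document.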
Continue reading in Part 2: Richard Hunt shares his insights on privacy, what GDPR will mean for business operations, the penalties for non-compliance and recommendations for the months ahead.