The missing link in GDPR compliance
A lot of water has run under the bridge since 2018, when we were introduced to the new rules of how companies should stay compliant in relation to personal data. GDPR access control via systems is still one of the most important areas to focus on for businesses to succeed at their sensitive data management today.
Data protection for GDPR compliance
Since 2018, many companies and software vendors have had time to adapt to the 7 principles of GDPR. By adapting to these 7 principles, one will end up with a data policy, and the corresponding processes to handle what is “feasible” for most companies and organizations.
While companies adapt their data governance around these 7 principles, some software vendors have developed processes that companies should use to be compliant, covering different cases where you have to take actions in relation to GDPR. We call these GDPR compliance systems. The objective of these is to make the handling of personal information easier and more comprehensive in core business systems like CRMs, ERPs, HR/HCMs.
The most serious vendors have advanced a lot in this area, but mostly for data that is already structured and traceable, meaning it sits in something like an Excel file rather than in a random document hidden in an email system. That is something most companies could handle as situations arise. But is this good enough?
Compliance for both structured and unstructured data
If data were only in a structured form – yes. Still, inside companies and organizations it rarely is. Data is messy, because we humans are messy in the way we work when it comes to data structure. However, this creates unique value in daily business life; what each individual does with data is what creates uniqueness and individual business value. We do not want to prevent or stop this, because it represents a lot of value.
What is structured data, unstructured data and semi-structured data, you might ask? If you want to learn more about this, here is an answer for you. Generally speaking, structured data is formatted into a tabular form or similar, while unstructured data is not, such as an image. Semi-structured data is a little of both, such as a piece of code.
Those who track how data is developing in companies and organizations (IDC, Gartner, etc.) present the challenge very visually: their findings show that structured data is growing linearly, while unstructured data is growing exponentially, or out of control, each year, as a sort of data explosion.
Inside your core systems, your data is under control – it is structured and traceable. Staying compliant with GDPR there is manageable by establishing a Data Policy and staying accountable to it. Today's challenge is outside your core systems – in unstructured data, the largest bulk of your company's data. If it is not taken care of, it will represent a large risk to compliance and to the future reputation of your company.
Who should care about this risk?
Obviously, the key people to care about the reputation of a company are the CEO and the board. Still, it is too much to ask of a CEO to have her/his fingers on everything in a company. No CEO has the bandwidth to handle the reputational threat that unstructured data represents.
So, to make it scalable, most companies establish positions inside risk and compliance units. The position that should care the most is the Data Protection Officer, whose role is to make the “risk situation” visible to the CEO and the board in such a way that they can “take action”.
The risks
Once you have a good view of the risk situation, it is feasible to take action to minimize the risk. There are many examples of risk triggers, such as:
- The sales unit not respecting the data policy in regard to how personal numbers, credit cards and IDs from customers or business partners are handled.
- Managers storing sick leave information in mail folders or file folders.
- Managers storing employee information outside the HR system.
- Recruiters storing CVs outside the HR system.
We find these examples in all companies and organizations, yet they could easily be kept under control by taking action; that is, if you had a tool to get the full picture of the situation.
Take action
There are many ways in which you can take action to reduce the risk and stay compliant. Here are 4 ways to manage internal compliance with GDPR compliance control systems:
- Conduct a "clean up" of personal information. This is a big job at first, but a small job when routines are established. This can be done every quarter.
- Send a personal task to employees who do not respect the data policy. Inform them: "Your mailbox contains 22 credit cards, 2 passports and 7 sick leave notifications. It is located on this path…." It really can't get easier. This could be handled with a monthly risk assessment.
- Report to the board that CVs are not handled in a proper way and/or that the HR unit needs GDPR training to get the “know-how” of how to handle CVs and where to store them. This can also be handled with a monthly risk assessment.
- Report to the CEO and board that managers store personal information about employees outside the data policy rules: in other words, they need training.
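As an added example (not code from the original post or from any vendor's product), a minimal scan of constructed mailbox contents that counts card numbers (Luhn-validated to cut false positives such as invoice numbers), passport numbers and sick leave mentions per mailbox, and produces the per-employee task message described above. The paths, messages and detection patterns are assumptions; a real compliance system would carry per-country rules and read many more formats.

```python
import re
from collections import Counter

# Constructed sample data: "mailboxes" keyed by storage path. Values are made up;
# the card numbers are well-known test numbers that pass the Luhn check.
SAMPLE_MAILBOXES = {
    "/mail/alice/Inbox": [
        "Order confirmation: card 4111 1111 1111 1111 charged.",
        "Please pay using card 5500-0000-0000-0004, thanks.",
        "Status: sick leave from 2024-03-01, doctor's note attached.",
    ],
    "/mail/bob/Sent": [
        "Invoice number 1234 5678 9012 3450 is overdue.",  # fails Luhn: not a card
        "Passport No. P12345678 scanned for the travel desk.",
    ],
}

# Assumed detection patterns (hypothetical; tune per country and data policy).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
PASSPORT_RE = re.compile(r"\bpassport\s*(?:no\.?|number)?\s*[A-Z]?\d{7,9}\b", re.I)
SICK_LEAVE_RE = re.compile(r"\bsick\s+leave\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters order/invoice numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_mailbox(messages) -> Counter:
    # Count personal-data findings across one mailbox's messages.
    counts = Counter()
    for text in messages:
        for m in CARD_RE.findall(text):
            if luhn_ok(re.sub(r"\D", "", m)):
                counts["credit card"] += 1
        counts["passport"] += len(PASSPORT_RE.findall(text))
        counts["sick leave notification"] += len(SICK_LEAVE_RE.findall(text))
    return counts


def risk_report(mailboxes) -> dict:
    # Build the per-employee task message for every mailbox with findings.
    report = {}
    for path, messages in mailboxes.items():
        found = {k: v for k, v in scan_mailbox(messages).items() if v}
        if found:
            summary = ", ".join(f"{v} {k}{'s' if v != 1 else ''}" for k, v in found.items())
            report[path] = f"Your mailbox contains {summary}. It is located on {path}."
    return report
```

Running `risk_report(SAMPLE_MAILBOXES)` yields one message per mailbox; Bob's invoice number is dropped because it fails the Luhn check.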
These 4 focus on the internal structures for compliance. Yet externally there are also threats in unstructured data. Here are some examples:
- One of your servers was hacked. What personal information was on that server? Who are the persons at risk? How do I report this to the authorities, and the individuals at risk? How do I do this in 72 hours?
- A customer wants to know what information is stored about them – this can be a challenge if it is not handled properly. To be compliant you have to respond within 30 days.
- The same customer wants "to be forgotten”. Finding and deleting all the data can be very time consuming. Also, how do you document that the data has been deleted?
- Someone from outside the company got access to the file server – what data was exposed? A report to the local data regulators should be created within 72 hours.
- Someone accidentally published personal and sensitive information on the company website. What kind of data was published, and what kind of personal information was breached? A report to the local data regulators should be created within 72 hours.
The missing link to unstructured data
The GDPR is a regulation that applies to all data, no matter whether it is structured or unstructured. Today that seems quite impossible to do without a GDPR compliance system. How else are you going to connect to all of your data sources, read all kinds of data formats, and create reports of your assessments? The missing link you need to be compliant with your unstructured data, going from wishful thinking to applying it in reality, is a compliance system.