Critical GDPR Considerations That No One is Talking About
In preparation for Adlib’s Not Just Another GDPR Webinar session, Duncan Bradley binge-watched 60 GDPR webinars—so that you don’t have to. (We’re pleased to report that Duncan’s caffeine jitters have finally passed, and he can safely enjoy a macchiato once again.)
We covered off Duncan’s key takeaways from those webinars in our 60 GDPR Webinars in 60 Seconds with Duncan Bradley post. If you haven’t done so already, take a minute to check it out to get up to speed on the current discourse in GDPR webinars.
Although Duncan gathered some useful insights from his GDPR webinar marathon, he noticed that a few key pieces of information were missing from the conversation. Read on for key insights into a critically important piece of GDPR that nearly every industry analyst and expert has glossed over: data subject rights (particularly the “Right to Be Forgotten”) and how best to execute on them.
What’s Missing from the GDPR Conversation
When it comes to GDPR compliance, the biggest issues are likely to come from somewhere other than the fines that everyone is so fixated on. There are real costs associated with not recognizing the risks that come with certain data subject rights, and with not understanding how to successfully execute on those rights while establishing a strong audit trail.
A lot of the data subject rights of GDPR have an inherent problem in common: the “Right to Know,” the “Right to Have Rectification,” and the “Right to Be Forgotten” all require that a company uncover all sources of PII to identify every instance of a customer’s data that needs to be deleted or remediated.
The trouble is, most companies haven’t done a sufficient audit of their existing PII (EFSS, email, PSP, fileshares, ECM systems, etc.). Basically, it’s safe to assume that anywhere you have data, you have PII. Let’s look at one specific right, the “Right to Be Forgotten,” to understand the true nature of the potential problem.
What We’re Forgetting: The Right to Be Forgotten
Take the case of the “Right to Be Forgotten.” This critical data subject right is just not receiving the attention it deserves in GDPR webinars—which is curious, considering the potential risk it poses to enterprises, and how difficult it is to operationalize.
“Today 84% of cloud services do not immediately delete customer data on termination of contract. Further, only 28% of IT and business decision makers even realize the right to be forgotten is part of GDPR.” – Accenture, GDPR: The Time to Act is Now
In particular, the Right to Be Forgotten can cause problems if your organization is unable to find every source of PII that exists across your enterprise. Consider the following scenario:
A customer submits a Right to Be Forgotten request. Your company complies and deletes all records that you can find (that are not required to be kept for legal reasons). You notify the customer that their data has been deleted.
Some time later, a data breach occurs. The subsequent in-depth security audit reveals sources of PII that your company didn’t know existed (because those sources were in the form of unstructured data that could not be searched).
Now your company has to go back to the customer and tell them: “We’ve had a breach and, unfortunately, although we told you we’d deleted your personal information, there was some that we missed and it’s now in the hands of hackers.”
This scenario isn’t all that far-fetched. And, for enterprises that find themselves in this situation, there will be significant costs and reputational damage for years to come (especially when this one scenario is multiplied across thousands of customer records). The solution to successfully executing on the Right to Be Forgotten (and many of the other data subject rights of GDPR) is two-fold:
Step #1: Complete a PII Audit
Be smart. Do a comprehensive PII audit that includes all your unstructured and structured data. And don’t assume that you’ll always find a customer’s PII in a file dedicated to them. While that is often the case, a customer’s personal data may also be contained within databases that contain millions of other sets of client information. So, you need to be able to search for and delete single entries in multi-constituent unstructured documents.
Step #2: Create an Audit Trail
If you don’t create audit trails as you remove PII, you won’t be able to prove that this information was forgotten. This means having a date and time stamp for each data deletion. If you can achieve this level of compliance, it greatly enhances the credibility of your company and its PII procedures. Luckily, file analytics as an industry has grown in leaps and bounds over the past few years. It’s now possible to crawl numerous systems filled with unstructured data and uncover all the PII present. The best solutions automatically create audit trails as they go.
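As an added illustration of the two steps above (this is example code written for this post, not Adlib’s code and not any particular file-analytics product): a small Python script crawls a directory of constructed multi-customer JSON-lines files, deletes one data subject’s records except where a file is marked as a legal hold, and appends a timestamped audit entry per deletion that stores only a hash of the removed record rather than the PII itself. The file layout, field names, and the `legal_hold` parameter are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SAMPLE_FILES = {  # constructed sample: multi-constituent files, one JSON record per line
    "crm/export.jsonl": [
        {"id": 1, "email": "alice@example.com", "note": "renewal"},
        {"id": 2, "email": "bob@example.com", "note": "refund"},
        {"id": 3, "email": "alice@example.com", "note": "upgrade"},
    ],
    "billing/invoices.jsonl": [{"inv": 9, "email": "alice@example.com", "total": 120}],
}


def erase_subject(root, subject_email, audit_path, legal_hold=()):
    """Step 1: find every record for the subject in every file under root.  Step 2: delete
    it (unless the file is on legal hold) and append a timestamped audit entry holding only
    a SHA-256 of the removed record, so the trail proves erasure without re-storing PII."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lines = open(path).readlines()
            hits = [ln for ln in lines if json.loads(ln).get("email") == subject_email]
            if not hits:
                continue
            stamp = datetime.now(timezone.utc).isoformat()
            if rel in legal_hold:  # kept for a legal reason; the retention is logged too
                entries.append({"ts": stamp, "file": rel, "action": "retained",
                                "reason": "legal_hold", "count": len(hits)})
                continue
            with open(path, "w") as fh:
                fh.writelines(ln for ln in lines if ln not in hits)
            for ln in hits:
                entries.append({"ts": stamp, "file": rel, "action": "deleted",
                                "sha256": hashlib.sha256(ln.encode()).hexdigest()})
    with open(audit_path, "a") as fh:  # append-only audit trail, one JSON line per event
        fh.writelines(json.dumps(e) + "\n" for e in entries)
    return entries


def demo(subject="alice@example.com", legal_hold=("billing/invoices.jsonl",)):  # scratch run
    root = tempfile.mkdtemp()
    for rel, records in SAMPLE_FILES.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.writelines(json.dumps(r) + "\n" for r in records)
    entries = erase_subject(root, subject, os.path.join(tempfile.mkdtemp(), "audit.jsonl"), legal_hold)
    return entries, {rel: open(os.path.join(root, rel)).read() for rel in SAMPLE_FILES}
```

Running `demo()` shows the shape of the trail you need: every deletion carries a UTC timestamp and the file it came from, and a record retained under legal hold is logged as retained rather than silently skipped.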
Take-Home Lesson
While most GDPR webinars do a good job of walking you through key GDPR changes and the need for PII policy change, few are talking about the important tactical next steps that will help your company successfully execute on all the critical components of this new regulation. Jump on Duncan’s Not Just Another GDPR Webinar session for boots-on-the-ground insights to help you put the tactical must-haves of GDPR into motion.