NC1801
OPINION
THE GDPR INFORMATION AUDIT
A good understanding of stored data has always been a sensible idea. As companies move from owners of data to custodians, Roland Bullivant, Director at Silwood Technology, reminds us of the critical importance of the data audit.
According to research undertaken jointly by Experian and the Ponemon Institute, "Data Protection Risks & Regulations in the Global Economy", 59 per cent of surveyed companies did not understand the requirements for complying with the EU General Data Protection Regulation (GDPR). Because the Regulation applies from 25 May 2018, the imperative for tested compliance procedures and processes is pressing.
One important element requires organisations to document where what the GDPR defines as personal data is held, across their entire IT estate. It is also likely that organisations will need to amend existing IT systems to meet the new obligations, especially concerning how they process data, how they protect the rights of data subjects and how they ensure appropriate privacy, including making certain that consent measures are implemented.
It is here that the information audit becomes pivotal for documenting personal data and its interdependencies. It is essential for implementing the policies and procedures required for compliance.
One might think that successive waves of hype-driven IT such as Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Master Data, Data Quality, Business Intelligence and Big Data mean that organisations are already firmly in control of their data. The reality, however, is that for the majority of organisations this just isn't the case.
Some systems, particularly the packaged applications that store most of the structured personal data held by an organisation, actually make GDPR compliance harder, because their metadata is complex and difficult to access. The result is that without specialist software tools, isolating where personal data about customers, business partners, vendors, employees and members of the public exists is a long and tortuous task.
Personal data is also found across other systems, including online stores, mobile apps, homegrown applications, data warehouses and spreadsheets. It can also be found in unstructured formats including email, documents, files, photographs and others.
A Data Catalogue or Dictionary is extremely valuable for keeping this information about sources together and up to date.
Locating personal data is a vital step towards meeting the requirements concerning the rights of data subjects and the consent and privacy rules. For example, it is not possible to give a comprehensive answer to a Subject Access Request from a customer unless every location of that customer's personal data is clearly understood.
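As an added illustration of the audit described above (example code written for this page, not a tool from the author or from Silwood Technology), the following Python builds a data catalogue over a handful of constructed sample sources and then answers a Subject Access Request from those same sources. The source names, column names, detector patterns and every sample record are assumptions made for the example; the point it makes is that the catalogue records where each category of personal data lives, not the data itself, and that a SAR can only be answered completely once every source is in scope.

```python
import re
from dataclasses import dataclass

# Constructed sample "systems" for the walkthrough (not data from the article):
# two structured stores (a CRM table and an HR spreadsheet export) and one
# unstructured store (a mail archive held as plain text).
SOURCES = {
    "crm.customers": [
        {"id": 101, "name": "Ada Lovelace", "email": "ada@example.com",
         "phone": "+44 20 7946 0958"},
        {"id": 102, "name": "Acme Ltd", "email": "sales@acme.example",
         "phone": "+44 20 7946 0100"},
    ],
    "hr.employees.xlsx": [
        {"staff_no": "E-7", "full_name": "Grace Hopper",
         "work_email": "grace@example.com", "ni_number": "AB123456C"},
    ],
    "mail.archive": [
        "From: ada@example.com\nSubject: Invoice query\n"
        "Please call me on +44 20 7946 0958.",
        "From: noreply@example.com\nSubject: Build passed\nAll 312 tests green.",
    ],
}

# Pattern detectors for categories of personal data. These are deliberately
# simple format checks; a real audit tunes them per source and adds validation
# such as the prefix rules of national identifiers.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){3,4}\b"),
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


@dataclass(frozen=True, order=True)
class CatalogueEntry:
    """One line of the data catalogue: where a category of personal data lives.

    The catalogue records locations, never the personal data itself, so it can
    be shared widely without becoming another store that needs protecting.
    """
    source: str     # system, table or file
    location: str   # column name (structured) or record index (unstructured)
    category: str   # kind of personal data found there


def scan_text(text: str) -> set[str]:
    """Return the set of personal-data categories detected in a string."""
    return {name for name, rx in DETECTORS.items() if rx.search(text)}


def build_catalogue(sources: dict) -> list[CatalogueEntry]:
    """Walk every source and record which columns/records hold personal data."""
    entries: set[CatalogueEntry] = set()
    for source, records in sources.items():
        for idx, record in enumerate(records):
            if isinstance(record, dict):
                # Structured data: classify by column, using both the column
                # name (a 'name' column is personal data even though a name has
                # no regex-detectable shape) and the values the column holds.
                for column, value in record.items():
                    if "name" in column.lower():
                        entries.add(CatalogueEntry(source, f"column:{column}", "name"))
                    for category in scan_text(str(value)):
                        entries.add(CatalogueEntry(source, f"column:{column}", category))
            else:
                # Unstructured data: the best available location is the record.
                for category in scan_text(record):
                    entries.add(CatalogueEntry(source, f"record:{idx}", category))
    return sorted(entries)


def subject_access_request(sources: dict, subject_email: str) -> dict[str, list[int]]:
    """Find every record, in every source, that references one data subject.

    Keyed on e-mail address because it is the identifier most likely to appear
    in both structured and unstructured stores. Matching is case-insensitive.
    """
    needle = subject_email.lower()
    hits: dict[str, list[int]] = {}
    for source, records in sources.items():
        for idx, record in enumerate(records):
            text = " ".join(str(v) for v in record.values()) if isinstance(record, dict) else record
            if needle in text.lower():
                hits.setdefault(source, []).append(idx)
    return hits


if __name__ == "__main__":
    for entry in build_catalogue(SOURCES):
        print(f"{entry.source:20} {entry.location:20} {entry.category}")
    print(subject_access_request(SOURCES, "ada@example.com"))
```

Two design choices are worth noting. The column-name heuristic for names is intentionally crude (it will also flag a column such as "username"); over-reporting is the safer failure for a catalogue, because a reviewer can strike an entry but cannot find one that was never recorded. And the SAR lookup walks the same `SOURCES` map the catalogue was built from, which is the practical discipline the article calls for: a system that is missing from the catalogue is also missing from every SAR answer.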
For organisations still struggling to get started, here are a few tips. Firstly, make sure that you understand the relevant legislation, or identify trusted sources of information about the GDPR, so that you know how it applies to your organisation. You will need to appoint an executive sponsor for your GDPR programme and a compliance team drawn from the relevant departments, and don't forget to secure a budget.
You will need to establish whether your organisation acts as a data controller or a data processor for each set of personal data, and whether a Data Protection Officer must be appointed; if so, appoint one. It is also important to implement and document the changes to your data privacy and consent policies, ensuring that processes are in place to cover the rights of data subjects.
Another important area is to make sure that procedures are in place to detect personal data breaches, with clear instructions on how and when to notify the supervisory authority (the GDPR expects this without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to them, the affected data subjects.
In summary, the GDPR means that organisations become custodians of the personal data they hold and process, rather than its owners. From 25 May 2018 they have greater responsibilities for the way it is collected and used. The cost of not complying can be significant, both financially and in terms of damage to brand reputation. There are benefits, however, including improved customer loyalty and revenues for those who master the management of personal data effectively and conscientiously.
NETWORKcomputing, January/February 2018, p. 32. @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK