Regulation often drives change in organisations, but never before has a regulation come so close to shaping every organisation’s approach to data. The General Data Protection Regulation, the EU’s answer to the ever faster growth of data collection and processing in the modern world, sets out to govern the collection and use of personal data through a single, harmonised framework. All public and private organisations must be ready for the date from which it applies, 25 May 2018.
A data protection regulation? What exactly does it protect?
The GDPR protects privacy by applying rules to the collection, safekeeping, processing and use of personal data, and in doing so substantially alters the terms of previous European and national regulations on the topic. Personal data is defined as any information that permits the direct or indirect identification of an individual. This encompasses the obvious names and identification numbers, but also location data, online identifiers and specific characteristics of a person such as physical traits, health information or socio-economic data. Anything that can be linked to a person is personal data, whatever the context and whatever the reason the information was collected in the first place.
This means that information on the private or professional context of a person is still personal data. As a consequence, not only client and prospective client data is concerned, but also data on employees, suppliers and partners, whether the relationship is commercial or non-profit.
Treatment of personal data
As is now commonplace in regulation, the GDPR requires organisations to manage privacy through a risk-based approach, meaning that the level of control and protection must be commensurate with the sensitivity of the data and the risk to the individuals concerned.
The data controller’s key objective is to ensure that data subject rights are protected on an on-going basis, and also, whenever a project alters the processing environment, through data protection impact assessments and the setup of appropriate safeguards. Even though the GDPR aims at protecting privacy, the regulation remains mindful of the importance of data analysis in today’s connected world and allows some leeway through pseudonymisation, encryption, consent management and privacy by design. The data controller is responsible for safekeeping personal data and for demonstrating compliance upon request from a data subject or regulator.
Where relevant, i.e. in public authorities, in organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or in organisations processing special categories of personal data on a large scale, a data protection officer must be appointed. The data protection officer has an overarching responsibility for privacy protection and should be considered, to all intents and purposes, the GDPR compliance officer. The role encompasses the on-going training of and advice to the functions concerned across the organisation, as well as a front-line role towards the relevant regulatory bodies.
Roadmap to compliance
Achieving regulatory compliance usually starts with a gap analysis, which identifies the key items to address and paves the way for remediation. In the case of the GDPR, the data-centric approach to privacy protection means that any future data source or repository, whether it underlies existing or new infrastructure, will in turn be subject to the same requirements.
Building a future-proof infrastructure today seems like a vain promise, and it probably is, given the increasing pace of regulatory review, the speed of technological change and the difficulty organisations have in marshalling their forces into projects. dFakto offers a solution that is easily updated and easily connected to the existing infrastructure, with the sole purpose of cataloguing and analysing all data in the light of the regulation, shifting the challenge from the entire organisation to maintaining a single, dedicated application.
Maintaining compliance in an environment where both the infrastructure and the compliance rules may evolve rapidly is probably the greatest GDPR challenge for any private or public organisation.
Maintaining compliance in a traditional project steering environment implies privacy-centric functions in each and every project, substantially slowing project roll-out through additional governance, compliance gap analyses and potential re-engineering. Even though such constraints are common to project management across most sectors, they do not constitute a sound base on which to grow a future-proof, privacy-minded business and technology environment.
Experience tells us that both the infrastructure and the regulation will evolve over time, probably faster than we expect. With that in mind, the most relevant action today is to implement a platform whose role is limited to connecting to all data sources across the organisation, detecting personal data, storing an audit trail and issuing actionable reporting to data controllers.
Today’s technology and process expertise can help us move beyond the limitations of the past: today, we can build a living catalogue of data able to:
– connect easily to all existing and future data sources,
– apply rules that categorise data according to their compliance risk level,
– store data in encrypted or pseudonymised form,
– report to data controllers the list of actions required by the compliance rules,
– and structure the follow-up to ensure that actions are executed in due time.
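To make the catalogue capabilities above, and the pseudonymisation and consent leeway mentioned under “Treatment of personal data”, concrete, here is an added Python sketch. It is not dFakto’s code and not part of any platform the page describes: it classifies constructed sample records against a hypothetical rule table, replaces direct identifiers with keyed HMAC pseudonyms whose key and reverse table are kept apart from the catalogue, and derives a controller action list. The record layout, field rules, action wording and key handling are all assumptions for illustration. It also shows why an unkeyed hash is not pseudonymisation: a plain SHA-256 of an e-mail address is reversed by hashing guesses.

```python
"""Added example (not dFakto's code): a minimal personal-data catalogue.

Assumptions made for this illustration: the record layout, the field rules,
the action wording and the way the key is handed in. The sample records are
constructed, not real data.
"""
import hashlib
import hmac
import secrets

# Constructed sample rows from two hypothetical sources (an HR file, a CRM).
SAMPLE_RECORDS = [
    {"source": "hr", "employee_id": "E-1042", "email": "a.lambert@example.com",
     "postcode": "1000", "health_note": "asthma", "consent": None},
    {"source": "crm", "customer_id": "C-77", "email": "m.dubois@example.com",
     "postcode": "4000", "health_note": None, "consent": "2018-03-01"},
]

# Assumed rule table: field name -> (category, compliance risk tier).
FIELD_RULES = {
    "email": ("direct_identifier", "high"),
    "employee_id": ("direct_identifier", "high"),
    "customer_id": ("direct_identifier", "high"),
    "postcode": ("indirect_identifier", "medium"),
    "health_note": ("special_category", "critical"),
}


def classify(record):
    """Map each populated field covered by a rule to its (category, tier)."""
    return {f: FIELD_RULES[f] for f, v in record.items() if f in FIELD_RULES and v}


class Pseudonymiser:
    """Keyed pseudonymisation with HMAC-SHA256.

    The key and the reverse lookup table are the 'additional information'
    that must be held separately from the catalogue. In a real deployment
    they would live in a key store and an access-controlled table, not in
    the same process as the data (kept in memory here as an assumption).
    Same key + same input -> same pseudonym, so records about one person can
    still be joined across sources without exposing the identifier.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a random key of at least 32 bytes")
        self._key = key
        self._lookup = {}  # pseudonym -> original value

    def pseudonymise(self, value: str) -> str:
        tag = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[tag] = value
        return tag

    def reidentify(self, pseudonym: str):
        """Authorised reversal; returns None for unknown pseudonyms."""
        return self._lookup.get(pseudonym)


def catalogue_record(record, pseud):
    """Copy of the record with direct identifiers replaced by pseudonyms.

    Indirect identifiers and special-category fields are left as they are;
    required_actions() flags what still needs protecting.
    """
    out = dict(record)
    for field, (category, _tier) in classify(record).items():
        if category == "direct_identifier":
            out[field] = pseud.pseudonymise(record[field])
    return out


def required_actions(record):
    """Derive the controller's to-do list from the (assumed) compliance rules."""
    fields = classify(record)
    actions = []
    if any(cat == "special_category" for cat, _ in fields.values()):
        actions.append("special-category data present: encrypt or pseudonymise it at rest")
    if not record.get("consent"):
        actions.append("no consent recorded: document the lawful basis for this processing")
    return actions


def unkeyed_pseudonym(value: str) -> str:
    """The common mistake: a plain hash with no key."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def guess_unkeyed(target: str, candidates):
    """Reverse an unkeyed pseudonym by hashing guesses until one matches."""
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_pseudonym(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    pseud = Pseudonymiser(secrets.token_bytes(32))
    for rec in SAMPLE_RECORDS:
        print(catalogue_record(rec, pseud), required_actions(rec))
    leaked = unkeyed_pseudonym("a.lambert@example.com")
    print("unkeyed hash reversed to:",
          guess_unkeyed(leaked, ["b@example.com", "a.lambert@example.com"]))
```

The point a practitioner should take from this is the split of custody: the catalogue holds pseudonyms, and only whoever holds the key (or the lookup table) can re-identify. Rotating the key changes every pseudonym, which is what makes cross-source joins possible only for the period one key is in force.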
In this way, we move from on-going monitoring, regular reporting and one-off analyses to a dedicated continuous process, limiting the operational and project impact on the whole organisation while enforcing a privacy-centric approach to data management.
Conclusion: the case for platform-based personal data management
Connecting any tool to a new source will always require some IT work to integrate the data. But that work is limited in scope and cost, and above all does not hinder the progress of new implementation projects or the maintenance of the existing infrastructure.
Likewise, updating the detection rules and the compliance rules that define the actions to be taken always requires analysis work, sometimes even dedicated regulation specialists. But that work is also limited in scope and time, and can be performed in a yearly review process (brought forward when the regulation or guidance changes), so it does not need to be restarted for each new project in the organisation.
Shifting the burden of compliance implementation and maintenance from a large project team to a small task force of dedicated individuals makes sense not only from an organisational point of view but also from a customer-centric one, since the cost of regulatory compliance usually ends up being borne by the client.
All these elements build the case for a platform-based answer to the issue of regulatory requirements on data management – a solution rooted in data management to answer the challenges of privacy protection.
Want to learn more about the GDPR?
dFakto is organising a workshop to review and discuss the main issues that need to be tackled when it comes to the GDPR. For more information, please contact JOANA SCHMITZ on +32(0)2.290.63.90.
More about the author: LinkedIn – Dorian de Klerk