By Jason Wang, Co-Founder and CEO, TrueVault
GDPR presents a number of challenges for business owners, but one of the greatest hurdles is the requirement that the business take full account of all the data stored by the company. Most of the time, this duty falls on the shoulders of the data protection officer (DPO).
In short, the DPO is responsible for making sure that the data processing activities at their company are compliant with GDPR. The responsibilities of a DPO are not just about securing personal data; they also involve knowing where personal data resides across the company’s databases, at all times.
This is no small feat: from the time an individual data record enters the company’s internal database, or a third-party system like Stripe or Gmail, it is in motion. Tracking the movements of individual data records and monitoring how data is processed at scale is a complicated but essential responsibility for fulfilling some of the core components of GDPR.
DPOs need a bird’s eye view of data processing
Fulfilling data subject requests (DSRs), which may involve providing access to personal data, transferring data, amending data, or deleting data upon request, is a key feature of GDPR. But since GDPR passed in May 2018, many DPOs are scrambling to fulfill DSRs within the 30-day deadline, and more often than not, they miss the mark. In a survey conducted six months on from GDPR, 70% of surveyed businesses reported failing to process DSRs within the one-month deadline.
Processing personal data is complicated and many companies will encounter more questions than answers. For example, what types of data constitute “personal information”? Should we process data that we don’t need now, but may need in the future? It’s easy enough to imagine personal data (e.g., a customer’s phone number) being distributed throughout the organization and saved in multiple systems depending upon which departments may find this data useful (e.g., the phone number may be saved in databases used by marketing and sales teams). But the challenge does not lie in dispersing and processing the data so much as in finding and consolidating the data when a DPO needs it.
In order to consolidate personal data effectively, DPOs will need to rely upon more than spreadsheets and the goodwill of the company’s IT team, who are often left to conduct individual searches of every database to fulfill DSRs. The current state of affairs relies heavily on human resources and is far too analog to work for the long-term.
DPOs must have real-time insight into the data processing activities happening throughout the entire company in order to properly execute individual requests, such as DSRs. In lieu of a tool that automates personal data discovery and inventory, the ideal DPO will be a data processing encyclopedia for the company that they represent. The DPO must have knowledge of:
- The different internal databases where personal data is held (e.g., employee information on the company server).
- The types of information stored in both internal and third-party systems (e.g., employee emergency contacts and email distribution lists on the server, employee email content on Gmail, payment processing on Stripe).
- The different third-party systems where personal data is processed (e.g., Slack is used for collaboration between employees, including messaging, file sharing, integrations with third-party applications etc.; email is run through Gmail).
- How many data records, of each type, are stored in each system, remembering that the number of data records is always subject to change (e.g., are data minimization efforts underway?).
- The data subject that each personal data record is attached to.
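The five questions above amount to a data inventory. As an added illustration (not code from the article or from TrueVault), here is a minimal inventory model that records which system holds which type of personal data for which subject, answers an access or erasure request across all systems at once, and checks a request against the 30-day deadline; the systems, data types and subjects are constructed sample values.

```python
# Added example, not the article's code: systems, types and subjects below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    system: str      # internal DB or third-party system holding the record
    data_type: str   # kind of personal data (phone, email content, payment...)
    subject_id: str  # data subject the record is attached to


class DataInventory:
    def __init__(self, records=()):
        self.records = list(records)

    def counts_by_system(self):
        """system -> data_type -> record count; re-run as data changes."""
        counts = defaultdict(lambda: defaultdict(int))
        for r in self.records:
            counts[r.system][r.data_type] += 1
        return {s: dict(t) for s, t in counts.items()}

    def locate_subject(self, subject_id):
        """Access request: every system and data type held on one subject."""
        found = defaultdict(set)
        for r in self.records:
            if r.subject_id == subject_id:
                found[r.system].add(r.data_type)
        return {s: sorted(t) for s, t in found.items()}

    def erase_subject(self, subject_id):
        """Erasure request: drop the subject everywhere, report per system."""
        removed = defaultdict(int)
        for r in self.records:
            if r.subject_id == subject_id:
                removed[r.system] += 1
        self.records = [r for r in self.records if r.subject_id != subject_id]
        return dict(removed)


def dsr_overdue(received, today, days=30):
    """Has a request received on `received` passed the 30-day deadline?"""
    return today > received + timedelta(days=days)


SAMPLE = DataInventory(Record(s, t, u) for s, t, u in [
    ("crm_db", "phone", "alice"), ("marketing_db", "phone", "alice"),
    ("gmail", "email_content", "alice"), ("stripe", "payment", "alice"),
    ("crm_db", "phone", "bob")])
```

Running `SAMPLE.locate_subject("alice")` shows the same phone number duplicated across the CRM and marketing databases, which is exactly the kind of minimization opportunity the article says a DPO needs to spot.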
A data processing audit is a challenging, but not impossible, task for the incoming DPO. By conducting a data processing audit for their company, the DPO will identify security gaps and unnecessary or extraneous personal data stores, and will have a map of where personal data lives throughout the company’s databases. Eventually, the DPO must be able to recall how data silos, such as Gmail, operate independently and also overlap with other data silos (e.g., Gmail interacts with Stripe) throughout the organization.
But the truth is: This is still an analog solution for a digital world.
The optimal situation for a DPO is to have a bird’s eye view of the data processing activities happening at their company, in real time, so they can quickly discover any anomalies and jump on opportunities to minimize personal data. Arguably the most essential tool for businesses looking to become GDPR compliant is a data inventory platform, which allows DPOs to see data processing at a macro-level, while also monitoring the progress of data subject requests and other micro-level data processing activities.
It is time for technology to catch up to the needs of businesses. But until DPOs demand an automated data processing solution, they will be forced to operate in an analog environment and risk violating GDPR compliance.