Those with a job title that includes the words: privacy manager, analyst, compliance manager, engineer, or anything in data governance or data security are likely to face the General Data Protection Regulation’s (GDPRs) records of processing activities (RoPA) guidelines, or a data management project similar in nature.
Article 30 of the GDPR, which includes RoPA, outlines that all data controllers and processors must maintain a record of processing activities under their responsibility. While RoPA has been defined as a specific GDPR requirement, it’s becoming more and more necessary to keep track of business processes to abide by other data privacy laws as well. After all, how can security teams provide requested user data if they are unsure of where or why they have the requested data?
Data discovery serves as the best approach to this challenge. But first, let’s review what RoPA entails. Data included in the RoPA must contain the following information:
- Name of the business process: This could include interviewing candidates, onboarding an employee, or an online customer registration.
- Purpose of processing: The business may need to lawfully process data for employment laws, background investigations, online profile creations or other valid reasons.
- Categories of data subjects and personal data: An example of a “category of data subject” could include employees, online customers, in-store customers or vendors. “Category of personal data” might include financial information, shipping information, contact information or employee information.
- Transfers across boarders or to other international companies: Include any country or organization outside of the country in which the business is located.
- Retention time periods: This information needs to include retention schedules for each of the different types of personal data the company stores, based on either internal policies or industry guidelines.
- Description of security controls in place for the business process: This general description should include all the ways the business safeguards data, including encryption, access controls, and even training.
How data discovery helps comply with RoPA
When it comes to data, most businesses generally are not technical and are only aware of the various front-end apps and systems with which they interact. Often, they do not have any knowledge of the back-end systems or the data within them. They may think certain data elements are stored in systems or repositories and may believe that data is protected, but do not know for certain. And while the label “processing” may lead businesses to believe that it’s limited to active events, RoPA must also cover any data that sits on a server or a shelf. This means that businesses need that data to be discoverable to verify RoPA.
Utilizing data discovery will inform the team what data elements are in which systems; thus, the team can verify whether it’s a valid RoPA. Furthermore, data discovery can help highlight areas of confusion or uncertainty within the business so that IT security can better protect the environment. Often these types of investigations will also lead to a company kicking off a data minimization project – another area where data discovery can help. Because of the broad platform support, data discovery can tell the team where the same data gets stored. If the business can’t map a purpose of use for that data set, it should trigger an internal conversation to discuss whether they really need the data or if they can remove it good.
In addition to data verification for records of processing, data discovery can also assist with any privacy impact assessment (PIA) or data protection impact assessment (DPIA) by allowing the team to fully understand all the types of data elements that are involved or impacted by any organizational or systematic change. PIAs, not unlike risk assessments, take a lot of issues into account, such as the data present, who has access, the intent of the data, and how long the data will persist. Data discovery helps the team better and more accurately understand what they have where and why they have it, which in turns helps to better manage the organization’s various risk profiles.
As illustrated, companies can deeply benefit from using data discovery for RoPA and should consider this route if they are not already using these types of capabilities. Security team don’t know what they don’t know, so using data discovery will let them ensure compliance with RoPA, and also help better protect the organization from potential security risks. As a whole, keeping an eye on where the company’s data resides across the full spectrum of the organization creates limitless value and endless possibilities for the business.
Chris Pin, vice president of security and privacy, PKWARE