The Real GDPR Challenge is Sustainable Compliance

Tony Bethell

VP Strategic Alliances at ClusterSeven

Tony Bethell is VP of Strategic Alliances with global responsibility for developing and driving the partner channel. He is focused on identifying new partnerships, enabling existing partners to build successful propositions and creating new routes to market for ClusterSeven. Tony has successfully grown businesses across a wide range of Enterprise Software solutions (ERP, Telco, Finance and BI/Big Data) and Cloud/SaaS, holding senior positions in the Software marketplace, working for Trintech, MicroStrategy, Saville (now ADC) and SSA (now Infor).

Views 739

The Real GDPR Challenge is Sustainable Compliance

09.07.2018 01:15 pm

As organisations raced towards the compliance deadline for the GDPR, their focus appeared to be simply to identify the inventory of IT supported assets that hold GDPR sensitive data. While a reasonable first step, this approach is merely scratching the surface of this far-reaching regulation. The real challenge for GDPR practitioners is to create a ‘sustainable’ compliance process for the foreseeable future.

Much effort in addressing GDPR has gone into identifying and managing the relevant data in core IT applications.  The next challenge for organisations is to apply the same level of control, monitoring and attestation over unstructured data – typically spreadsheets, and other applications managed by the business rather than IT.

However this data is stored – in Excel spreadsheets, or Access databases for example, the key challenge is that these files are distributed right across the business, and it is by no means easy to find the GDPR-relevant data. The situation is further complicated by the way that business constantly add new files to their existing estate.

Ironically staff typically turn to spreadsheets to manage these spreadsheets, using them as an inventory tool to manage these unstructured GDPR files. These manual processes are time consuming, cumbersome and prone to error. Crucially they lack the auditability that GDPR requires, showing the changes to the data, such as the removal of personal data, which lies at the core of the regulations.

Under the GDPR, organisations must demonstrate to their auditor that they have permission to hold the personal data in all their files and systems, as well as ensure easy portability and erasure of records on demand. It is an enormous task and anecdotal evidence suggests that the majority of organisations haven’t even turned their attention to the problem that these unstructured files present for compliance with the GDPR.

A four-step process for sustainable GDPR compliance

Organisations can mitigate the non-compliance risk of spreadsheets by adopting a technology-supported four step process that enables them to make compliance with the GDPR more ‘business-as-usual’ when it comes to the spreadsheet environment.

Finding the files

Identifying the files that contain the sensitive personal data is obvious, but given the often significant business-owned application environment, finding a GDPR-relevant file can be akin to finding a needle in a haystack. Today there are a number of tools available on the market that organisations can take advantage of to scan the files in the business environment.

Powerful search tools are essential here, so that huge volumes of files can be analysed for GDPR-relevant terms, such as name, address, email address, employee reference and similar. Some of these files are easier to search than others for this. Spreadsheets can be especially challenging to search, with the key GDPR information being held at cell level, which can be difficult to scan.

Analysing the files for risk

The next step is to produce reports based on the organisation’s GDPR profile and assess them to show ‘hot spots’ – i.e. files in the spreadsheet landscape that potentially contain GDPR-relevant data. Additionally, the tools categorise the files on the basis of high, medium and low risk, which is very useful from a prioritisation perspective. For instance, files that include personal data such as ethnic information, passport numbers, credit card details, trade union membership and so on, would be categorised as high risk files and would need compliance processes to be applied to them urgently.

Much of the effort involved with complying with the GDPR thus far has focussed on these two stages. The key to sustainable GDPR compliance focuses on the next two stages.

Creating an inventory framework

The next step is to pull the GDPR files into a management framework that allows a business to proactively monitor them. This can encompass both IT and non-IT managed GDPR files. Placing the key GDPR files in an inventory framework allows businesses to proactively monitor their most sensitive, highest risk files. It provides a framework for providing attestation for GDPR files. To make compliance with the GDPR business-as-usual, an automated attestation process, underpinned by full auditability, is fundamental. It will ensure that the organisation is capturing data in accordance with the corporate’s GDPR policy. This attestation capability provides a robust, flexible and powerful model that helps staff and line managers manage their GDPR compliance, by confirming the GDPR status of files, and confirming they comply with the regulation. It also provides an efficient framework for managing and resolving non-compliant files.  For example, if an individual needs to have records removed from a file, or set of files, the attestation framework allows staff to confirm that the individual has been removed, bringing accuracy and consistency to an often manual, error-prone process. 

A stark reminder of the need to effectively manage and monitor spreadsheets, under the GDPR and existing data protection frameworks, was a recent incident where London’s Royal Borough of Kensington & Chelsea was fined £120,000 by the Information Commissioner’s Office (ICO) after it unlawfully identified 943 people who owned vacant properties in the borough. The error was a result of a poor understanding on the part of users as to how to properly identify, manage and remove personal data.

Monitoring for changes

GDPR compliance isn’t about being complaint on 25th May 2018, it’s about meeting the regulator’s requirements in the days, weeks and years to come. Organisations must ensure that they are able to monitor the GDPR-relevant data for version control, changes and approvals, new data, as well as the attestation process.  

A recent poll during a recent ClusterSeven webinar showed that 91 per cent of organisations are merely building GDPR relevant file lists, with only nine per cent are actually creating sustainable processes for compliance. These findings are likely reflective of organisations in the wider industry too. Organisations must change their approach to GDPR compliance. A fine of up to four per cent of the global turnover, plus the reputational damage that will possibly come with it, warrants a sustainable approach to compliance with the GDPR.

GDPR compliance will evolve as organisations evolves. Systems and processes are needed to capture both structured and unstructured data – as well as to accommodate changes to these datasets – such as new data being added, or when people request their data to be removed or moved to a new organisation. All this needs to be done efficiently, cost effectively and sustainably. 

 

Latest blogs

Andrius Sutas AimBrain

Biometric security, banking, and why the password is passé

For banks, technological innovation brings freedom, flexibility, and seemingly inevitable security problems. The rise of mobile brought with it easy segmentation, remote onboarding, and convenience for customers. However, a recent report found that Read more »

Jonny Speers Torstone

Agile technologies key to future-proofing the back office

Global capital markets are advancing at a staggering pace. While increasing regulation has been the major driving force of change in the past decade, rapid technological advances have also contributed to the rewiring of the marketplace. As capital Read more »

Jo Howes CREALOGIX UK

Mass Market Wealth Management: The Case for Robo-Advisory services

‘Old fashioned,’ ‘elitist,’ ‘obscure.’ These are some of the impressions that young consumers have of the wealth management industry today. Long in need of a digital face-lift, wealth management is coming under increasing pressure to adapt to Read more »

Rebecca Edwards Redgate Software

Data protection – how compliant are you, really?

The way we do business has evolved. Looking back just 30 years, we can agree by comparison to today's standards that the way we stored business-critical information was archaic. In modern business, we rely on technology for much of our organization’ Read more »

Rachna Ahlawat Ondot Systems

How The Major Breaches In 2018 Showed Us That It’s Time For Consumers To Take Greater Control Of Their Cards

A few months ago British Airways became one of the latest big-name brands to suffer a major data breach, as hackers managed to steal card details – something that has this week been reported could have raised up to $12.2m (£9.4m) for Russian hackers Read more »

Related Blogs

Adam Prince Sage

10 Everyday Workplace Activities That Will Totally Change Under the GDPR

On 25th May 2018, the GDPR (General Data Protection Regulation) comes into effect across the EU, regulating how businesses should handle personal data. Businesses large and small need to get ready for this change. However, research from industry Read more »

Greg Sim Glasswall Solutions

Proxy cyberwarfare, GDPR and blockchain – the prospects for security in 2018

The last year has been a significant 12 months in the short history of cyber security, with headline security breaches such as Uber and a scramble to come up with new approaches, particularly as the European Union’s General Data Protection Read more »

Christian Voigt Fidessa

For Infosec the Only Way is Global

With information security rapidly gaining prominence over the last few years legislators have jumped into action to improve safeguards and public confidence in IT systems. While information security concerns prevail across all industries, in Read more »

Richard Price TIBCO Software

Data reform to drive digital transformation

The General Data Protection Regulation (GDPR) narrative may often be framed around security breaches, but this headline-grabbing angle perhaps overlooks the new legislation’s broader role as a catalyst to support the digital transformation agenda at Read more »

Tomi Behm Tieto

Data portability – A Utopian GDPR Requirement?

One significant but less discussed aspect of the GDPR is data portability. It is a very complicated matter that CIOs, CISOs, IT managers, data architects, and other personal data controllers must research thoroughly. Data portability is introduced Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App