Fail to prepare; prepare to fail – A GDPR conundrum

By Howard Travers
on May 16, 2018


As we approach the looming General Data Protection Regulation (GDPR) deadline, you may have noticed your inbox becoming flooded with emails with the subject line ‘We’ve updated our privacy policy’. This is the first visible impact of GDPR. Although you will already have clicked ‘I agree’ to receiving communications, the updates to the Data Privacy Act (1998) require businesses to refresh the consent for using the personal data they have recorded.

Consent isn’t the only thing to consider when preparing for GDPR coming into full effect. The new regulation will have a huge impact on how organisations process and handle the personal data of EU citizens, and now is the time to get things in order.

GDPR isn’t the first major regulatory shake-up of the year. Just days into 2018 we welcomed, apprehensively for some, MiFID II. MiFID II came with plenty of warning, yet how prepared were businesses when the regulation came into effect? In some cases, businesses weren’t prepared even with that advance warning.

This is quite often the way it goes. Many of us tend to put things off until the last possible minute. Perhaps it’s a case of denial, or maybe we just don’t fully understand what we need to do or what is expected of us. Either way, one thing that’s certain when it comes to GDPR is that preparation is key, and, as the title of this article points out, fail to prepare and prepare to fail – and failing at GDPR can land you a very heavy penalty.

Preparation is key

GDPR is just around the corner, coming into effect on 25th May 2018. If you still haven’t set in motion how you’ll tackle this impending regulation, the ICO has a very helpful brochure recommending 12 detailed steps to take in order to be prepared. In this article, we will focus on the second point: ‘Know the information you hold’.

To be compliant with GDPR, the ICO recommends that you ‘document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit’.

Lineage for knowledge
As data landscapes become more complex it can be difficult to see how personal data ends up being used. Until the introduction of GDPR, businesses could simply produce a report stating that they were compliant. Now the new rules require proof of how those results were achieved, backed by the data itself, and regulators are increasingly requiring documented data lineage to demonstrate this.

Data lineage isn’t the golden ticket to your GDPR compliance, but it plays a critical role in the overarching strategy to align your organisation with the regulatory requirements.

Data lineage tells the story of a piece of data: exactly when and where it came from, which parts of your business it has touched and by whom, whether it has changed along the way and, by tracing those changes back to the original source, why. Without data lineage, organisations cannot prove how data flows through their systems without extreme difficulty.

Having this insight increases confidence in your data and can benefit the business: it saves money by identifying redundancies, avoids possible regulatory fines and informs data-related decision making.

The Right to be Forgotten
GDPR puts the power over personal data back into the hands of the individual. The data subject now has the right to request that their information be ‘forgotten’ from your systems, meaning that businesses must completely remove that information from every database in which it appears.

Given the size of some data landscapes, and how often departments are fragmented within an organisation with teams working in silos, gathering all knowledge of the data can be a huge task. Data can enter a business through manual input, online forms, third-party submissions and more. It can then be stored in a CRM system, a marketing automation system, Excel spreadsheets and/or on individual computers, and often appears in several locations.

Therein lies the challenge. How can organisations be 100% certain that they have removed data entirely from their systems? One of the main ways is to work collaboratively across all departments, share knowledge, manage it in one central place, and then audit and analyse the data. Data lineage gets to the heart of the problem here, and this is where a dedicated lineage tool is needed.
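As an added illustration (not part of the original article and not Solidatus’s product code), the sketch below models the lineage idea described above: the systems, the personal-data fields flowing between them and the owner list are all constructed sample data, and a traversal lists every system a given field has propagated to, so an erasure request can be checked against each one and any system with no owner is surfaced as a gap.

```python
"""Lineage graph for a GDPR erasure request (illustrative example).
Systems, flows and owners below are constructed sample data; in practice
they would come from a metadata catalogue or lineage tool."""
from collections import defaultdict, deque

# Constructed sample: (source system, target system, fields copied across)
FLOWS = [
    ("web_form", "crm", {"email", "name"}),
    ("crm", "marketing_automation", {"email"}),
    ("crm", "finance_spreadsheet", {"name", "invoice_total"}),
    ("marketing_automation", "analytics_export", {"email"}),
    ("partner_feed", "crm", {"email", "phone"}),
]

# Constructed sample: data owner per system; a system missing here is a gap
OWNERS = {"web_form": "web team", "crm": "sales ops",
          "marketing_automation": "marketing", "partner_feed": "partnerships"}


def build_graph(flows):
    """Adjacency list: system -> list of (downstream system, fields carried)."""
    graph = defaultdict(list)
    for src, dst, fields in flows:
        graph[src].append((dst, frozenset(fields)))
    return graph


def erasure_targets(flows, field):
    """Return every system a personal-data field has propagated to,
    following a flow only while that field is carried onward."""
    graph = build_graph(flows)
    # Systems that emit the field are where it is first known to be held
    entry_points = {src for src, _, fields in flows if field in fields}
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        system = queue.popleft()
        for downstream, fields in graph[system]:
            if field in fields and downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return sorted(seen)


def erasure_checklist(flows, owners, field):
    """Pair each holding system with its owner; None marks an ownership gap
    that must be resolved before the erasure can be confirmed complete."""
    return {s: owners.get(s) for s in erasure_targets(flows, field)}


if __name__ == "__main__":
    for system, owner in erasure_checklist(FLOWS, OWNERS, "email").items():
        print(f"{system:24} owner: {owner or 'UNASSIGNED'}")
```

In the sample, the field ‘email’ reaches the analytics export, which has no owner assigned, so the checklist flags it before the request could be signed off as complete.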

How can Solidatus help?

Using Solidatus for GDPR, an organisation has the ability to gain valuable insight into their data landscape. The tool enables an organisation to visualise and analyse lineage to understand what data they hold, what type of data they have, and how it moves through their systems.

Through its collaborative and crowdsourcing model, Solidatus allows for quick and effective enterprise-wide identification of personal information. Working with all teams across the organisation, a clear understanding can be reached of exactly where data is and how it is being used in business and IT processes.

Once identified, the data can be mapped out to visualise each contact point, and ownership can then be assigned. With this knowledge an organisation can quickly and confidently fulfil a ‘Right to Erasure’ request, knowing that it has removed the data from every place it has been held.

Not only does this insight allow for easy completion of a Right to Erasure request, it also demonstrates to the regulator that an organisation is taking a proactive approach to GDPR by clearly documenting and auditing its data landscape and privacy impact assessment metadata.


Solidatus partners with Synechron

Together, Solidatus and Synechron, the global financial services consulting and technology services provider, are addressing challenges related to understanding data lineage, governance and management. We are achieving this by delivering powerful visualisation of metadata across end-to-end business processes, including an intuitive, easy-to-use web interface and customisable filter options. The initiative is critical in helping firms get the most from their data, as well as comply with upcoming regulatory obligations.

Conclusion

One of the key things to remember with GDPR is that, although preparation may be onerous in the short term, getting things in order now, setting up proper processes and keeping on top of your data with sophisticated data lineage tools will set you up for compliance success in the long run.

Be proactive about your regulatory compliance obligations and don’t run the risk of failure.


Author: Howard Travers

With over 20 years of experience in developing businesses, Howard is an accomplished commercial director with a proven track record with start-ups. He has played a pivotal role in bringing Solidatus to market.