GDPR impact complex, expert warns
Despite the complexity of the forthcoming General Data Protection Regulation (GDPR), what boards most need to understand is that it is not just about law, IT and security, according to Herwig Thyssens, ICT director and head of T-Trust at T-Systems Belgium.

“They need to understand that GDPR is not just a project that needs to be implemented, but something that needs to be maintained for the life of the business,” he told EEMA’s ISSE 2017 conference in Brussels.

Although it is not necessary to go into great detail about the GDPR, Thyssens said the board needs to understand why it needs to be done and why the investment needs to be made. At the same time, he said it is important that boards do not lose sight of all that needs to be done and do not develop “tunnel vision”, where they believe that preparations for GDPR are on track just because the legal and security aspects are being addressed.

“There are often gaps in GDPR implementations, where organisations tend to focus on the legal aspects, contracts, security and data protection officers, but tend to forget other key elements,” said Thyssens. Organisations are more likely to forget things such as data inventory, data privacy impact assessments and staff awareness, even though proof of all these things will be required in the event of a GDPR audit. “Like any good investment, GDPR offers a return – you get money out because it helps build customer trust.”
“A data inventory can be difficult to create, and many organisations are not completely sure where specific kinds of data are stored and who owns the data, which some organisations find very difficult to answer, but it is key to GDPR compliance.”

“If you do not know what you have, where it is and who owns it, you will not be able to provide the necessary assurances around the data and you will not be able to use the added value of the GDPR to get more business,” said Thyssens.

Organisations most commonly fail to address issues around how the organisation will be affected, international data flows, data retention, backups and privacy by design. “Data retention is likened to inventory, but even if an organisation knows where the data is, some find it too difficult to decide how long to keep it, which is a basic question GDPR auditors will ask,” said Thyssens.

In terms of privacy by design requirements, he said organisations with a high level of maturity should task business process owners to look at their processes to assess the impact of the GDPR and what needs to change. “In organisations with low maturity, my advice is to make sure the board is involved so it can drive this forward, because it will not happen automatically, and that there is a dedicated team assigned to the project to co-ordinate and drive it across business functions,” he said.

With just over six months to go before the GDPR compliance deadline, Thyssens said organisations should consider if they have done all these things, identify their gaps and address them immediately, because time is running out.
GDPR: An explanation of data retention and why it is important for charities » Charity Digital News
After outlining what GDPR means for charities in the first of a series of posts, Andrew Cross, Data and Insights Lead at Lightful, delves specifically into data retention and subject access requests, how the rules around these will alter under GDPR, and how best to prepare.

Data retention is defined by the ICO as: “Data kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals”.

In plain English, data retention means that if data is no longer in use or required to be kept for a specific purpose, then you should either delete it altogether or anonymise every part of the information that would give away the identity of the individual. By dealing with data in this way you are adhering to the organisational and technical safeguards stipulated by the GDPR.

What does this mean for my charity?

Non-profits are usually in possession of personal data that they gained when they were founded, and most of this pertains to historical donations or engagements with the organisation. If a supporter has not interacted with the charity within a reasonable time frame, then we can assume their information is probably not needed for analysis purposes, and it should therefore be discarded or anonymised as explained above. Most organisations lack clear retention policies, and their CRM systems often do not have the functionality to perform these deletions or anonymisations adequately through the front end or administrative areas.
Well, you could start in the first instance by mapping any data flows from their sources, using paid-for tools like Microsoft Visio or Lucidchart. It’s good to know where your data came from in order to review the Fair Processing Notices and determine what you can or cannot do with the personal data from these sources. Once you know where your data came from, you can start querying your database on what interactions those individuals have had with your charity.

Subject access requests are where an individual uses their right to obtain all the personal data that your organisation holds on them. If your charity is targeted with one of these requests, the current time frame to conform is 40 calendar days. This will reduce to 30 under the GDPR. As most organisations have data stored across multiple systems in multiple locations, compiling a full audit log of how data has been processed – in addition to representing this clearly – will take a fair proportion of time. Not to mention ensuring that the data of other individuals is not exposed and is redacted properly.

Stay tuned for the next post in the GDPR series, where I’ll take you through everything you need to know about data governance and the role of Data Protection Officers.
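The retention step the post describes (query last interactions, then delete or anonymise supporters outside the window) is the kind of job a CRM front end often cannot do, so here is an added example of doing it in code. This is not Lightful's or the article's code; the supporter records are constructed, and the two-year retention window is an assumption chosen for illustration, not a figure from the post.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Tuple

# Assumed retention window (days without any interaction before a record is
# anonymised). Two years is an example value, not a figure from the article.
RETENTION_DAYS = 730


@dataclass(frozen=True)
class Supporter:
    supporter_id: int
    name: str
    email: str
    postcode: str
    donation_total: float      # aggregate figure kept for statistics
    last_interaction: date     # donation, event attendance, email reply, etc.
    anonymised: bool = False


def is_stale(s: Supporter, as_of: date, retention_days: int = RETENTION_DAYS) -> bool:
    """True when the supporter has not interacted within the retention window."""
    return (as_of - s.last_interaction).days > retention_days


def anonymise(s: Supporter) -> Supporter:
    """Blank every field that identifies the person; keep the donation total."""
    return replace(s, name="[anonymised]", email="", postcode="", anonymised=True)


def apply_retention(records: List[Supporter], as_of: date,
                    retention_days: int = RETENTION_DAYS
                    ) -> Tuple[List[Supporter], List[int], List[int]]:
    """Return (records to keep, ids anonymised, ids deleted).

    Stale supporters with a donation history are anonymised so totals survive
    for statistical use; stale supporters with no donations are deleted outright.
    """
    kept, anonymised_ids, deleted_ids = [], [], []
    for s in records:
        if s.anonymised or not is_stale(s, as_of, retention_days):
            kept.append(s)
        elif s.donation_total > 0:
            kept.append(anonymise(s))
            anonymised_ids.append(s.supporter_id)
        else:
            deleted_ids.append(s.supporter_id)
    return kept, anonymised_ids, deleted_ids


# Constructed sample CRM rows, as of a constructed reference date.
SAMPLE = [
    Supporter(1, "Ada Example", "ada@example.org", "AB1 2CD", 250.0, date(2017, 9, 1)),
    Supporter(2, "Ben Example", "ben@example.org", "EF3 4GH", 40.0, date(2014, 3, 10)),
    Supporter(3, "Cy Example", "cy@example.org", "IJ5 6KL", 0.0, date(2013, 1, 5)),
]
AS_OF = date(2017, 11, 15)

if __name__ == "__main__":
    kept, anon, gone = apply_retention(SAMPLE, AS_OF)
    print(f"kept {len(kept)}, anonymised {anon}, deleted {gone}")
```

The returned id lists are what you would write to the audit log that a GDPR auditor or a later subject access request will ask for.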