Happy birthday GDPR! Are DPOs celebrating?
Soon the GDPR will be three years old. There is no doubt that it has had a profound effect on attitudes toward the protection of our data, but I dare to suggest that organisations still have a long way to go before they can declare that they have achieved their goal to have data protection by design and default.
Leading management consultants McKinsey & Co recognised back in 2018 the challenges that the current and future data landscape would pose to an organisation’s capacity to comply with the GDPR. They pointed to data growth, and in particular the rise of unstructured (or ‘dark’) data, as the most challenging aspects.
“Companies will need to increase automation and streamline their organisation if they are not to be overwhelmed by the challenge of sustaining GDPR compliance over the long term.”
The point was well made. I suggest that three years on, with data having roughly doubled in size and organisations shifting their data to the cloud to curb the ever-increasing costs of storage, they are no closer to their GDPR goal. At best, all they have really done is move the playing field to the cloud; at worst, they have added another data domain for the overstretched data protection officer (DPO) to manage.
From our research, there are several aspects of the GDPR with which DPOs appear to struggle most:
- Information search for Data Subject Access Requests (DSARs)
- Data retention management
- Personal and sensitive data discovery
The root cause of these challenges can be traced back to the McKinsey forecast from three years earlier, namely, unabated data growth and unstructured data.
Information search for DSARs
DPOs are often unable to fulfil this requirement themselves. Instead, they routinely delegate to those who can access the data required, often putting undue stress and strain on IT and other colleagues to meet tight deadlines. They lose control of the process and worry that not all of the required information is being found. Delays are inevitable, and many are required to seek extensions to enable them to fulfil the DSAR. They spend an undue amount of time chasing colleagues to return the information, knowing that once they receive it there is still a significant amount of work to check, de-duplicate, redact, package and return the information to the data subject.
DPOs crave the day when they can undertake DSAR searches themselves. They want to reduce the burden on colleagues and mitigate the risk of not finding the right information.
Data retention management
A shiny data retention policy was high on the list of deliverables for DPOs back in 2018. Three years on, for many this remains a policy that has not been effectively executed. One of the primary reasons for this is that documents and files are not classified correctly (if at all) and as a result they are added to the growing data estate with no strategy to effectively manage them. As one company director I spoke to recently exclaimed,
“Our data retention policy is to keep data for as long as we possibly can before someone tells us to do something about it!”
But it is not just about unstructured data; often the company retention policy has not been applied to other data assets such as customer, prospect, supplier, finance and asset data.
Data retention management can only be executed if you have insight into the data stored within your data estate’s databases and document repositories, e.g. shared drives, cloud stores and email systems. The ability to automate the classification of documents and database records, and the execution of the data retention monitoring rules associated with each type, is essential.
Personal and sensitive data discovery
An organisation can only protect personal and sensitive data if it knows where it is stored and who has access to it. Partly related to the data retention policy, the identification of documents that contain personal and sensitive data is a discipline that, in our experience, the DPO would like to improve.
How infoboss helps…
Infoboss provides the tools to efficiently meet your GDPR and other compliance obligations by automating many of the processes required. It enables you to:
- Automatically collect, index and classify your data using your business policy rules;
- Store in a secure, scalable, searchable enterprise data repository;
- Automatically discover personal and sensitive data;
- Monitor and enforce data retention and other data protection policies;
- Efficiently service data subject access requests (DSARs).
Infoboss undertakes the heavy lifting (and perhaps the mundane aspects) of the DPO role, saving valuable time and cost and significantly reducing the risk of a data protection breach or non-compliance. To discover more, please get in touch.