The “right to be forgotten” (RTBF) is best known in connection with the ruling that EU residents can request outdated or irrelevant information about themselves be removed from search engine results.
Soon, the GDPR will put a similar requirement on all companies. If someone requests that information about them be removed from your records, the company must find and delete all instances of that person's data, unless there is a competing requirement to retain it.
GDPR data means personally identifying data (names, phone numbers, bank details, etc.). Putting processes in place to discover, manage and delete it is a big ask for many companies.
Where do I start?
The first thing to do is to read and understand the regulation.
Consider how it relates to other regulations you are subject to; for example, you may be required to keep financial transaction data for a certain period of time. Look at your risk management, IT systems and policies to understand how compliant you already are and what needs to change.
Once you have a sense of what data you would need to delete, you should conduct an information discovery audit to understand what personal data you hold and where it can be found.
Most personal data will be about employees, suppliers, or customers/prospects. Some will be in obvious places like CRM databases; some will be more complex to locate, e.g. in files generated from reports, which people keep on their laptops or file servers. Easy-to-use solutions are available to perform data-at-rest scans that identify files containing GDPR data, whether they are on laptops, file servers or cloud collaboration sites.
Furthermore, there is a need to understand how GDPR data is shared, e.g. contact lists sent to a telesales company. Working with the departments holding critical data to map data flows will create that understanding. Even when the information goes outside the organisation, it is still your responsibility, so you need to know who you've shared it with so that you can make a corresponding RTBF request to them.
The one year countdown: planning for GDPR
Mapping, monitoring and scanning for critical GDPR information will highlight what you need to do to be compliant, what you are already doing, and where there are gaps. Use your findings to start the plan to comply with the GDPR. GDPR is already in place, but from May 2018 will be rigorously enforced with heavy fines.
We suggest focussing on three main areas: people, processes and technology.
People are your biggest strength and biggest weakness. They make mistakes, store information in the wrong place, and use shortcuts which put data outside the control of the IT department. Companies need to understand how their employees share information, and look at education or awareness programmes, or cultural changes, to plug the gaps.
Processes are partly about preparing for an RTBF request and defining the action you will take when you get one, though other processes will also need to be updated or introduced in order to become compliant. Becoming compliant is really about good data governance and reducing risk: for example, limiting who can access and share certain information, preventing information being taken off the network, and having contracts with suppliers about how they may use your data.
Technology can help GDPR compliance by automating manual data protection processes, enforcing security policies, and providing visibility of data flowing in and out of your organisation. Adaptive security systems can be set up quickly to redact GDPR information out of any communication automatically and consistently, based on policy. This helps avoid human error (an email to the wrong person), but also saves you redesigning many processes, such as apps that automatically generate customer reports.
Good data governance for all
There is a temptation to think all these new rules are an unfair “tax” on business. But GDPR is designed to help organisations achieve good data governance, protecting customers and employees. It's all good practice which companies should be doing anyway.
For those that aren't, GDPR is a wake-up call. Yes, there will be fines and reputational damage if you are not compliant. But more importantly, there are rewards if you get it right: improved trust with customers and partners, for starters. We have a year; if you're not already prepared, today is the day to start the journey towards compliance.
Contributed by Dr Guy Bunker, SVP products, Clearswift
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.