David and Goliath of GDPR – Part 2

This is the second in our series of articles on GDPR. Check our previous article here on GDPR Data Inventory, Data Processing and Right To Be Forgotten..

“Our Information Security is designed to prevent customer data downloads, now they want me to automate downloading it!” the IT architect said with bewilderment.

50 years ago, doctors and dentists were recommending smoking. Of course, we now know that it was bad advice, and society has had an about-face.

 

In this post, let us take a look at some GDPR principles that may be perceived as an ‘about face’ to the tenets of the traditional Information Security and Policies.

 

Again, roll with us here. The way we have structured these articles, “David” stands for the little but very powerful things that can go a long way. “Goliath” is for the seemingly more difficult, messier, and larger issues. And… surprise surprise… David and Goliath play on the same team.

 

Together, they vanquish that big bad enemy of non-compliance with GDPR! Oh, and if it wasn’t already evident, we truly believe that the enemy is non-compliance with GDPR. We believe that GDPR itself is a great friend for the responsible corporations of this world.

 

Data Minimization
As it says on the tin, just use only as much data as needed to accomplish a specific task. Also, no double dipping – data collected for a given purpose cannot be re-used for another purpose without additional consent.

The idea is to have reasonability of purpose and not treat personal data as a ‘free for all’ commodity.

David: Business process changes around gathering additional personal data attributes such as lead lists. For example, if you have marketing emails going to leads, consider removing all other elements that have no clearly defined purpose.

 

Also, do away with any unnecessary data enrichment. These changes may sound harder than they actually are.
Here is a thought-provoking article that applies to enterprises and start-ups alike.

  • Goliath: Technology solutions are designed to maximize data retention and actively prevent data deletion, so minimization and data deletion is counter-intuitive to its inherent architecture.

    Modifying business rules to remove required fields, particularly for unstructured data managed by code (Mainframe flat files), and changes to data aggregation/integration are hard problems to solve. These may take longer than planned.

Storage Limitation and Data Retention

Continuing with the theme of reasonability of purpose, retention is another important principle. Store personal data only for a legitimate duration and destroy it once its purpose is attained.

 

Keeping data because you can and wearing Bell Bottoms are both out of fashion and dangerous. Trust me, those flares can get stuck in escalators leaving you exposed!

Personal data without purpose and consent is a corporate liability, an accident waiting to happen, a ticking time bomb, if you will.

David: Automation of data expiration, deletion, or de-identification/obfuscation is one of the simplest steps for most modern systems.

Run a batch job, a scheduler, or whatever your systems support and just get it done. For example, automate the removal of ex-customers data once the contractual and legal obligations are done.

  • Goliath: It is the four-letter ‘D-word ‘Data’ as in D-Warehouses, D-Marts, D-Lakes and D-Back ups, D-Archives, as well as other miscellaneous information such as emails, social media messages, Photos, Videos, IP Addresses, Device, and sensor data. These can be harder problems to solve. Start by bringing transparency on this upfront with the data subjects if there is a larger timeline around it.

For Salesforce, you can use Compliance Cloud to de-identify records directly, or via automation such as Process Builder/Scheduled Jobs (coming soon in our next release).

Data Portability

Clearly as the name says,…Gimme my data! And in a format that is usable with other providers. Few other GDPR principles are as controversial for businesses as this because, at a glance, it makes customer churn easier. However, data portability is a big win for consumers and a boon for customer-centric companies.

Fixing the root cause that prompts customers to ask for their data can make portability an on-ramp, instead of an easier churn.

  • David: Standard business apps that can run reports and extract data as .csv or pdf files can make some parts of customer data portability easy. Combining that with specific guidance on sensitive data such as here is a great way to give customers another reason to consider staying. Portability standards such as Google’s and UK’s Midata are worth looking at and implementing for data portability.
Data Storage Unit Icon
  • Goliath: Perhaps the biggest challenge for Portability is to be able to bring it all together, especially if you are not a social networking giant. Customer data is littered across the enterprise systems, and often runs into challenges when you consider unstructured data (again). Consider implementing third-party systems that facilitate portability, but plan for grey areas, especially when the information was shared with more than one data subject.

Some of GDPR’s well-intentioned principles run counter to the way systems have been designed. Plan to expect technical and business challenges in meeting these requirements.

However, your organization can drive GDPR implementation to its advantage and offer a superior customer experience by embracing a transparent communication strategy.

 

PlumCloud Labs (Now Cloud Compliance) is engaged in the GDPR space. Contact us(info@cloudcompliance.app) if you have any questions or are interested in discussing this some more.

 

Also, GDPR is an incredibly large topic, and we have barely scratched the surface here. More to follow in the next set of articles in this series.

 

Meanwhile, please share your thoughts on what we’ve covered here and other GDPR-related topics you would like to hear more about.

Picture of Saurabh Gupta

Saurabh Gupta

Saurabh is an Enterprise Architect and seasoned entrepreneur spearheading a Salesforce security and AI startup with inventive contributions recognized by a patent.

Related Articles

Data Security Concept Art,
Salesforce Data Privacy

CPRA And Your Salesforce Org – Part 1

65% of the world’s population will be protected by privacy laws by the year 2023 (Source: Gartner).California Privacy Rights Act (CPRA) will only protect Californians. So,

Read More »
Salesforce, GDPR Data Inventory, Right To Be Forgotten, Data Minimization, David vs Goliath
Salesforce Data Privacy

David and Goliath of GDPR

“I don’t even know where to start…We have 5 Million customer records.” said the exasperated to-be DPO. As an American company that primarily does business

Read More »
Salesforce, Salesforce Data, salesforce security, Salesforce Data Reduction, Salesforce Data Management, Salesforce data retention
Salesforce Data Privacy

Salesforce and Cloud Compliance

Salesforce and Cloud Compliance, a four-minute read about what Salesforce does and how Cloud Compliance works with it. Let’s start by knowing about our needs

Read More »

Related Articles