David and Goliath of GDPR
“I don’t even know where to start… We have 5 million customer records,” said the exasperated to-be DPO.
As an American company that primarily does business in the US, one of our clients thought GDPR was not something they needed to worry about. Boy, were they wrong! Privacy regulations such as GDPR have made personal data privacy a serious issue for businesses – and this post discusses how your organization can make meaningful progress.
A few months before the GDPR deadline, the auditor of our client company informed them that if they held data of EU residents, they were under the purview of GDPR. Unfortunately, there was no easy way to find this out because, as a B2B company, they did not store the nationality of their Contacts and Leads in their CRM system. However, it was certainly a possibility, and the CEO was not taking any chances.
We went in and did a risk assessment and mitigation workshop for the client. In this series of articles, we will share some of the lessons learned.
“David” in these articles stands for the little but very powerful things that can go a long way. “Goliath” is the seemingly more difficult, messier, and larger issue. And give us some leeway here: the way we have structured these articles, David and Goliath play on the same team and vanquish the common enemy of non-compliance with GDPR!
Creating a company-wide Data Inventory of customer info
Gathering and classifying customer information within the enterprise is often the logical first step. This is a great place to start. Make sure your information security, compliance, legal and other teams bless this effort and your company can show reasonable progress fairly quickly.
Here is an article by IAPP that does a great job of offering more information:
- David: If you are a mid-sized business with a limited number of systems (usually under 10) to handle customer data (CRM, ERP, Financials, CMS, Data Warehouse, etc.), you can gather a high-level data inventory relatively easily. It is an absolute must and can be easily accomplished with internal resources or external analysts.
- Goliath: Since time immemorial, humans have known that not washing our hands and unstructured data solutions are bad ideas. Customer data in spreadsheets, Access databases, post-its, flash drives, online folders, and personal storage solutions now carries a much larger consequence. This is the hardest (expensive and time-consuming) area to deal with. Self-reporting and e-Discovery solutions are good first steps.
Give us a shout at firstname.lastname@example.org if you need help with Data Inventory and Mapping!
Lawful basis for Data Processing
GDPR recognizes 6 lawful bases for data processing. Understanding which one applies to each item in your data inventory, and, more importantly, where your organization is on shaky ground, will make all the difference. This is one area where good GDPR expertise is unquestionably worth paying top dollar for.
- David: Current customers and other contractual parties (partners, employees) are the easy ones. As part of the data inventory effort, a simple matrix should flag all the data covered under these bases.
- Goliath: The slippery slope of “legitimate reason” is perhaps one of the more ambiguous areas of GDPR. Tight alignment with the experts early in the GDPR initiative can help prevent costly fines later. In addition, the lawful basis for your processing also affects which rights are available to the data subjects. This handy table from IAPP is a good back-pocket reference to understand this better.
Right to be forgotten / Data erasure
Someone requests that your company “forgets them”. It’s simple: just delete their record across all systems, including backups, demonstrate proof of deletion (i.e. remember who we have forgotten, which itself sounds oxymoronic) and call it a day. There are point solutions to address this specific issue, but this issue, more than others, requires a careful blending of process and technology.
- David: De-identification across specific systems using specialized solutions to obfuscate data (making it completely unusable) is a pragmatic solution. An example of this is our product “Cloud Compliance” for Salesforce – which de-identifies, generates proof of de-identification, and stores that proof securely. Combined with training and business-process redesign, this can be achieved across structured systems.
- Goliath: Record deletion in unstructured data – documents, emails, social media posts, and the like – can be a challenge. The key is to make plans and specifically communicate to requestors how their data will be removed. Often, this may take time across all channels, but as long as there is a policy in place that is approved by your compliance team, it may be defensible.
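The “remember who we have forgotten” paradox above has a standard answer: keep a keyed hash of the subject’s identifier, not the identifier itself, alongside a digest of the scrubbed record. The sketch below is an added illustration written for this post, not code from Cloud Compliance or from any CRM vendor; the CRM records, the field list and the compliance key are all constructed for the example. It de-identifies the PII fields of a structured record in place, checks that no original PII value survived, and appends an erasure proof to a ledger that can later confirm a request was honoured without re-storing the email address.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Fields that identify a person in this constructed CRM schema. Non-identifying
# fields (region, lifetime value) stay so aggregate reporting still works.
PII_FIELDS = ("name", "email", "phone")

# Constructed sample records; not real customer data.
CRM = {
    "0031": {"name": "Anna Example", "email": "anna@example.org",
             "phone": "+44 20 7946 0000", "region": "EU", "lifetime_value": 1240.50},
    "0032": {"name": "Bob Sample", "email": "bob@example.com",
             "phone": "+1 555 0100", "region": "US", "lifetime_value": 85.00},
}


@dataclass(frozen=True)
class ErasureProof:
    record_id: str
    subject_token: str       # HMAC of the normalised email under the compliance key
    scrubbed_fields: tuple   # which fields were replaced
    record_digest: str       # SHA-256 of the record as it was stored after scrubbing
    processed_at: str        # ISO-8601 timestamp supplied by the caller


def subject_token(email: str, compliance_key: bytes) -> str:
    """Keyed hash of the identifier. Without the key (held by compliance, not by
    the CRM) the token cannot be turned back into, or matched against, an email."""
    normalised = email.strip().lower().encode()
    return hmac.new(compliance_key, normalised, hashlib.sha256).hexdigest()


def deidentify(record: dict, record_id: str) -> dict:
    """Return a copy with every PII field overwritten by an unusable placeholder."""
    scrubbed = dict(record)
    for field in PII_FIELDS:
        if field in scrubbed:
            scrubbed[field] = f"REDACTED-{record_id}"
    return scrubbed


def record_digest(record: dict) -> str:
    """Canonical JSON digest so the proof can later be checked against storage."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def forget(crm: dict, ledger: list, record_id: str,
           compliance_key: bytes, processed_at: str) -> ErasureProof:
    """Scrub one record in place and append a proof of erasure to the ledger."""
    original = crm[record_id]
    token = subject_token(original["email"], compliance_key)
    scrubbed = deidentify(original, record_id)
    # Refuse to sign off if any original PII value is still present anywhere.
    serialised = json.dumps(scrubbed)
    leaked = [f for f in PII_FIELDS if f in original and str(original[f]) in serialised]
    if leaked:
        raise ValueError(f"PII survived de-identification: {leaked}")
    crm[record_id] = scrubbed
    proof = ErasureProof(record_id, token, PII_FIELDS, record_digest(scrubbed), processed_at)
    ledger.append(proof)
    return proof


def was_forgotten(email: str, ledger: list, compliance_key: bytes) -> bool:
    """Answer 'did we process this person?' from the ledger alone, without PII."""
    token = subject_token(email, compliance_key)
    return any(hmac.compare_digest(p.subject_token, token) for p in ledger)


def proof_still_matches(crm: dict, proof: ErasureProof) -> bool:
    """Detect a restore from backup that silently re-populated the record."""
    return record_digest(crm[proof.record_id]) == proof.record_digest


if __name__ == "__main__":
    key = b"constructed-compliance-key"   # would live in a secrets manager
    ledger = []
    proof = forget(CRM, ledger, "0031", key, "2018-05-25T00:00:00Z")
    print(CRM["0031"])
    print("forgotten:", was_forgotten("Anna@Example.org", ledger, key))
    print("storage matches proof:", proof_still_matches(CRM, proof))
```

The two checks at the end are the ones worth keeping in a real pipeline: `was_forgotten` lets the DPO answer a repeat request (or a regulator) without holding the email again, and `proof_still_matches` catches the classic failure where a backup restore quietly brings the record back after you have already certified its deletion.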
Summary: There are areas within GDPR where quick progress can be made, and others where it is more tedious. The trick is to know how to spend your time and effort, and where to focus on your GDPR initiatives.
PlumCloud Labs is engaged in the GDPR space. Contact us if you have any questions or are interested in discussing this some more.
Also, GDPR is an incredibly large topic and we have barely scratched the surface here. More to follow in the next set of articles in this series. Meanwhile, please share your thoughts on what we’ve covered here and other GDPR-related topics you would like to hear more about.