Though GDPR has been making international headlines for the last three years, authorities and corporations are still in their nascency regarding enforcement and compliance. Late last year, German data protection authorities issued the first multi-million euro GDPR fine, a €14.5 million penalty for a real estate company’s failure to meet data retention requirements.
This came on the heels of the government’s move to introduce a new model for calculating GDPR fines—a complex framework intended to drive increased severity of penalties. With these activities and more on the horizon, Germany is proving to be one of the most active GDPR regulators in Europe, with more than €25 million in fines and nearly 20 enforcement decisions to date.
When regulators first began requiring compliance management systems, we saw a flurry of activity as companies deployed them and assumed their efforts were sufficient. Then, once the systems were in place, a wave of audits was conducted to check their effectiveness. In many cases, these audits led to organizations being required to adjust and readjust their practices and technological solutions. GDPR will be similar. Corporations had two years to do their homework and implement procedures to ensure their data was managed in accordance with the law. But now, as enforcement ramps up across Europe and in Germany, it’s becoming clear that many of the “good enough” programs in play to date are not fully meeting regulator expectations.
Gaps between new privacy frameworks and IT infrastructure
For the most part, organizations have done a sound job of assessing risk and establishing overarching policies and procedures that improve their data privacy posture. So, what’s missing? All too often, organizations leave gaps between their new privacy frameworks and their IT infrastructure. To truly ensure and maintain compliance, teams must bridge those gaps and ensure their procedures and processes are fully and seamlessly aligned with IT operations. Data privacy teams need to work collaboratively with IT and business teams to identify systems that process potentially sensitive data, and to evaluate every step the data goes through from both a business and a technical perspective. Without a doubt, doing so will reveal that their data privacy programs need to look and operate differently once layered onto the IT landscape.
What does this look like in the real world? Consider an organization that begins its relationship with a customer on a web page. The customer enters personal information on that page to begin some kind of transaction. That data is logged on the web server and sent to a database—meaning two different systems now contain the same personal information. It’s possible that during the movement of data from the web server to the company database, log files were also created, potentially creating a third instance of the data. The data may or may not be encrypted during transmission, and encryption may have been applied at some stages and not others, on the company network or on the internet, so some of the records (or all of them, if there was no encryption step at all) may be stored unencrypted and are therefore less protected. In many systems, processes run daily that take new entries in the company database, move them to a CRM database, and then assign an employee who will contact the customer and move the transaction forward. In many cases, the employee will save the data in an Excel sheet on their computer to make their work more efficient or to analyze data that helps them get their job done. This means there are now up to six different instances of the data stored in different locations inside the organization.
Sensitive data can proliferate unchecked – how can this be prevented?
There is no one-size-fits-all solution for dealing with these issues. But there are clear steps organizations can take to begin tackling data privacy compliance at the IT level.
- Providing appropriate solutions for storing personal data and carrying out extensive training to ensure employees who use these enterprise systems to store personal data are not creating separate, individual databases, Excel sheets or reports containing sensitive information.
- Assessing the IT landscape to both map applications containing personal data and understand exactly how the data flows, whether and when/where it is encrypted and the parameters of every system that interacts with sensitive information.
- Establishing protocols to understand golden sources of data and ensuring that if data is transmitted from system A to system B, it is maintained, updated and/or deleted based on changes made in the originating system. If the data is migrated from legacy to new systems, ensuring legacy data is deleted and is not forgotten about in the original database.
- Ensuring you have a clear retention policy and schedule which defines how long you are required to retain data for regulatory, legal or business requirements.
- Investing in remediating legacy data according to your retention schedule. At any point in the future, a regulator may look at your data landscape and impose a fine for improper retention or handling of personal or sensitive data. Disposing of anything that is not essential to regulatory or business requirements. Any data that is retained should be fully safeguarded and encrypted.
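The checks behind the data-flow mapping, golden-source and retention steps above can be modelled as a small data inventory. The following is an added example written for this article, not code from the original page: it assumes constructed system names, a constructed retention schedule, and one customer record copied along the path described earlier (web server log, company database, transfer log, CRM, employee spreadsheet), and it reports unencrypted copies, systems missing from the retention schedule, copies past their retention period, and which copies an erasure in one system actually reaches.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class DataCopy:
    system: str            # where this copy of the record lives
    record_id: str
    source: "str | None"   # system it was copied from; None marks the originating capture
    encrypted: bool
    created: date
    deleted: bool = False

@dataclass
class Inventory:
    copies: list = field(default_factory=list)
    retention_days: dict = field(default_factory=dict)  # system -> maximum days to keep

    def live(self, record_id):
        return [c for c in self.copies if c.record_id == record_id and not c.deleted]
    def unencrypted(self, record_id):
        return sorted(c.system for c in self.live(record_id) if not c.encrypted)
    def unscheduled(self):
        # systems holding personal data that the retention schedule does not cover
        return sorted({c.system for c in self.copies} - set(self.retention_days))
    def expired(self, record_id, today):
        return sorted(c.system for c in self.live(record_id) if c.system in self.retention_days
                      and today - c.created > timedelta(days=self.retention_days[c.system]))

    def delete_cascade(self, record_id, system):
        """Erase the copy held in `system` and, transitively, every copy derived from it."""
        removed, pending = [], [system]
        while pending:
            current = pending.pop()
            for c in self.live(record_id):
                if c.system == current:
                    c.deleted = True
                    removed.append(c.system)
                if c.source == current:
                    pending.append(c.system)
        return sorted(removed)

def build_sample(today):
    # Constructed inventory: one customer record and the stored copies from the scenario above.
    inv = Inventory(retention_days={"web_server_log": 30, "company_db": 365, "transfer_log": 30, "crm_db": 365})
    created = today - timedelta(days=90)
    for system, source, enc in [("web_server_log", None, False), ("company_db", "web_server_log", True),
                                ("transfer_log", "company_db", False), ("crm_db", "company_db", True),
                                ("employee_excel", "crm_db", False)]:
        inv.copies.append(DataCopy(system, "cust-0001", source, enc, created))
    return inv
```

Running the sample shows the point of the golden-source step: an erasure executed only in the company database cascades to the CRM, the transfer log and the spreadsheet, but the web server log, which was not derived from the database, keeps its copy and has to be handled separately.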
To date, GDPR compliance at most organizations has been approached from the top down. Policies and procedures are essential. However, now that most organizations have those in place, it is time to begin revisiting GDPR programs from the bottom up — starting with the systems where data lives, to ensure cohesive alignment between the existing privacy policies, business requirements, and the IT systems and infrastructure.