A recent IDC survey indicated that the General Data Protection Regulation (GDPR) is confusing. Why is this? Just under 90 pages long, the regulations aren’t that large; the document is certainly no "War and Peace." With this in mind, I’ve put together my view on why this seems to be the case, and a few actions you can take to deal with it.
It puts you outside your comfort zone
The likelihood is that the GDPR affects every part of your organization; it cuts across many different disciplines and departments. The core of the GDPR is added to significantly by the recitals that provide definitions and it is likely to stretch even a dedicated Compliance Officer. Unless the program lead for the GDPR is a Compliance Officer, that person is unlikely to have enough knowledge to understand its process impact for every other department, or the full extent of the business and technical challenges it poses.
‘I’m not a lawyer’
If you don’t have in-house legal counsel playing a lead role in your GDPR program, gaining access to legal help with the GDPR isn’t an option you can avoid, especially if your organization has more than 250 employees or processes the data of children. Even if you get help, translating that into the effect on your business can still be tricky. For example, more and more businesses use automated decision making and customer profiling. The rules for this have been tightened significantly. Un-picking the actual logic or AI that you use and applying the regulations to it may not be easy. Or it may add constraints that mean more human intervention.
GDPR is sometimes vague
When we’re given instructions, it always helps if they are clear. While many parts of the GDPR are indeed clear, the regulations also use non-specific terms such as ‘reasonable,' ‘adequate’ or ‘large.' This means you have to take a view on just how much action to take to mitigate risk. The ‘Right To Be Forgotten’ request is a great example. After a request, should you delete a subject’s data from backups too? Or is embedding a process to re-delete after a recovery good enough? Should you eradicate tape as your long-term storage media? The decision is yours.
GDPR doesn’t take account of current technology
Data proliferation has a way of dispersing Personally Identifiable Information (PII) to every corner of your IT systems (including cloud and SaaS), regardless of any rules you put in place for employees to follow. Finding and profiling this data to assess your risk is tricky, let alone deleting it if required to. Additionally, profiling can’t be a one-off event and should be ongoing. Old ways of managing consent, storing and processing data will have to change because of the GDPR, whether your systems and applications are ready or not.
It defines a new role: director of business prevention
Of course, the GDPR doesn’t really do this. However, the GDPR does say you must employ the services of a Data Protection Officer if you perform ‘large scale’ processing or are a public body. This individual carries the can for privacy in your organisation; is your interface with the regulator; and must be free of conflicts of interest from those who have a vested interest in processing personal data. You can be sure they will say ‘no’ pretty often.
Neutralise the confusion
With 51 different ways to get fined for the GDPR1, it’s important to neutralise the confusion and resulting inaction. If you haven’t started yet, begin now and get your board to sanction the resources for the GDPR. Make sure you get a representative from every department involved and ensure you run a Data Protection Impact Assessment. Commvault runs workshops that can get you started or accelerate your GDPR journey. We have number of specialist partners with GDPR skills. Learn more on our GDPR page. You can also access the IDC whitepaper on the "Five Steps to GDPR Compliance."
1GDPR: 51 WAYS TO GET INTO TROUBLE WITH THE GDPR (AND IT WILL COST YOU MILLIONS), The Data Protection Network, July 2017