
Just how much of my information do you hold?

GDPR aims to bring data protection legislation into line with the new ways that data is now being used. But with the market full of ‘get ready’ chatter, many plans are behind schedule as the intention to implement just-in-time privacy keeps slipping.

Last month we passed the first anniversary of the EU’s General Data Protection Regulation’s (GDPR) publication in the Official Journal of the European Union. GDPR aims to bring data protection legislation into line with new, previously unforeseen ways that data is now being used and will require all organisations that operate across Europe to apply the same data protection rules. The market is full of ‘get ready’ chatter, but many plans are behind schedule as the intention to implement just-in-time privacy keeps slipping.
 
As we continue to burn through the two years + 20 days grace period to 25 May 2018, the Information Commissioner’s Office (ICO) has set out a clear timetable for guidance whilst gearing up for action.
 
Item 2 on the ICO’s to-do list is “You should document what personal data you hold”. This seemingly straightforward task takes on mesmerising complexity as one realises it’s not just official IT, but shadow IT and personal IT that needs to be logged. And it’s not just digital, but physical in all its forms including print-outs, presentations, payslips and more.
 
It quickly becomes clear that cataloguing information held in personal clouds as well as in corporate data stores isn’t quite so simple. So, how do you do it and where do you start?
 
Whilst it is possible to run network discovery tools and entity discovery tools to understand the items in apps, or log on with admin privileges to review the systems estate screen by screen, going back to basics with a simple series of whiteboarding workshops with the people who need to know is often still the best way to get going.
 
But which data do you begin with – customer or colleague? Identity or access entitlement? Profiling or preferences? Product holding or creditworthiness? Clearly, the need is to do it all, but there is a big risk of analysis paralysis setting in at worst, or a simple loss of engagement at best, as you dig into the detail.
 
Getting your head around where consent data sits, how it is shared and how it is compared and cross-referenced across channels and touchpoints through a customer’s journey is an engaging and revealing way in.
 
In a recent webinar on preparing for the GDPR, BAE Systems compared organisational responses to the new regulation to five animal types – the elephant, the gazelle, the fox, the hedgehog and the ostrich. Whilst the elephant (a minority) is quietly confident at this stage, the gazelle is springing into action as we tick past the year-to-go mark.
 
Nick Rhodes, Business Solutions Privacy Lead 22 May 2017