David and Goliath of GDPR — Part 2

Cloud Compliance
5 min read · Jul 5, 2019

This is the second in our series of articles on GDPR. Check our previous article on GDPR Data Inventory, Data Processing, and Right To Be Forgotten.

“Our Information Security is designed to prevent customer data downloads, now they want me to automate downloading it!” the IT architect said with bewilderment.

50 years ago, doctors and dentists were recommending smoking. Of course, we now know that it was bad advice, and society has done an about-face. In this post, let us take a look at some GDPR principles that may be perceived as an ‘about-face’ from the tenets of traditional Information Security and Policies.

Image Credit: https://www.deviantart.com/bridge-troll/art/Nana-and-Goliath-406825049

Again, roll with us here. The way we have structured these articles, “David” stands for the little but very powerful things that can go a long way. “Goliath” is for the seemingly more difficult, messier, and larger issues.

And… surprise surprise… David and Goliath play on the same team. Together, they vanquish that big bad enemy of non-compliance with GDPR! Oh, and if it wasn’t already evident, we truly believe that the enemy is non-compliance with GDPR. We believe that GDPR itself is a great friend for the responsible corporations of this world.

Data Minimization

As it says on the tin, use only as much data as needed to accomplish a specific task. Also, no double dipping: data collected for a given purpose cannot be reused for another purpose without additional consent.

The idea is to have reasonability of purpose and not treat personal data as a ‘free for all’ commodity.

  • David: Business process changes around gathering additional personal data attributes such as lead lists. For example, if you have marketing emails going to leads, consider removing all other elements that have no clearly defined purpose. Also, do away with any unnecessary data enrichment. These changes may sound harder than they actually are.

Here is a thought-provoking article that applies to enterprises and startups alike.

  • Goliath: Technology solutions are designed to maximize data retention and actively prevent data deletion, so minimization and data deletion run counter to their inherent architecture. Modifying business rules to remove required fields, particularly for unstructured data managed by code (Mainframe flat files), and changes to data aggregation/integration are hard problems to solve. These may take longer than planned.

Storage Limitation and Data Retention

Continuing with the theme of reasonability of purpose, retention is another important principle. Store personal data only for a legitimate duration and destroy it once its purpose is attained. Keeping data because you can and wearing Bell Bottoms are both out of fashion and dangerous. Trust me, those flares can get stuck in escalators leaving you exposed!

Personal data without purpose and consent is a corporate liability, an accident waiting to happen, a ticking time bomb, if you will.

  • David: Automation of data expiration, deletion, or de-identification/obfuscation is one of the simplest steps for most modern systems. Run a batch job, a scheduler, or whatever your systems support, and just get it done. For example, automate the removal of ex-customers' data once the contractual and legal obligations are done.

Documents on this website are free for reuse as templates to model retention policies.

Understanding what information to keep and disposing of information that is no longer needed is an important part of effective information management. In fact, disposal is something that you are required to do under legislation such as the Public Records Act and Data Protection Act.

  • Goliath: It is the four-letter ‘D’ word ‘Data’ as in D-Warehouses, D-Marts, D-Lakes, D-Backups, and D-Archives, as well as other miscellaneous information such as emails, social media messages, photos, videos, IP addresses, device data, and sensor data. These can be harder problems to solve. Start by bringing transparency on this upfront with the data subjects if there is a larger timeline around it.

For Salesforce, you can use Compliance Cloud to de-identify records directly, or via automation such as Process Builder/Scheduled Jobs (coming soon in our next release).
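The "David" batch job described above can be sketched as follows. This is an added example, not Cloud Compliance's code or part of the original article. The `customers` table, its column names, the `legal_hold` flag, and the six-year retention period are all assumptions made for illustration. It de-identifies records in place rather than deleting them, and it is safe to run repeatedly from a scheduler.

```python
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 6 * 365  # assumed post-contract retention period; set per your policy

def build_sample_db():
    """Constructed sample data: three ex-customers and one active customer."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE customers (
        id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,
        contract_end TEXT, legal_hold INTEGER DEFAULT 0, deidentified_on TEXT)""")
    db.executemany(
        "INSERT INTO customers (id, name, email, phone, contract_end, legal_hold)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [(1, "Ann Example", "ann@example.com", "555-0101", "2012-03-31", 0),
         (2, "Bob Example", "bob@example.com", "555-0102", "2012-06-30", 1),  # legal hold
         (3, "Cy Example", "cy@example.com", "555-0103", "2018-12-31", 0),    # in retention
         (4, "Di Example", "di@example.com", "555-0104", None, 0)])           # active
    db.commit()
    return db

def deidentify_expired(db, today, retention_days=RETENTION_DAYS):
    """De-identify ex-customers whose retention period has lapsed.

    Skips active customers, records under legal hold, and records that were
    already processed, so repeated runs change nothing. Returns affected ids.
    """
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    ids = [row[0] for row in db.execute(
        """SELECT id FROM customers
           WHERE contract_end IS NOT NULL AND contract_end < ?
             AND legal_hold = 0 AND deidentified_on IS NULL
           ORDER BY id""", (cutoff,))]
    with db:  # single transaction: either every expired record is scrubbed or none
        for cid in ids:
            db.execute(
                """UPDATE customers
                   SET name = ?, email = NULL, phone = NULL, deidentified_on = ?
                   WHERE id = ?""",
                (f"deidentified-{cid}", today.isoformat(), cid))
    return ids

if __name__ == "__main__":
    db = build_sample_db()
    print("de-identified ids:", deidentify_expired(db, date(2019, 7, 5)))
```

The returned ids give the scheduler something to log as evidence that the retention policy ran, without writing the personal data itself to the log.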

Data Portability

Clearly, as the name says… Gimme my data! And in a format that is usable with other providers. Few other GDPR principles are as controversial for businesses as this because, at a glance, it makes customer churn easier. However, data portability is a big win for consumers and a boon for customer-centric companies.

Fixing the root cause that prompts customers to ask for their data can make portability an on-ramp, instead of an easier churn.

  • David: Standard business apps that can run reports and extract data as .csv or pdf files can make some parts of customer data portability easy. Combining that with specific guidance on sensitive data such as here is a great way to give customers another reason to consider staying. Portability standards such as Google’s and UK’s Midata are worth looking at and implementing for data portability.

This article from EFF is a good read for more on Data Portability.

“Data portability” is a feature that lets a user take their data from a service and transfer or “port” it elsewhere. This often comes up in discussions about leaving a particular social media platform and taking your data with you to a rival service.
  • Goliath: Perhaps the biggest challenge for Portability is to be able to bring it all together, especially if you are not a social networking giant. Customer data is littered across enterprise systems, and often runs into challenges when you consider unstructured data (again). Consider implementing third-party systems that facilitate portability, but plan for grey areas, especially when the information was shared with more than one data subject.

tl;dr: Some of GDPR’s well-intentioned principles run counter to the way systems have been designed. Expect technical and business challenges in meeting these requirements. However, your organization can drive GDPR implementation to its advantage and offer a superior customer experience by embracing a transparent communication strategy.

PlumCloud Labs is engaged in the GDPR space. Contact us at info@cloudcompliance.app if you have any questions or are interested in discussing this some more.

Also, GDPR is an incredibly large topic and we have barely scratched the surface here. More to follow in the next set of articles in this series. Meanwhile, please share your thoughts on what we’ve covered here and other GDPR-related topics you would like to hear more about.

Cloud Compliance

Salesforce ISV, creator of 'Cloud Compliance - GDPR Data Management' AppExchange package to remove personal data and de-identify records without deleting them.