Last week, the DMA estimated that 27% of UK marketers thought their organisation was either behind schedule or had made no plans at all for GDPR compliance. So, what is the basic minimum an organisation needs to do to become GDPR compliant, and then how does it maintain that without overly sapping scarce resources?
From our experience, getting GDPR ready means answering three tricky questions:
- How can I identify and then catalogue all the personal and sensitive customer data that I hold across all data sources throughout my IT infrastructure?
- How can I create a single view of all this information to easily identify all data belonging to any particular data subject?
- How do I maintain readiness to respond in a timely manner to all GDPR-related requests?
If these challenges remain unsolved, then GDPR compliance will be complicated by the need to manually locate data and the constant repetition of effort as staff must perform searches and collate data from multiple source systems for every GDPR request received.
To help, we have identified a four-step solution that can be put in place quickly and painlessly by any size of organisation.
The first step is to discover what personal and sensitive data is held where.
This information is found in structured databases, semi-structured XML files, unstructured file systems on individual workstations and cloud-based file systems. Whatever the system, you need to check whether it holds personal or sensitive data.
Using deep-dive data mining, the location, type, and volume of all personal and sensitive data can be discovered. This search should encompass anywhere that customer information might reside, from your operational systems to customer testimonials to marketing mailing lists and everything in between.
Data discovery software can take all this information and search against it simultaneously, instantly finding and collating everything from siloed data sources.
Cataloguing and Tagging
An information tagging strategy is needed to get a clear picture of all the information a company owns and to understand which data subject each item belongs to.
Modern data discovery software includes metadata cataloguing to help identify what data is held where, why and by whom.
Creating a Single Data View
This means creating an indexed copy of all your data. This ‘clipboard’ of the data we discovered in step 1 and catalogued in step 2 gives you a single view of all your customer data, wherever it is held across your IT infrastructure. What you now have is a portal for accessing all your data about any individual customer.
Once the audit process has been completed and the organisation’s data is compliant, this inventory continues to refresh and stay up-to-date. This provides a central ‘living’ information management platform that helps maintain ongoing compliance and provides additional value to help users respond to data subject rights and manage data breaches in an efficient and automated manner.
Ongoing GDPR compliance is achieved by following the new standards for storing and using customers’ personal and sensitive data, and by responding in a timely manner to requests from data subjects.
GDPR establishes lots of rights for individuals – the right to be informed, the right of access, the right to erasure, the right to object and so on.
To respond to these requests from data subjects, your staff can now trawl through the data without having to log into multiple systems and search through multiple databases.
This single view also provides a powerful resource for maintaining information security and establishing what data is being processed, whose data it is, why it is being processed and by whom.