Jenny is the CIO of a multinational company who had been tasked with ensuring compliance for when the General Data Protection Regulations (GDPR) come into effect in May 2018. Fortunately, Jenny is very switched on and broke the compliance problem down into five stages to aid the project. In this blog, I will explain how she completed her task.
General Data Protection Regulations (GDPR)
As CIO, information security is a top priority of Jenny’s, so when the GDPR was set back in 2016, she saw it as an opportunity to enhance existing data security processes and the information housed within them. She also knew that the GDPR is part of a wider project to bolster data security, online security and citizens’ rights over their personal data.
Jenny also considered the changes in data, systems and processes as an opportunity to reduce data processing costs and improve data analytics.
In an address to the board, and subsequently a broader communication to all staff, Jenny explained that when it comes down to it, GDPR compliance is about having the ability to store and process personal data securely, responsibly and lawfully.
To accomplish compliance, she set up a team to review processes, systems and data in five stages of an end-to-end data lifecycle, where each stage has a unique requirement when it comes to compliance. The five stages were: data collection, data storage, data recall, data maintenance and data processing.
The five-step GDPR compliance model
1. Data collection
All existing personal data (PD) was identified and the systems and processes surrounding that data logged for review and possible change. Some PD was deemed unnecessary and deleted, and the remaining PD was flagged as needing to be re-permissioned.
Any process which collected new PD was adjusted to record data subject consent for processing or one of the other lawful grounds for processing. Re-permissioned data was updated using a similar process.
2. Data storage
The systems used to store PD were updated to include fields which related to ‘purpose’ for holding the data, legal grounds for processing, processing dates, and actions which could (and in some cases, could not) be performed.
Each systems’ data security, role security, data backup, and access protocols were considered in light of more general data security and found to be sufficient for the purposes of compliance.
3. Data recall
Of particular concern to Jenny was the requirement to provide a detailed report to the data subject upon their request of all data held in the system; why it was being held, where it was being used and how long was left on each data item. Designing and writing the report was not in itself the issue, but moreover, ensuring PD was stored and tagged correctly was essential if the report was to provide the right data. This required extra scrutiny of the data collection and storage processes.
4. Data maintenance
While the data re-permission exercise ensured data was up to date at that time, it was critical that data maintenance processes were considered for all data subjects to have the ability to maintain their records. For in-house data subjects, Jenny allowed self-service for PD updates and updated processes, allowing external subjects to update their data.
5. Data processing
Data should be processed in accordance with the legal grounds set out in the GDPR, and in compliance with the wishes of the data owner. Ensuring the data collected was only used for the purposes given, required changes to processes which called upon the data prior to actions being taken had to be performed with it (such as e-mailing or telephoning the data subject). This required extra data about allowable actions to be collected and stored, which ensured automated processes only picked up compliant data for complaint actions.
The final result
Throughout the GDPR project, Jenny kept true to the spirit of the regulation by considering security, responsibility and lawfulness. Using regular communications with the board, data controllers and users, Jenny was able to inform, educate and incorporate compliant processes.
By breaking the end-to-end data lifecycle down into five stages, the project team was able to deal with the data, systems and processes requiring change in a logical manner.
Having completed the project, Jenny reported that data volumes had reduced considerably, while data quality had risen. With refreshed processes, clean data and lower volumes, data processing costs had reduced, and data analytics were more effective.
How your business can achieve GDPR compliance
To help you better understand the GDPR and how your organization can achieve compliance, we’ve put together the podcast, GDPR: Compliance burden or business opportunity? and the white paper, IFS Information Security: General Data Protection Regulation.
I welcome comments on this or any other topic concerning finance, HCM, CSR and business strategy.
Connect, discuss, and explore using any of the following means:
- Twitter: @stevetreagust
- Email: firstname.lastname@example.org
- Blog: http://blog.ifs.com/author/steve-treagust
- LinkedIn: https://www.linkedin.com/in/stevetreagust
Do you have questions or comments about GDPR compliance?
We’d love to hear them so please leave us a message below.