The EU’s General Data Protection Regulation (GDPR) is upon us. Key to GDPR is the right of those for whom we retain data to know we have data, to question it or even to demand its deletion. These are data subjects, and dealing with requests from data subjects will form a huge part of GDPR compliance.
In this podcast, Mathieu Gorge, CEO of Vigitrust, talks about the key things you need to do to gain storage compliance with GDPR, so you are ready to deal with data subject requests. This includes a plan to map your data, classify it and access it to meet GDPR requirements.
Antony Adshead: There are less than 50 days until GDPR comes into force. What do we need to know?
Mathieu Gorge: GDPR will come into action on 25 May, so that’s less than 50 days from today.
Now, we often talk about the five stages of denial, or grief, with regard to GDPR.
The first is denial: “It doesn’t apply to me.” Well, it applies to you if you take data pertaining to data subjects in the EU or if you profile data, whether you’re based in the EU or not.
The second one is anger: “Why does GDPR apply to us?” Well, it applies because it’s an extra-territorial regulation, so, regardless of whether you’re based in the EU or not and you’ve got data pertaining to data subjects from Europe, you’re in scope.
The next stage would be bargaining. You can’t really bargain with GDPR. You have to do it all. It’s not really an à la carte thing.
The next stage is, typically, depression: “Are we really going to be ready by 25 May?” If you haven’t started, it might be a bit of a challenge, but as long as you have a roadmap to demonstrate you’re going in that direction, you should be good.
And in the end, you get acceptance, which is: “It will work!”
Having said that, one of the key things that clients ask about at the moment is: “What about data subject requests?”
This is where an individual data subject sends a request to see all the data you have on them, so they can check if it’s accurate and up to date. They may request deletion of some of that data or even make a challenge [to it].
Adshead: With regard to data subject requests, what is best practice to store data so that organisations can best respond to them?
Gorge: The first thing is really to map out where your data is, map out your own ecosystem, the different silos within the ecosystem and where you may have data pertaining to EU data subjects.
There are different ways you can do that. You can, of course, use the checklists that have been made available by the Information Commissioner’s Office in the UK or the office of the Data Protection Commissioners in Ireland. They will guide you towards mapping your data and trying to find out the data flow.
However, typically, you should probably use data classification tools that allow you to look for data that is covered under GDPR: credit card holder data, banking information, health information.
Then you’ll probably need to use data tagging tools. Remember, if you get a data subject request, you will need to be able to do a search, and unless you have tagged the information, even if you have a classification, you won’t be able to get it in time because the timeframe to go back to the data subject is a matter of weeks.
Then comes the concept of secure storage of data. Under GDPR, as is already the case under the old regime, you need to take appropriate security measures to protect the data, based on the impact that the data might have on the data subject.
It’s very important that you know where the data is, how you protect it at rest and in transit, and even potentially in use. Doing this demonstrates what is known as accountability under GDPR and the regulators have already made clear that they’re going to look at storage of data and access to, and protection of, data.
They also talk of the idea of toxic data, which is data that you don’t need to keep. Why do you need to keep it? You’re essentially augmenting your risk, and you shouldn’t do that.
It remains to be seen how the regulators will actually implement GDPR past 25 May. We know of the fines, we know they’re going to do undertakings, we know they may name and shame. But one thing we do know is that they want you to map your data, to classify your data so that you can, in the end, demonstrate accountability which, either way, regardless of GDPR, is good data management and good data hygiene.