A Four-Step Process to maintaining GDPR compliance by Infinity CCS
With GDPR now in force, remaining compliant now becomes the priority.
As of last week the DMA estimated that 27% of UK marketers thought their organisation was either behind schedule or had made no plans at all for GDPR compliance.
It’s clear that even beyond the May 25th deadline this is going to be an ongoing concern for marketing, customer experience, and contact centre professionals for years to come.
So what really is the basic minimum an organisation needs to do to become compliant? And then how does it maintain that without overly sapping scarce resources?
From our experience, getting GDPR ready means answering four tricky questions:
– How can I identify then catalogue all the personal and sensitive customer data that I hold across multiple structured, semi-structured and unstructured data sources throughout my IT infrastructure?
– How can I create a single view of all this information to easily identify all data belonging to any particular data subject?
– How do I maintain readiness as we are now post May 25th to respond in a timely manner to all GDPR-related requests from data subjects?
If these challenges remain unsolved then GDPR compliance will be complicated by the need to manually locate data and the constant repetition of effort as staff have to perform searches and collate data from multiple source systems for every GDPR request received.
We have identified a four-step solution that can be put in place relatively quickly and painlessly by any size of organisation.
Data Discovery
The first step is to find out exactly what personal and sensitive data is held and where exactly that data can be found.
This information is found in structured databases, semi-structured XML files, unstructured file systems on individual workstations, cloud-based file systems – you name it, you need to check if there is personal or sensitive data in those systems.
Using deep-dive data mining the location, type, and volume of all personal and sensitive data can be discovered. This search should encompass anywhere that customer information might reside, from your operational systems to customer testimonials to marketing mailing lists to email inboxes to customer complaints and everything in between.
Data discovery software can take all this information and search against it simultaneously, instantly finding and collating everything from siloed data sources.
Cataloguing and Tagging
A clear information tagging strategy is needed to get a clear picture of all the information a company owns and to understand to which data subject each item belongs.
Without some sort of automatic metadata tagging process it is going to take a lot of effort to understand – for example – where you keep IP addresses, who owns the IP address, what you’re using them for, and what the legal basis for processing them is.
Modern data discovery software includes comprehensive metadata cataloguing to help identify what data is held where, why, by whom, and for what reason. Smart business rules and regular expressions can extract structure from unstructured and semi-structured data sources, to help automatically build a ‘big picture’ of personal and sensitive metadata.
So instead of just finding out whose data is held where, you can now find out what types of data are held where.
Creating a Single Data View
Assuming you are not moving all your data into a single central repository – which is probably very difficult for most companies to do – what we are talking about is creating an indexed copy of all your data.
This ‘clipboard’ of the data we discovered in step 1 and then catalogued in step 2 gives you a single view of all your customer data, wherever it is held across your IT infrastructure.
By storing all the files in a unified ‘index’ format the challenges posed by joining different data from different file types and different data sources is easily overcome.
What you now have is a portal for accessing all your data about any individual customer. This central repository should be kept up to date by regularly running the discovery and cataloguing processes on newly acquired data.
Once the audit process has been completed and the organisation’s data is compliant, this inventory continues to refresh and stay up-to-date. This provides a central ‘living’ information management platform that helps maintain ongoing compliance and provides additional value to help users respond to data subject rights and manage data breaches in an efficient and automated manner.
Maintaining Compliance
Ongoing GDPR compliance is achieved by following the new standards for storing and using customers’ personal and sensitive data, and by responding in a timely manner to requests from data subjects.
GDPR establishes lots of rights for individuals – the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
To respond to these requests from data subjects, your staff can now trawl through the data without having to log into multiple systems and searching through multiple databases, each of which likely uses a different search method or method of cataloguing.
It also provides a powerful resource for maintaining information security and establishing what data is being processed, whose data it is, why it is being processed and by whom.
Additional Information
For more information on GDPR and Single Customer View, download Infinity CCS’s new e-Guide Click Here
For additional information on Infinity CCS visit their Website