Its a common thread for us at Fort Privacy when we open our conversation about data protection and getting prepared for GDPR. People tell us they are surprised ( and often appalled!) at what they find when they start examining their data in detail.
- Finding documents such as old job applications or CVs that date back 20 or 30 years. I can't imagine a 30 year-old-CV that contains anything of relevance to what the same candidate is capable of offering today, can you?
- Finding inappropriate comments on documents. Personal observations about a customers personal grooming standards or appearance believe it or not does pop-up in unexpected places!
- Finding information that they didn't realise they collected. "Hey, we collect our customers' car registration numbers when they stay overnight. Do we ever do anything with those?"
Some of the stories are entertaining, in a creepy sort of way! Pretty much everyone spots the obvious problems with keeping data too long, keeping inappropriate data or keeping unexpected data. The risk of non-compliance with data protection law looms large. The embarrassment factor of having to share a 30-year-old CV that includes some inappropriate interview observations in the event of receiving a subject access request looms larger!
The less obvious problems may not present themselves immediately. What kind of unnecessary costs does the business carry when it is storing, curating and securing data that is out of date? What additional business risks are being created when personal data collected by the business is not well governed - both in terms of what is collected and what is retained by the business? What if the business is collecting data that it has no legal grounds to collect and therefore is operating illegally?
These conversations have lead us to our lightbulb moment - that it's not possible to be fully compliant with GDPR without first building a complete picture of the data that you collect across your entire business.
Our solution is to build a data catalogue.
A data catalogue answers some important questions about the personal data that you process across its lifecycle. It's more than a data discovery exercise because it asks questions that are necessary not just for securing your data but also for ensuring processing complies with data protection regulation.
Data Discovery tells you broadly what data you collect and where you store it. A data catalogue will tell you what data you collect, how you collect it, what your legal basis for processing it is, who you share it with and how long you retain it.
We are convinced that this is the stepping off point for everything else you will do to get to GDPR compliance.
- Your data protection policies will be built on the solid foundation of the full picture of your data processing activities.
- Your Technical and Organisational Measures(TOMS) will be directly relevant to the real data that you process.
- Data classification, data categorisation, data retention, data destruction, data audits - the success of these activities depend on you having an accurate picture of your data in the first place.
- You can only implement efficient processes for dealing with subject access requests once you know what personal data you collect.
So our advice is if you want to get a surprise free journey to GDPR compliance - build yourselves a data catalogue. Or better still call in the experts and have Fort Privacy build you one!