This is the second in our series of articles on GDPR. Check our previous article here on GDPR Data Inventory, Data Processing and Right To Be Forgotten.
"Our Information Security is designed to prevent customer data downloads, now they want me to automate downloading it!" the IT architect said with bewilderment.
50 years ago, doctors and dentists were recommending smoking. Of course, we now know that it was bad advice, and society has done an about-face. In this post, let us take a look at some GDPR principles that may be perceived as an 'about-face' to the tenets of traditional Information Security and Policies.
Again, roll with us here. The way we have structured these articles, "David" stands for the little but very powerful things that can go a long way. "Goliath" is for the seemingly more difficult, messier and larger issues. And... surprise surprise... David and Goliath play in the same team. Together, they vanquish that big bad enemy of non-compliance with GDPR! Oh, and if it wasn't already evident, we truly believe that the enemy is non-compliance with GDPR. We believe that GDPR itself is a great friend for the responsible corporations of this world.
Data Minimization
As it says on the tin, use only as much data as needed to accomplish a specific task. Also, no double dipping: data collected for a given purpose cannot be re-used for another purpose without additional consent.
The idea is to have reasonability of purpose and not treat personal data as a 'free for all' commodity.
David: Change the business processes that gather additional personal data attributes, such as lead lists. For example, if you have marketing emails going to leads, consider removing all other elements that have no clearly defined purpose. Also, do away with any unnecessary data enrichment. These changes may sound harder than they actually are.
Here is a thought-provoking article that applies to enterprises and startups alike.
Goliath: Technology solutions are designed to maximize data retention and actively prevent data deletion, so minimization and deletion run counter to their inherent architecture. Modifying business rules to remove required fields, particularly for unstructured data managed by code (mainframe flat files), and changing data aggregation / integration are hard problems to solve. These may take longer than planned.
Storage Limitation and Data Retention
Continuing with the theme of reasonability of purpose, retention is another important principle. Store personal data only for a legitimate duration and destroy it once its purpose is attained. Keeping data because you can and wearing bell-bottoms are both out of fashion and dangerous. Trust me, those flares can get stuck in escalators, leaving you exposed!
Personal data without purpose and consent is a corporate liability, an accident waiting to happen, a ticking time bomb, if you will.
David: Automating data expiration, deletion or de-identification/obfuscation is one of the simplest steps for most modern systems. Run a batch job, a scheduler or whatever your systems support and just get it done. For example, automate removal of ex-customers' data once the contractual and legal obligations are done.
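To make the "batch job" concrete, here is an added example (not code from the original article or from PlumCloud Labs) of a nightly retention job. It walks a set of customer records and, once an ex-customer's contract end date plus an assumed retention window has passed, replaces the identifying fields with nothing and the customer id with a keyed pseudonym, so that aggregate statistics still work but no personal data remains. It also returns an audit trail of what it did, which is what you will want when asked to evidence the policy. The field names, the two-year retention window and the sample records are all constructed assumptions; the window in particular is a placeholder, not a statement of what any law requires.

```python
"""Constructed example of a retention job: de-identify ex-customer records
once their retention window has elapsed. All names, dates and the retention
period are assumptions for illustration, not values from the article."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
from typing import List, Optional, Tuple

# Assumed retention window after contract end (placeholder, not legal advice)
RETENTION_DAYS = 365 * 2


@dataclass
class Customer:
    customer_id: str
    name: Optional[str]
    email: Optional[str]
    phone: Optional[str]
    country: str                    # non-identifying, kept for aggregates
    contract_end: Optional[date]    # None while the contract is still active


def pseudonym(customer_id: str, salt: bytes) -> str:
    """Stable keyed pseudonym: the same id always maps to the same token, so
    de-identified rows can still be counted or joined. The salt must be stored
    apart from the data; without it the token cannot be reversed to an id."""
    return hashlib.sha256(salt + customer_id.encode()).hexdigest()[:16]


def is_expired(c: Customer, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    """True only for ex-customers whose retention window has fully elapsed."""
    if c.contract_end is None:      # active contract: purpose still exists
        return False
    return today > c.contract_end + timedelta(days=retention_days)


def de_identify(c: Customer, salt: bytes) -> Customer:
    """Strip the personal data fields; keep only what aggregates need."""
    return Customer(
        customer_id=pseudonym(c.customer_id, salt),
        name=None, email=None, phone=None,
        country=c.country, contract_end=c.contract_end,
    )


def run_retention_job(
    records: List[Customer], today: date, salt: bytes,
    retention_days: int = RETENTION_DAYS,
) -> Tuple[List[Customer], List[Tuple[str, str]]]:
    """Apply the policy to every record. Returns the surviving records and an
    audit log of (pseudonym, action) pairs; the log deliberately carries the
    pseudonym rather than the original id so the log itself holds no PII."""
    kept, audit = [], []
    for c in records:
        token = pseudonym(c.customer_id, salt)
        if is_expired(c, today, retention_days):
            kept.append(de_identify(c, salt))
            audit.append((token, "de-identified"))
        else:
            kept.append(c)
            audit.append((token, "retained"))
    return kept, audit


# Constructed sample data: one long-gone ex-customer, one recent ex-customer
# still inside the window, and one active customer.
SAMPLE_RECORDS = [
    Customer("C-001", "Ann Example", "ann@example.com", "+1-555-0100", "DE", date(2015, 1, 1)),
    Customer("C-002", "Bob Example", "bob@example.com", "+1-555-0101", "FR", date(2017, 1, 1)),
    Customer("C-003", "Cy Example", "cy@example.com", "+1-555-0102", "NL", None),
]

if __name__ == "__main__":
    survivors, log = run_retention_job(SAMPLE_RECORDS, date(2018, 6, 1), b"constructed-salt")
    for entry in log:
        print(entry)
    for row in survivors:
        print(row)
```

The job is idempotent: running it again on its own output changes nothing, because de-identified rows have no PII left to strip and the pseudonym of a pseudonym is simply a new token for a row that already holds none. In a real deployment the salt belongs in a secrets store and the audit log in write-once storage, and the "delete" variant of the policy is the same loop with the expired branch dropping the row instead of pseudonymizing it.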
Documents on this website are free for reuse as templates to model retention policies.
Goliath: It is the four-letter 'D' word 'Data', as in D-Warehouses, D-Marts, D-Lakes, D-Backups and D-Archives, as well as other miscellaneous information such as emails, social media messages, photos, videos, IP addresses, and device and sensor data. These can be harder problems to solve. Start by being transparent up front with the data subjects about these stores if deleting from them will take longer.
For Salesforce, you can use Compliance Cloud to de-identify records directly, or via automation such as Process Builder/Scheduled Jobs (coming soon in our next release).
Data Portability
Clearly, as the name says... Gimme my data! And in a format that is usable with other providers. Few other GDPR principles are as controversial for businesses as this one because, at a glance, it makes customer churn easier. However, data portability is a big win for consumers and a boon for customer-centric companies.
Fixing the root cause that prompts customers to ask for their data can make portability an on-ramp, instead of an easier churn.
David: Standard business apps that can run reports and extract data as .csv or .pdf files can make some part of customer data portability easy. Combine that with specific guidance on sensitive data, such as here, and you have a great way to give customers another reason to consider staying. Portability standards such as Google's and the UK's Midata are worth looking at and implementing for data portability.
This article from EFF is a good read for more on Data Portability.
Goliath: Perhaps the biggest challenge for portability is being able to bring it all together, especially if you are not a social networking giant. Customer data is scattered across enterprise systems, and portability often runs into trouble when you consider unstructured data (again). Consider implementing third-party systems that facilitate portability, but plan for grey areas, especially where the information was shared with more than one data subject.
tl;dr: Some of GDPR's well-intentioned principles run counter to the way systems have been designed. Expect technical and business challenges in meeting these requirements. However, your organization can turn GDPR implementation to its advantage and offer a superior customer experience by embracing a transparent communication strategy.
PlumCloud Labs is engaged in the GDPR space. Contact me (nishit@plumcloudlabs.com) if you have any questions or are interested in discussing this some more.
Also, GDPR is an incredibly large topic and we have barely scratched the surface here. More to follow in the next set of articles in this series. Meanwhile, please share your thoughts on what we've covered here and on other GDPR-related topics you would like to hear more about.