[BreachExchange] Achieving GDPR Compliance with Information Governance

[Audrey McNeil]

http://www.dbta.com/Editorial/News-Flashes/Achieving-GDPR-
Compliance-with-Information-Governance-124505.aspx


With the General Data Protection Regulation (GDPR) deadline quickly
approaching in May, many organizations are scrambling to get their customer
information systems in order to meet the requirements. Any company that
collects and processes the personal data of European citizens and residents
– whether names, IP addresses, photos, videos, health and biometric info,
and other types of data – will be impacted.

As specific measures for the storage and treatment of personal customer
data are subject to GDPR regulations, compliance requires a strong
information governance foundation among global enterprises. This ensures
that they can identify where personal data exists in their systems and
assess how to mitigate the associated risks. It also allows companies to
leverage the power of their data beyond GDPR compliance requirements and
transform data into a valuable and ongoing corporate asset.

An effective information governance strategy includes setting, managing and
enforcing data related policies and processes – essentially how a business
collects and uses data. To set themselves up for sustained GDPR compliance,
enterprises can implement key best practices for executing a fool-proof
information governance strategy to protect sensitive personal data and
maintain compliance with all GDPR articles.

TAKE STOCK OF YOUR DATA

Adhering to GDPR compliance requires that organizations have a clear
understanding of where their customer and personal data resides and what it
contains. For examples of specific regulations, organizations must adhere
to GDPR principles relating to personal data processing (Article 5), ensure
right of access by the data subject (Article 15), act on subjects’ right to
erasure or right to be “forgotten” (Article 17), and properly process
personal data requests (Articles 29 and 32). They must also notify any
personal data breaches to a supervisory authority (Article 33) and
communicate any personal data breaches to the data subject (Article 34).

To meet these requirements and begin establishing an effective information
governance initiative for GDPR compliance and beyond, enterprises should
first take an inventory of all customer data and determine the state of it.
This can present a major challenge – particularly with customer information
- because data is literally everywhere. It may be structured or
unstructured and located across multiple cloud and on-premise IT systems. A
proper and exhaustive assessment of data systems will be needed and can be
accomplished with the help of technology.

CENTRALIZE INFORMATION GOVERNANCE PROCESSES

Once organizations have a clear picture of what customer data exists and
where it is stored and located, they should take stock of how it is being
used. Often times, organizations have been collecting customer data for
years but have not determined the exact purpose or use for it. With the
introduction of GDPR, they must now declare the data’s intent and be able
to remove it if needed (Article 17). Control over a person’s data is
shifting back into the individual’s control, and businesses must establish
a centralized way of handling these requests quickly.

A centralized information governance initiative can also help ensure that
customer data will be handled in a lawful manner for the long term (Article
32 – Security of Processing). This strategy validates the location of
specific customer data as well as establishes standardized policies around
obtaining proper agreements and consents from customer. This includes
developing a customer notification system and ensuring proper
bi-directional communication with individuals based on their preferences.
Transparent communication around customer data is paramount.

Besides establishing these data-centric policies, companies should take the
time to educate their staff on proper execution with automation and with a
proper methodology for compliance. An enterprise’s Data Protection Officer
and key data stewards should be able to centrally manage all information
governance policies and track remediation measures for any breaches. Once a
breach is detected, organizations will now have 72 hours to notify the
customer of the breach (Article 34), so having the ability to automatically
recognize the breach and report it properly (Article 33), identify the
exact source/location of the data, and determine the proper reconciliation
steps will be vital.

ESTABLISH DATA QUALITY FROM THE START

Another key success element for GDPR compliance is establishing data
quality from the get-go, including confirming that all customer data is
accurate and up-to-date. A common problem is that customer name variations
can cause duplicate data records. For example, a customer named Bill Wilson
appears this way in one record but in another may appear as William Wilson
or even a variation of either one along with a middle initial. While this
may seem trivial, if the individual has requested to have their data
removed via GDPR regulations, the company may inadvertently be keeping
unlawful personal data if they only delete the data from one of the three
customer records. In this case, they would be considered non-compliant and
subject to heavy penalties.

Most organizations have adopted practices for collecting customer records
for years, but with the new GDPR regulations, they are now being held
accountable for how they store and use that data as it pertains to European
citizens. Fortunately, an information governance initiative can help them
streamline data collection, usage and deletion policies to align with
regulations, as well as establish centralized protocols for handling
breaches. A key added benefit of getting customer data right for GDPR
purposes is that companies can apply the same data quality rigor and
policies to other areas of the business – helping them achieve compliance
for other types of industry regulations and achieve better business
results. They can also utilize their information governance programs to
increase overall growth and efficiency, as well as create new opportunities
for competitive advantage.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180420/d8e6a1d0/attachment.html>