GDPR came into force in May this year. Now what? Colin Tankard from Digital Pathways takes a look.
So, the General Data Protection Regulation (GDPR) has been introduced and city leaders are happy, knowing their IT people have instigated the right policy statements and that they have adhered to the regulations. But just how happy should they be?
What happens, for example, when someone submits a Subject Access Request (SAR)? The policy may be there, but are the systems in place to locate the data required to respond to an SAR, and has it been properly secured in the first place?
While much of the GDPR is about process, some elements can only be enabled and made manageable or cost-effective with technology. The challenge for city leaders, therefore, is to ensure that systems are in place that will find the data and protect it – not only from potential data breaches but also from incorrect handling by individuals.
GDPR provides citizens with the right to access, rectify, erase or restrict their personal data. Search is core to any technology implemented to support compliance with the regulation. Currently, many organisations will struggle to comply within the stipulated 30-day SAR window, and will breach the rules.
There is a particular risk within smart buildings due to their multitude of different systems. These include scanning of documents such as passports and other forms of ID for the issuing of ID tags, etc.; CCTV and facial recognition, used to scan people in public areas; and legacy facilities management systems which log users’ activities within the building, such as movements or secure room access.
There is a particular risk within smart buildings due to their multitude of different systems.
These systems use multiple file formats such as image, skin tone mapping or even proprietary file formats, especially on older systems. Therefore, scanning emails, Word or PDF documents and picture files – all of which could be in backup vaults as well, which is complex in itself – becomes a major task.
To search all this varied data, in a timeframe that allows a review period before sending to the SAR requester, is no mean feat. The system needs to be able to read all formats; use OCR (optical character recognition) when required; check for duplicates; redact information that is not related to the SAR request (other user identifiers); and produce an audit to use as evidence of the range of the search if an SAR is disputed – i.e. if all of the information anticipated can’t be delivered, some form of proof will be required to demonstrate the scope of the search.
This is not something one can do using Windows Explorer!
However, there is an upside. GDPR will enforce new governance-ready strategies that will not only streamline data handling but also recoup costs through the more intelligent management of data and the optimisation of the data storage footprint across the city.
All sensitive data needs to be identified, moved to a secure location, classified and protected. Technology can help by sorting data into manageable groups, provide comprehensive search to find personal data, manage the disposition of the content, implement automation to ensure an auditable workflow, and secure and protect sensitive data – thus ensuring it does not fall into the wrong hands.
Executing a data discovery project such as this can also mean a saving of up to 40% in storage capacity, resulting in a significant reduction in data centre or third-party storage expenses.
Once discovered, personal data needs to be managed according to the data owner’s request. Deleting, migrating, archiving, restricting and correcting content will become the new normal going forward.
Any sensitive data that is no longer needed on the primary storage network, but must be maintained for long-term retention requirements, should be moved to an archive which can be easily managed and will ensure sensitive data is not left unprotected on the network. Retention policies can be defined, and compliance teams can easily search and manage the content.
Protection of personal data against rogue employees and data breaches is a core aspect of GDPR. Indexing file properties, including activity logs, who has accessed what, and permissions for specific files, facilitates a proactive approach to data protection.
City Data Protection Officers will need to depend on these tools to understand how data is protected, while refining and improving upon processes based on the data management logs and activity. Without an integrated approach there will be too many aspects to the workflow and too many areas that can fail when managing significant volumes of personal data.
Discovering data is always a huge task, often resulting in further work. Using an integrated approach to discovering, classifying and protecting the data, based on automated tools, can greatly reduce the workload and streamline the process, allowing for the final decisions on what to do with the data to be opened to a wider audience, relieving the burden from city IT departments.
Even if we put GDPR to one side, knowing what data is held, where it is and who uses it is key to good data management. Without it, data storage will simply grow and grow, cluttering the network and costing vast amounts in storage solutions. Worse still, it could mean data being held in multiple silos to keep costs down and some data inevitably being lost.
GDPR is not an issue that will simply come to an end. It requires constant monitoring and adjustments. Perhaps that ‘happy feeling’ will need to wait a while yet.