GDPR for Enterprise Organisations

MIke**

Free Member
Jan 22, 2020
Hi All,

I'm new to the forum and wanted to pick your brains and gain some knowledge from you all if possible.

As an introduction - I work for an Enterprise Information Management company which has two arms to the business: professional services and technology. I won't name the company or speak much more about them as I'm not here to plug the company in any way possible. This post is so that I can broaden my knowledge on this topic from a real life practical perspective...i.e. from you guys...

So my questions to you all are these:

Being new to the Information Management industry, I understand the context of how it's used, the value and also how technology can also play a huge role in assisting with GDPR. BUT from an enterprise organisation perspective I wanted to understand why organisations have not widely adopted the use of technology to really assist and mitigate risk. From my limited experience, it seems that organisations have been taking a people, process and policies approach, i.e. training/educating people and updating policies/processes to comply with GDPR - does this resonate with your organisations? Has this approach worked? Why haven't you, and what's preventing you from implementing technology to really solve this issue?

Also, for enterprise organisations - what are the major Information Management issues that people face? I'm fully aware that this answer is all dependent on the role you play within the organisation, i.e. your challenges are different if you are the CDO, CIO or even CISO etc. etc...so what are your main challenges and in an ideal world what would you like a technology platform to solve? In all likelihood you have software in place, but if you could click your fingers and have added functionality in an instant...what would that be?

I understand that this is a fairly long post, especially for a first post, but I would really appreciate hearing your view on this and understanding things from a totally different perspective.

Mike.
Hi Mike,

I think you are right that many organisations have taken a policies/procedures/training point of view but I think that is due to a lack of expertise, either by themselves, or by the advisors that helped them. Unless you can really understand the technologies behind the business and how they can be adapted/integrated/used, you don't see the obvious benefits of a technical solution as part of the overall compliance program.

At Xynics we are Data Specialists with knowledge and experience in Data Integration, Data Processing and Business Intelligence, so we can often advise our clients how a technological solution can help with their GDPR compliance in addition to the policies, procedures, training and support we offer.

The biggest challenge I see is software trying to shoe-horn businesses into a box, but no two businesses work the same, so quite often, the reason the software doesn't work is not because of a lack of functionality, just how that business uses it.

mattk

Free Member
Dec 5, 2005
Swindon
I'd be fascinated to know what technology solutions you are aware of for GDPR purposes.

For example, the use of production data in non-production environments was commonplace before GDPR, but very rare today. In my experience, most organisations have rolled their own solution for data scrambling/masking. Two reasons for this: firstly there is no COTS that does this reliably and secondly, companies have many different systems which hold GDPR data.
I think it depends what data you need to test. When we've been undertaking testing on CRM solutions we've built, we've used random addresses from PAF and random Forename/Surname generation so the resultant data is "real" but also is not the actual people at those addresses.
We've done similar for email addresses and phone numbers, just SQL scripts.

Given that it's been law since the mid 90's that people shouldn't have access to data they don't need for their job, I don't see how GDPR changed this.

Arguably (and with the proper Legitimate Interest Assessment), if a test system is not public network facing, it could be in the interests of the business, and the individuals to ensure your systems work as they would expect them to, to use production data, providing that it's only there temporarily and it isn't used for anything other than the testing. I've seen Privacy Policies that list system testing as a valid use of personal data.

As per my reply above, it seems that people without the proper knowledge of how to apply the law have advised people poorly. I wouldn't say incorrectly, they just haven't the experience to apply it logically.
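The masking approach described in the two posts above (replace real names, addresses, emails and phone numbers with generated but realistic-looking values, rather than copy production data into a test system) can be done with a small script. The following is an added example, not code from either poster or their companies: it masks a few constructed records with a keyed HMAC so that the same real value always maps to the same fake value (which keeps joins between tables intact) while the mapping cannot be reversed without the key. The name pools, the `test.invalid` domain and the sample rows are assumptions standing in for a PAF or name list.

```python
import hashlib
import hmac

# Constructed sample "production" rows; not real people. Rows 1 and 3 are the
# same person, which lets us check that masking stays consistent across rows.
PRODUCTION_ROWS = [
    {"id": 1, "forename": "Alice", "surname": "Smith",
     "email": "alice.smith@example.com", "phone": "+44 7700 900123"},
    {"id": 2, "forename": "Bob", "surname": "Jones",
     "email": "bob.jones@example.org", "phone": "01793 123456"},
    {"id": 3, "forename": "Alice", "surname": "Smith",
     "email": "alice.smith@example.com", "phone": "+44 7700 900123"},
]

# Small constructed pools; in practice these would come from a licensed
# address file / name list (assumption).
FORENAMES = ["Olivia", "Noah", "Amelia", "George", "Isla", "Oliver"]
SURNAMES = ["Taylor", "Brown", "Wilson", "Evans", "Thomas", "Roberts"]

# The masking key must live outside the test environment; a fixed value is
# used here only so the example runs offline.
KEY = b"constructed-masking-key-keep-out-of-test-env"


def _digest(key: bytes, field: str, value: str) -> bytes:
    """Keyed, deterministic digest of one field value (same input -> same output)."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()


def _pick(key: bytes, field: str, value: str, pool: list) -> str:
    """Choose a pool entry from the digest, so the choice is stable per real value."""
    index = int.from_bytes(_digest(key, field, value)[:4], "big") % len(pool)
    return pool[index]


def mask_phone(key: bytes, phone: str) -> str:
    """Keep layout (spaces, '+') and the first two digits (country/trunk code);
    replace the remaining digits with digits derived from the digest."""
    stream = (b % 10 for b in _digest(key, "phone", phone))
    out, seen = [], 0
    for ch in phone:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= 2 else str(next(stream)))
        else:
            out.append(ch)
    return "".join(out)


def mask_row(key: bytes, row: dict) -> dict:
    """Return a masked copy of one record; the primary key is left untouched."""
    forename = _pick(key, "forename", row["forename"], FORENAMES)
    surname = _pick(key, "surname", row["surname"], SURNAMES)
    return {
        "id": row["id"],
        "forename": forename,
        "surname": surname,
        # Rebuilt from the fake name on a reserved, undeliverable domain.
        "email": f"{forename}.{surname}@test.invalid".lower(),
        "phone": mask_phone(key, row["phone"]),
    }


def mask_rows(key: bytes, rows: list) -> list:
    return [mask_row(key, r) for r in rows]


def leaks_original(rows: list, masked: list) -> bool:
    """Check that no real name or email from the source survives in the output."""
    originals = {r["email"] for r in rows} | {r["forename"] for r in rows} | {r["surname"] for r in rows}
    for m in masked:
        if {m["email"], m["forename"], m["surname"]} & originals:
            return True
    return False


if __name__ == "__main__":
    for r in mask_rows(KEY, PRODUCTION_ROWS):
        print(r)
```

Because the mapping is keyed and deterministic, a person who appears in the CRM table and again in the orders table masks to the same fake identity in both, so test joins still work; rotating the key produces an entirely new, unrelated test set.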

MIke**

Free Member
Jan 22, 2020
Appreciate your reply and totally agree with you that often it can come down to a lack of expertise, but also the fact that the technical solution often seems like such a HUGE task for enterprise organisations to actually take on, i.e. the resource and time taken to implement and integrate technology within their current tech stack can take a significant amount of time and money. I guess the main takeaway from your points would be that technology that is specific for data privacy and security needs to be very flexible in terms of how it integrates into current infrastructure.

Great question, but I would rather not mention the company I work for, which actually is a fantastic software solution. As I mentioned in my first post, I am honestly not trying to plug the company I am working for - joining this forum and making this post is (full transparency) only for selfish reasons. I want to educate myself on the challenges in this industry from people that are actually in this position so that I gain a better all-round knowledge, which in turn helps me become better at my role as I will have more understanding from different views. But to elaborate on the points you raised - these solutions that organisations have rolled out themselves only do a small aspect of what the software really should be doing. People that developed and introduced processes from May 2018 made a great start, but the main concern is what have they done and how have they dealt with all this legacy data that they have; quite often they have no idea whatsoever where all this information is, and the scary part is that they don't really know who has access to this information. In an ideal world, the right technology needs to be able to connect with all your sources of information, no matter how many network drives it's spread across or wherever they may be stored, and to be able to classify and secure data and limit access. Software like this does exist and it also has so much more functionality. We can speak in more detail if you would like, over a PM or via this thread.
I'm happy to have a conversation offline, but probably easier over the phone to be fair.

From what I've seen, businesses do have multiple systems (website, CRM, marketing systems, warehousing, HR, payroll, accounting) which often don't "talk" to each other.
We tend to recommend a central "Data Warehouse" or other database like their CRM, and using tools like StitchData, SQL Server Integration Services or other ETL/sync tools to bring all the business data together in one central location.

This has the benefit of allowing every source to be locked down as tight as possible to comply with GDPR, but also there is one controllable source of all information to comply with Subject Requests etc. It also serves as a central Business Intelligence and Reporting source business wide and can also be permissioned as needed for business users to use.

The largest single challenge we've seen is where companies share data with other parties, and ensuring they're all updated if information changes or the individual objects to processing. The centralised solution helps here as it records all activity from all over the business. Far easier to find information if it's all in one repository rather than spread all over the business.

mattk

Free Member
Dec 5, 2005
Swindon
MIke** said:
Appreciate your reply and totally agree with you that often it can come down to a lack of expertise, but also the fact that the technical solution often seems like such a HUGE task for enterprise organisations to actually take on, i.e. the resource and time taken to implement and integrate technology within their current tech stack can take a significant amount of time and money. I guess the main takeaway from your points would be that technology that is specific for data privacy and security needs to be very flexible in terms of how it integrates into current infrastructure.

The company I was working with looked at several areas when it came to implementing GDPR: encryption at rest, encryption in transit, access controls, Subject Access Requests, data deletion/Right to be Forgotten and data for non-production environments.

The domain that I was looking at, HR, consisted of about 30 different systems which were a mix of SaaS and on-prem and included SQL Server and Oracle databases, Windows and Red Hat Linux operating systems.

Therefore unless there is a commercial off-the-shelf solution which could meet the quite distinct capabilities above and across a multitude of different databases and operating systems I don't think it would add any value.

In turn, enterprises now have all their systems up to a level that they consider sufficient for GDPR and they know what any new system that they look to implement into their landscape needs to be capable of: encrypted databases, encrypted interfaces, well-defined access controls, the ability to pull all the data out for a single data subject, the ability to delete data after a given time and for a given subject and the ability to provide some kind of test dataset for non-production environments.

Therefore I think this is the reason why companies are not looking for a technology solution to GDPR and instead choose a piecemeal approach.
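Three of the capabilities listed above (pulling all the data out for a single data subject, deleting data for a given subject, and deleting data after a given time) come down to how the data is modelled: if every table that holds personal data carries a subject key, a Subject Access Request is a set of lookups on that key and erasure is a cascading delete. The following is an added example, not code from either poster or their employers: it builds a constructed three-table SQLite database (an assumption standing in for the central repository discussed earlier in the thread) and implements export, erasure and time-based purge over it.

```python
import sqlite3
from datetime import date

# Every table holding personal data references subject(id) with ON DELETE
# CASCADE, so one delete on the parent removes the person everywhere.
SCHEMA = """
CREATE TABLE subject (
    id    INTEGER PRIMARY KEY,
    name  TEXT NOT NULL,
    email TEXT NOT NULL
);
CREATE TABLE orders (
    id         INTEGER PRIMARY KEY,
    subject_id INTEGER NOT NULL REFERENCES subject(id) ON DELETE CASCADE,
    created    TEXT NOT NULL,   -- ISO-8601 date, so string comparison orders correctly
    amount     REAL NOT NULL
);
CREATE TABLE consent (
    subject_id INTEGER NOT NULL REFERENCES subject(id) ON DELETE CASCADE,
    purpose    TEXT NOT NULL,
    granted    INTEGER NOT NULL
);
"""

# Tables that hang off a subject; fixed here, never taken from user input.
CHILD_TABLES = ("orders", "consent")


def build_db() -> sqlite3.Connection:
    """In-memory database loaded with constructed sample rows (not real people)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")  # cascades only fire when this is on
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO subject VALUES (?, ?, ?)", [
            (1, "Alice Example", "alice@example.com"),
            (2, "Bob Example", "bob@example.com"),
        ])
        conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
            (10, 1, "2016-03-01", 20.0),
            (11, 1, "2019-11-15", 35.5),
            (12, 2, "2019-12-01", 12.0),
        ])
        conn.executemany("INSERT INTO consent VALUES (?, ?, ?)", [
            (1, "marketing", 1),
            (2, "marketing", 0),
        ])
    return conn


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def export_subject(conn: sqlite3.Connection, subject_id: int) -> dict:
    """Subject Access Request: every row held about one person, grouped by table."""
    out = {"subject": [dict(r) for r in conn.execute(
        "SELECT * FROM subject WHERE id = ?", (subject_id,))]}
    for table in CHILD_TABLES:
        out[table] = [dict(r) for r in conn.execute(
            f"SELECT * FROM {table} WHERE subject_id = ?", (subject_id,))]
    return out


def erase_subject(conn: sqlite3.Connection, subject_id: int) -> dict:
    """Right to erasure: delete the parent row and let the cascade remove the
    rest. Returns the number of rows removed from each table."""
    tables = ("subject",) + CHILD_TABLES
    before = {t: count_rows(conn, t) for t in tables}
    with conn:
        conn.execute("DELETE FROM subject WHERE id = ?", (subject_id,))
    return {t: before[t] - count_rows(conn, t) for t in tables}


def purge_orders_before(conn: sqlite3.Connection, cutoff: date) -> int:
    """Retention rule: drop order records created before the cutoff date."""
    with conn:
        cur = conn.execute("DELETE FROM orders WHERE created < ?", (cutoff.isoformat(),))
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print(export_subject(db, 1))
    print(purge_orders_before(db, date(2018, 5, 25)), "old order(s) purged")
    print(erase_subject(db, 1))
```

The point of the cascade is that erasure cannot silently miss a table: adding a new table that holds personal data means adding a `subject_id` foreign key, and the delete then covers it without any change to the erasure routine. The export function does still need the table list, which is why `CHILD_TABLES` is kept next to the schema.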