Have you been mandated to “do something about GDPR?” It seems like everyone is jumping on the GDPR (General Data Protection Regulation) bandwagon lately. It has happened before in our market and, really, it happens all the time. GDPR is the latest example in a long line of “shiny objects,” the buzzworthy trends that capture market attention.
A new thing arrives, everyone jumps on it, and it becomes impossible to understand what the market is actually saying. As a relative newcomer to marketing, the first time I saw this happen was around BIG DATA. Suddenly, everyone (apparently) needed BIG DATA. More than half of my calls included some throw-away BIG DATA question and, years on, I’m convinced that the term was unhelpful by any practical measure. I’d offer that the current “Internet of Things” trend is heading the same way (if it’s not there already). Now GDPR is showing many of the same hallmarks, with many vendors offering their version of a “solution.”
This creates a wave of vendors that feel compelled to have a GDPR message. After all, their competitors do. Very quickly, what even constitutes a GDPR solution becomes difficult to discern. With that in mind, we would like to bring some clarity to the picture. At the very least, we’ll try not to further muddy the waters.
We like to consider GDPR compliance, simply, as having four main pieces:
- The first two pieces are about understanding the data you hold. We split this into two because dealing with loose files (unstructured data) is very different from dealing with structured data in business database applications.
- The third piece is about knowing the individuals you hold data about.
- The last is about knowing whether or not those individuals have consented to that data being held for any given use.
The good news is that these pieces really are discrete, in that there are solutions that serve each well. The harder part is understanding how those solutions are joined together. In addition, you can reason about how to get started in each case and consider the value of each.
From our perspective, experience shows that the ability to understand data is a fundamental building block for any information problem. Surprise! GDPR is no different. So a sensible and achievable first step is to understand what types of personal data you hold. This establishes the extent to which you are exposed to a GDPR-type violation. More importantly, it tells you what data you actually hold rather than what you “think” you hold. This part is really important, since regulations like this come about precisely because such data tends to be very poorly controlled. That means you will almost certainly hold poorly controlled personal data, even if you think you don’t. Across hundreds of customers, we have been consistently surprised by the gap here.
For business databases and applications (the structured data), a top-down audit of schemas and applications can effectively reveal the extent of data held. For unstructured data, this process is much harder. Repositories such as file shares, cloud stores, file sync services, SharePoint and Google Drive all have potential exposure, and it’s impossible to discover the extent using a top-down approach, because nobody keeps an inventory of what has been copied into them. Solutions like our Content Compliance solution are designed to do this from the bottom up: they read the content itself and can effectively run to ground personal data lying around in these locations.
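To make the bottom-up idea concrete, here is an added illustrative scanner, written for this page and not code from the Content Compliance product: it walks a directory tree the way you would walk a file share or a synced folder, reads each file’s content, and counts matches for a handful of personal-data markers (e-mail addresses, international phone numbers, IPv4 addresses, IBANs). The sample tree it scans is constructed in a temporary directory with fictitious data; the patterns and the size cap are assumptions chosen for the example. The point is the inventory it produces per file and in total, which is what lets you size exposure before planning anything else.

```python
"""Bottom-up discovery of personal data in loose files (illustrative example)."""
import os
import re
import tempfile
from typing import Dict, Tuple

# Detectors for a few common personal-data markers (assumed patterns, not a
# product's rule set). Regexes are a first pass: they over-match (a version
# string looks like an IPv4 address) and under-match (names, postal addresses
# and free text), so treat hits as leads for review, not as a verdict.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}[ \d-]{7,}\d"),  # international "+CC ..." form only
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
}

# Constructed sample tree: fictitious content, laid out like a typical share.
SAMPLE_FILES = {
    "shares/hr/onboarding_2019.csv":
        "name,email,phone\nAlice Example,alice@example.com,+44 20 7946 0958\n",
    "shares/finance/q3_report.txt":
        "Revenue grew 12% in Q3. No customer data included.",
    "shares/sync/Downloads/export.json":
        '{"user": "bob@example.org", "ip": "203.0.113.7"}',
    "shares/hr/notes.txt":
        "Candidate IBAN GB29 NWBK 6016 1331 9268 19 for expenses",
}


def scan_text(text: str) -> Dict[str, int]:
    """Return {category: match_count} for every category with at least one hit."""
    hits = {}
    for name, rx in PATTERNS.items():
        n = sum(1 for _ in rx.finditer(text))
        if n:
            hits[name] = n
    return hits


def scan_directory(root: str, max_bytes: int = 5_000_000) -> Dict[str, Dict[str, int]]:
    """Walk `root` and map each file (relative POSIX path) to its per-category hit counts.

    Files over `max_bytes` are skipped; in practice those are archives or binaries
    that need a real content extractor rather than a plain text read.
    """
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                # errors="ignore" keeps the walk going over non-UTF-8 content.
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: note it separately in a real run
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def summarize(findings: Dict[str, Dict[str, int]]) -> Dict[str, object]:
    """Aggregate the inventory: how many files carry personal data, and totals per category."""
    totals: Dict[str, int] = {}
    for hits in findings.values():
        for category, n in hits.items():
            totals[category] = totals.get(category, 0) + n
    return {"files_with_personal_data": len(findings), "totals": totals}


def write_sample_tree(root: str) -> None:
    """Materialise SAMPLE_FILES under `root` so the scanner exercises real file I/O."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> Tuple[Dict[str, Dict[str, int]], Dict[str, object]]:
    """Build the constructed tree in a temp dir, scan it, and return (findings, summary)."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        findings = scan_directory(root)
        return findings, summarize(findings)


if __name__ == "__main__":
    found, summary = demo()
    for rel_path in sorted(found):
        print(f"{rel_path}: {found[rel_path]}")
    print(summary)
```

Running it lists three of the four files as carrying personal data and reports the totals per category; the finance report, which holds none, is absent from the inventory. Two caveats carry over to any real deployment: pattern matching alone will miss personal data that has no fixed shape, and the same digits can trigger more than one detector, so the counts size the problem rather than settle it.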
With GDPR in mind, you can clearly make preparations for the other pieces of the jigsaw, too. But, frankly, the jury is out as to what will really be needed to establish a notion of individual identity across any given organization, or how to build a reliable picture of consent for each individual. Regardless, our experience remains consistent: you must understand your data before you can even begin thinking about managing it. This can be done cost-effectively today, and it has the real benefit of sizing the extent to which you are exposed. That means you can plan your engagement with the new GDPR regulations armed with facts rather than supposition.