Is GDPR Going to Create More Data Silos?
With the General Data Protection Regulations (GDPR) now in force, it’s worth noting some potential risks to data management going forward. These could in fact lead organisations to duplicate data unnecessarily across their various operations, all in the name of GDPR compliance. Let’s take a closer look…
Understanding the different data you hold
To begin with, it’s important to understand the different types of data an organisation will work with. In a recent article we described three types of personalised datasets. Here’s a reminder, but if you want to read the article in full click here.
- Personalised data – this is where an organisation can see the personal details such as email addresses
- Anonymised data – this is where there is no way to reference data back to a person
- Pseudonymised data – this is a middle ground where the organisation’s people don’t see personal data but can use a key to link back to the individual if they need to. For example, data which just shows a customer account ID number and total spend.
Different departmental needs for the data
Whilst GDPR is strict about requiring a justification for storing data, in many cases departments can provide that justification. For example, the Finance team can justify keeping sales records for up to 7 years, as it is a legal requirement for tax purposes. But that justification doesn’t always apply to other departments. Furthermore, not all departments need access to the same level of data detail in their operations.
For example, a marketing department may only want to analyse buying patterns. For this purpose they could complete their task with anonymised or pseudonymised data. To extract this information from the original (personalised) dataset, however, businesses will invariably create a new database or, worse still, put a copy of the data in a flat file such as an Excel spreadsheet.
A potential ‘silo’ epidemic
As time goes by, the marketing department’s analysis requirements may change. This could lead to more information and keys being added to an anonymised or pseudonymised dataset. The risk is that, as fields accumulate, it becomes easier to identify individuals from the records in this dataset.
On top of this, a file-based system – such as an Excel spreadsheet – presents an increased security risk for the organisation. There could be many copies of the dataset scattered across many drives.
So, you can see how easily (and in an attempt to honour GDPR) silos and silos of duplicate data could start to appear across organisations. These could then evolve to contain more data fields than were originally intended. This will certainly give Data Protection Officers (DPOs) in organisations a real GDPR headache.
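As an added illustration (not from the original article), the following Python shows how a pseudonymised marketing extract like the one described above can be built with a keyed hash, together with a simple check for the re-identification risk just described. The sample records, the linking key and the choice of HMAC-SHA256 as the pseudonym scheme are all constructed assumptions for this example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample of a personalised dataset held by the data controller.
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "dob": "1980-03-04", "spend": 120.50},
    {"email": "bob@example.com",   "postcode": "SW1A 1AA", "dob": "1975-11-20", "spend": 120.50},
    {"email": "carol@example.com", "postcode": "M1 1AE",   "dob": "1980-03-04", "spend": 80.00},
    {"email": "dave@example.com",  "postcode": "M1 1AE",   "dob": "1975-11-20", "spend": 80.00},
]

# Assumed: the linking key is kept by the controller (e.g. in a secrets store) and
# is never stored with the extract. Constructed value for the demo only.
LINK_KEY = b"constructed-demo-key-do-not-ship-with-the-extract"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of the real identifier. The key holder can regenerate it to
    link back to the individual; the recipient of the extract cannot reverse it."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, fields, key=LINK_KEY):
    """Build the departmental extract: a pseudonymous account ID plus only the
    requested analysis fields. The email address itself never leaves the source."""
    return [
        {"account_id": pseudonym(r["email"], key), **{f: r[f] for f in fields}}
        for r in records
    ]


def min_group_size(extract, quasi_identifiers):
    """Smallest number of records sharing the same values on the given columns
    (the k of k-anonymity). k == 1 means some record can be singled out."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in extract)
    return min(groups.values()) if groups else 0


if __name__ == "__main__":
    # The original ask: buying patterns only. Then the fields marketing later adds.
    for fields in (["spend"], ["spend", "postcode"], ["spend", "postcode", "dob"]):
        extract = pseudonymise(CUSTOMERS, fields)
        print(fields, "-> k =", min_group_size(extract, fields))
    # k falls from 2 to 1 once date of birth is added: every record becomes
    # unique on the released columns even though no email address is present.
```

The point at which k drops to 1 is the point at which the "pseudonymised" silo has quietly become personal data again, which is exactly the drift a DPO needs to be able to spot.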
What’s the answer?
As we are right at the start of GDPR compliance and many organisations have (hopefully) got their ‘house’ in order to meet the 25 May deadline, it’s important to ensure ongoing processes continue to protect GDPR compliance.
Those processes must become part of the fabric of an organisation’s way of doing things – and become the norm. What will be crucial is a sensible application of the GDPR principles in the first place. This isn’t easy, as clarification from organisations such as the ICO has been rolling out gradually while the necessary legislation went through Parliament. We also have other regulations, such as the PECR (Privacy and Electronic Communications Regulations), running in parallel; these are being aligned with GDPR but are still very much in force. You can understand why people are confused.
Finding reassurance in ISO27001
For reassurance and guidance going forward, organisations may want to consider signing up to ISO27001 and following its policies and procedures. ISO27001 provides a specification for an information security management system (ISMS). It is essentially a framework of policies and procedures that covers all the legal, physical and technical controls involved in an organisation’s information risk management processes.
For organisations like ours, it enables us to retain control and manage how we use data internally. Our auditors check and test these processes every year to ensure that we are keeping on the right track. This really works for us and will do so going forward with GDPR. It gives us a clear picture of where our data comes from, how we want to interrogate it and ensures we use data responsibly within the GDPR criteria.
Can we help?
If you are struggling with data management and want to protect your GDPR compliance going forward, why not contact the team? We’d be happy to have an initial discussion and explore how we can help. You might also be interested in our data consultancy services. T: 0203 2875387 E: email@example.com