Imagine the world after the May 25, 2018 General Data Protection Regulation (GDPR) enforcement date has passed. “Clare Smith”, one of your customers who resides in London, submits a Subject Access Request (SAR) asking what data your company has on her. What is the first thing you, as a Data Controller, will do to respond? Are you even able to respond in a timely fashion, defined by GDPR as 30 days? More importantly, do you know where Clare’s information actually is throughout all of your infrastructure, databases, files, attachments, backups, and third-party Processors?
Without a data inventory and a scalable process for responding to SARs, this individual request could become a time-consuming fire drill. Just think about how many people it would take across your company and your third-party vendors to process Clare’s request. This example focuses on just one of the multiple Data Subject Rights that you must already comply with for GDPR. What happens when more and more EU Data Subjects begin to exercise their rights under GDPR? Do you have a scalable solution to respond to these requests within the standard 30-day window?
Inventorying data, a process also referred to as Data Mapping under the GDPR, helps companies better understand what personal data they hold and, quite honestly, come to grips with it. Performing this exercise forces companies to think about how data flows in, through, and out of their business. At OwnBackup, we consider Data Mapping across the entire Data Lifecycle, from data capture to data deletion. Once you have mapped out your Data Lifecycle, you can begin to work out in practical terms what your GDPR obligations and requirements are, and respond more efficiently to Subject Access Requests.
Why else is this important? A key aspect upon which GDPR is founded is Data Transparency. Data Transparency not only instills trust in your personal data processes, which should be built around privacy by design, but also shapes how you empower your Data Subjects to understand your data processing activities. This includes providing mechanisms for them to challenge the accuracy of their data, object to the processing of their data, and have their data removed altogether.
If you have not started to prepare, now is the time to roll up your sleeves and kick off your data inventory mapping exercise. Companies often struggle to understand their GDPR requirements if they have not yet analyzed what data they have, how it is classified, how sensitive it is, where it is stored, with whom it is shared, and how it is backed up.
Pro-tip: Documenting your data inventory process helps you prepare for the GDPR Accountability Principle. Under this principle, companies processing the data of EU Data Subjects are required to demonstrate and prove how they comply with GDPR.
After putting together your data inventory, determine whether or not you can easily locate Data Subject information across all those databases, backups, attachments, and third-party Processors. If the process would be too difficult and time-consuming at scale, implementing a new process or purchasing a solution that lets you easily query your data might be a good option. Once you have identified all of the places you store Personal Data, you will need to be able to query them efficiently and easily. When selecting data storage or management solutions, whether a CRM, a database, or a backup, ensure the solution you select has powerful, extensive search capabilities.
Now that you’ve thought through why you need a GDPR data inventory and mapping process, let’s go back to our example with Clare Smith... You can now easily locate where Clare’s information is across your databases, backups, attachments, and third-party Processors, and respond to Clare well within the standard 30-day deadline.
As Data Controllers, you’re responsible for maintaining an inventory of personal data, including the data in your archives. This can be one of the more difficult obligations of a Data Controller, particularly because you must not only furnish your Data Subject(s) with details of how their data is handled, shared, and used, but also provide notification without undue delay.
Data Controllers using OwnBackup will be able to perform global personal data searches across their archives, identifying the region and attachments in which the Personal Data resides. This will be possible on-demand and within minutes.
View the GDPR Right to be Forgotten - Compliance for your Backups webinar recording to learn more about maintaining Data Subject transparency by setting up a Data Inventory.
Find out more about OwnBackup’s GDPR data protection solution and find answers to some of the most commonly asked questions that we’ve received at our GDPR webpage.