This is the 12th post in a series on privacy by Andrew Pery. You might also be interested in:
- The Re-Permissioning Dilemma Under GDPR
- Data Privacy and Open Data: Secondary Uses under GDPR
- Three Critical Steps for GDPR Compliance
- Mitigate Data Privacy and Security Risks with Machine Learning
- The Privacy and Security Dichotomy
- GDPR and Cross Border Data Flows between the EU and the US: Current State of the Law
- Privacy by Design: The Intersection of Law and Technology
- What Do the GDPR and new Privacy Laws Mean for U.S. Companies?
- Balancing Privacy Rights with Social Utility in the Age of the Internet of Things.
- GDPR Compliance Starts with Data Discovery
- GDPR and the Data Governance Imperative
Digital data pervades virtually every aspect of our lives. IDC estimates that by 2025 digital data will grow to 163 zettabytes, 80% of which will be created by businesses. From autonomous cars, robotic process automation, intelligent personal assistants to smart home devices, the world around us is undergoing a fundamental change, transforming the way we live, work, and play.
The Changing Nature of Personally Identifiable Information
The confluence of big data, cloud computing, social media, and mobile devices means that diverse data sets are collected and aggregated which, taken together (for example, internet search habits and GPS tracking information), may expose personally identifiable information.
There is an even more vexing challenge: data analytics, powerful algorithms that cut through vast amounts of data. Predictive analytics is fundamentally changing the definition of data. Data now consists not only of consent-based data collected from data subjects but also extends to observed data (for example, video data from surveillance sensors) and inferred data, aggregated from diverse data sets that create a digital fingerprint of data subject sentiments, preferences and behaviors. Increasing use of machine learning technologies is also generating vast amounts of data about individuals without their knowledge, let alone affirmative consent, as required by GDPR.
The GDPR Accountability Principle
The General Data Protection Regulation considerably strengthens the accountability principle, which requires organizations to institute "appropriate technical and organizational measures" to safeguard privacy rights, maintain a record of processing activities, and have in place adequate internal controls to demonstrate compliance if requested by supervisory authorities. Compliance with the accountability principle implies having better visibility into the data, how it is collected and processed, and the steps taken to minimize the amount of personal information collected.
The Information Governance Imperative
It is not surprising, then, that a recently published survey found that 64% of organizations are planning to overhaul their business processes given GDPR's onerous enforcement mechanisms, fines and penalties. However, 47% of the same survey participants do not have a clear understanding of how to prioritize their compliance initiatives.
So where do you begin your governance journey?
A useful starting point is to consider a unified information governance strategy based on the over-arching principle that safeguarding privacy rights is not just about risk mitigation but also an opportunity to strengthen corporate brand and foster enduring customer loyalty.
A holistic information governance strategy demands cross-functional participation from the business leadership. A potentially useful governance framework is the IGRM reference model. This model provides a framework for aligning the key business functions so that:
- The business may leverage data as a competitive asset;
- IT may improve operational efficiencies in the management of data; and
- Legal may mitigate compliance risk and proactively adhere to regulatory requirements.
A large percentage of data now lives beyond traditional organizational boundaries, in the cloud, IoT and social media, where it is inherently challenging to manage and harness. A recent survey found that for 71% of organizations, identification of data sources and their location is their primary challenge.
I came across an excellent visual resource that maps out the data discovery requirements associated with GDPR compliance obligations. The data discovery map provides a simple representation of what organizations need to consider in identifying their data sources, their location and classification.
Article 30 of GDPR requires organizations to map out how personal information is collected and processed, to whom such information is disclosed, and the measures taken to collect information that is limited to what is necessary.
There are a number of tools and privacy enhancing technologies available to support the data discovery and mapping requirements under GDPR.
One of the potentially more daunting tasks is the review of existing internal policies and vendor agreements to ensure compliance with GDPR obligations, followed by remediation steps to address gaps. This may be a time-consuming and tedious process, which may be streamlined through the use of machine learning technologies that extract meaning from documents much the same way as humans do. For example, Named Entity Recognition automatically identifies relevant nouns (people, places, and organizations) within agreements and extracts them for analysis purposes. Natural Language Processing helps organizations infer meaning from agreements in context by analyzing the co-occurrence of contract clauses and their relationships within and between documents.
Compliance with GDPR begins and ends with proactive information governance best practices. In many ways, if your organization subscribes to the Generally Accepted Recordkeeping Principles, then GDPR compliance initiatives are easier to embrace.
About the author: Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector focusing on content management and business process automation. Andrew holds a Masters of Law degree with Distinction from Northwestern University and is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).