GDPR compliance: Key steps in the GDPR compliance journey
Wipro's Murthy Vedula examines some of the lessons learnt from running GDPR compliance projects
In the past year or so, companies throughout Europe and beyond have been involved in various projects to achieve organisation-wide compliance with the EU's General Data Protection Regulation (GDPR).
Quite a few activities fall under the scope of the IT department since IT manages the applications and the infrastructure in which much of the private data resides. Therefore, IT teams have initiated many projects that are drawn from an organisation's data privacy strategy in the wake of GDPR.
Even six months after GDPR came in, not many IT teams can confidently say they really are where they need to be to ensure full compliance. Some IT teams, though, have carefully analysed the scope, their current state and the required projects from a GDPR standpoint, and have implemented such projects in a streamlined, phased manner to provide the necessary GDPR assurance to the organisation's legal team.
Starting point: Reviewing the application landscape
The starting point for the IT team is the IT application landscape. In a typical large or medium-sized organisation, this is comprised of several hundred applications and platforms.
Empirically, around one-third of enterprise applications and platforms contain what is termed as personal and/or sensitive personal data. Controls and capabilities from a GDPR standpoint are to be focussed on these applications and platforms. The IT landscape snapshot itself, as taken from the enterprise architecture toolsets such as configuration management databases (CMDB), may not be fully up to date. Hence, it is worthwhile to review this snapshot to come up with the scope.
E-discovery of personal data
Having identified the applications and platforms, it is necessary to determine the nature of personal data in these applications to draw up a personal data register that will need to be maintained. Conducting this exercise of data discovery over several hundred applications accurately in a limited period is a daunting task.
Fortunately, there exist e-discovery tools that can scan applications - containing structured and/or unstructured data - and report the personal data elements they hold. Combining metadata search with data discovery rules applied to sample data sets within the application, these e-discovery tools can provide a near-complete personal data heat map of the applications.
There are a few options for e-discovery tools available, such as BigID, Stored IQ, INFA S@S and so on. The choice of the tool in an enterprise is dependent on the IT landscape at hand.
Since setting up e-discovery tools within the non-production environments of all applications may not be feasible (due to competing projects vying for them at any point in time), it is a good idea to attempt manual personal data discovery on applications with a smaller data footprint. One needs to be aware that e-discovery can be a resource-hungry process - both in terms of compute power and memory - and resources need to be provisioned accordingly.
It is also important to identify personal data flow among connected applications. This data flow needs to be maintained as an artefact in the enterprise architecture repository. The report of personal data across connected applications is utilised during data subject access requests (DSAR).
There are tools that utilise the mapping to provide an automated report containing the personal data of a data subject drawn from multiple connected applications. Generating a DSAR in this fashion is faster and more accurate, and lends much more credence to the process.
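The two steps described above (rule-based discovery of personal data across a set of applications, and using a data-flow map between those applications to assemble a DSAR report for one data subject) can be sketched in a few dozen lines. The example below is added here for illustration and is not code from the article or from any of the tools it names; the application landscape, the discovery rules, the scoring weights and the data-flow map are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample landscape: each "application" exposes its column
# metadata and a few sampled rows, as an e-discovery tool would pull them
# from a non-production copy. Values are made up.
APPLICATIONS = {
    "crm": {
        "columns": ["customer_id", "full_name", "email", "date_of_birth", "notes"],
        "sample_rows": [
            {"customer_id": "C-1001", "full_name": "Ana Example", "email": "ana@example.org",
             "date_of_birth": "1984-03-02", "notes": "prefers phone contact"},
            {"customer_id": "C-1002", "full_name": "Ben Sample", "email": "ben@example.net",
             "date_of_birth": "1990-11-17", "notes": "renewal due"},
        ],
    },
    "billing": {
        "columns": ["invoice_id", "customer_id", "amount", "iban"],
        "sample_rows": [
            {"invoice_id": "I-7", "customer_id": "C-1001", "amount": "120.00",
             "iban": "DE89370400440532013000"},
        ],
    },
    "monitoring": {
        "columns": ["host", "cpu_pct", "mem_pct"],
        "sample_rows": [{"host": "web01", "cpu_pct": "12", "mem_pct": "40"}],
    },
}

# Illustrative discovery rules (not a vendor rule set). Metadata rules
# match column names; value rules match sampled cell contents.
METADATA_RULES = {
    "name": re.compile(r"(full_?name|first_?name|last_?name|surname)", re.I),
    "email": re.compile(r"e-?mail", re.I),
    "date_of_birth": re.compile(r"(dob|birth)", re.I),
    "bank_account": re.compile(r"iban|account_?no", re.I),
}
VALUE_RULES = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.]+$"),
    "date_of_birth": re.compile(r"^(19|20)\d\d-\d\d-\d\d$"),
    "bank_account": re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),
}
# Categories weighted higher in the heat map (assumed classification).
SENSITIVE = {"bank_account", "date_of_birth"}


def discover(app):
    """Return {column: set(categories)} for the columns that look personal."""
    hits = defaultdict(set)
    for col in app["columns"]:
        for cat, rx in METADATA_RULES.items():
            if rx.search(col):
                hits[col].add(cat)
        for row in app["sample_rows"]:
            for cat, rx in VALUE_RULES.items():
                if rx.match(str(row.get(col, ""))):
                    hits[col].add(cat)
    return dict(hits)


def heat_map(apps):
    """Score each application: 1 per personal-data column, 2 if the column
    holds a sensitive category. A score of 0 means out of GDPR scope."""
    result = {}
    for name, app in apps.items():
        found = discover(app)
        score = sum(2 if cats & SENSITIVE else 1 for cats in found.values())
        result[name] = {"score": score, "columns": found}
    return result


# Constructed data-flow map: (source app, destination app, shared subject key).
# This is the artefact the article says belongs in the EA repository.
DATA_FLOWS = [("crm", "billing", "customer_id")]


def dsar_report(apps, flows, subject_id, root_app="crm", root_key="customer_id"):
    """Collect every discovered personal-data field held about one data
    subject, following the flow map from the root application outwards."""
    linked = {(root_app, root_key)}
    linked |= {(dst, key) for src, dst, key in flows if src == root_app}
    linked |= {(src, key) for src, dst, key in flows if dst == root_app}
    report = {}
    for name, key in linked:
        personal_cols = discover(apps[name]).keys()
        for row in apps[name]["sample_rows"]:
            if row.get(key) == subject_id:
                report[name] = {c: row[c] for c in personal_cols}
    return report


if __name__ == "__main__":
    for app, info in heat_map(APPLICATIONS).items():
        print(f"{app:12} score={info['score']} columns={sorted(info['columns'])}")
    print(dsar_report(APPLICATIONS, DATA_FLOWS, "C-1001"))
```

Two design points carry over to real tooling: a column is flagged when either the metadata rule or the value rule fires, because column names are often uninformative (free-text "notes" fields are the usual blind spot, and they only surface through value rules), and the DSAR report is driven entirely by the flow map, so an application missing from that map is silently absent from the report, which is why the article insists the map be maintained as a first-class artefact.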
GDPR capability register
The next step in the process is to analyse the GDPR capabilities needed in the applications that contain personal data. The capabilities needed flow directly from the rights of the data subject and thus the obligations on the data controller or processor. The presence of these capabilities in each application needs to be used as a yardstick to measure the GDPR completeness of the application.
Any analysis done on the application capabilities needs to be duly evidenced. This will be useful during an audit of GDPR compliance in the organisation. Tools such as GRC Archer can serve as a register of the applications' GDPR capabilities.
During the analysis of the GDPR capabilities of applications, if any shortfalls are observed then corrective or remediating features need to be implemented. In some cases, this may even require a complete revamp of the application. However, the most common cases of such remediation are managing consent in a better manner and enabling features to implement the ‘right to be forgotten’.
Data retention management
The right to be forgotten and the legal basis for holding data have been discussed in detail in various forums of the International Association of Privacy Professionals (IAPP).
Even when the legal basis ends and the personal data cannot be legally retained any longer, there have been instances where the applications do not have features to remove such data. This affects the ‘storage limitation’ requirement of GDPR. Many long-running GDPR projects deal with implementing this data retention management.
These projects are also among the more complex ones, requiring thorough testing and longer timelines. The business teams are often reluctant to let go of the data even when the legal basis is no longer valid. This ‘keep the data, just in case’ mindset needs to be done away with, and all data retention requirements need to be fully documented, approved and complied with.
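The retention logic the article describes comes down to three rules: keep data only while a documented legal basis (plus any approved retention period) holds, erase it once that period has passed, and never act silently on data whose purpose is not in the register. The following is an added example, not code from the article; the retention register, the records and the review date are all constructed, and the retention periods are illustrative rather than legal advice.

```python
from datetime import date, timedelta

# Constructed retention register: one entry per processing purpose, giving
# the legal basis and how long data may be kept after that basis ends.
# These periods are placeholders; a real register is approved by the
# legal team and business data owners and kept as audit evidence.
RETENTION_POLICY = {
    "contract":  {"legal_basis": "contract",            "keep_days": 365 * 6},
    "marketing": {"legal_basis": "consent",             "keep_days": 0},
    "support":   {"legal_basis": "legitimate_interest", "keep_days": 90},
}

# Constructed records. basis_ended is when the legal basis stopped applying
# (contract terminated, consent withdrawn); None means it is still active.
RECORDS = [
    {"id": 1, "purpose": "contract",  "subject": "Ana Example", "basis_ended": date(2012, 1, 1)},
    {"id": 2, "purpose": "contract",  "subject": "Ben Sample",  "basis_ended": date(2018, 6, 1)},
    {"id": 3, "purpose": "marketing", "subject": "Cy Demo",     "basis_ended": date(2018, 11, 20)},
    {"id": 4, "purpose": "marketing", "subject": "Di Test",     "basis_ended": None},
    {"id": 5, "purpose": "support",   "subject": "Ed Mock",     "basis_ended": date(2018, 10, 1)},
    {"id": 6, "purpose": "legacy_export", "subject": "Fay Stub", "basis_ended": date(2010, 1, 1)},
]

# Constructed review date, roughly six months after GDPR took effect.
REVIEW_DATE = date(2018, 12, 1)


def retention_expired(record, policy, today):
    """True when the legal basis has ended and the approved retention
    period after it has also elapsed. Raises KeyError for a purpose that
    is not in the register: undocumented data must go to review, not be
    kept or deleted on a guess."""
    if record["basis_ended"] is None:
        return False
    rule = policy[record["purpose"]]
    return record["basis_ended"] + timedelta(days=rule["keep_days"]) <= today


def run_retention(records, policy, today):
    """Apply the register to a list of records without mutating the input.
    Returns (audit_log, records_after): the audit log is the evidence an
    auditor will ask for; erased records keep their id but lose the
    personal fields."""
    audit, out = [], []
    for rec in records:
        rec = dict(rec)
        try:
            expired = retention_expired(rec, policy, today)
        except KeyError:
            audit.append({"id": rec["id"], "action": "review",
                          "reason": f"purpose {rec['purpose']!r} not in retention register"})
            out.append(rec)
            continue
        if expired:
            rule = policy[rec["purpose"]]
            rec["subject"] = None
            rec["erased_on"] = today
            audit.append({"id": rec["id"], "action": "erased",
                          "reason": f"{rule['legal_basis']} ended {rec['basis_ended']}, "
                                    f"retention {rule['keep_days']} days elapsed"})
        else:
            audit.append({"id": rec["id"], "action": "kept",
                          "reason": "legal basis active or retention period not yet elapsed"})
        out.append(rec)
    return audit, out


def ids_by_action(audit, action):
    return [entry["id"] for entry in audit if entry["action"] == action]


if __name__ == "__main__":
    log, after = run_retention(RECORDS, RETENTION_POLICY, REVIEW_DATE)
    for entry in log:
        print(f"record {entry['id']}: {entry['action']:7} {entry['reason']}")
```

The third outcome, "review", is the one that tends to be missing from home-grown purge scripts: a record whose purpose nobody has documented is exactly the ‘keep the data, just in case’ case the article warns about, and the right response is to surface it to the data owner with the audit trail, not to let the job either skip it quietly or delete it without an approved basis.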
Privacy by design
IT systems' compliance with GDPR is not an activity that can be completed once and then forgotten. The GDPR capability register is a living document that needs to be continually updated with the GDPR capabilities of the applications in the IT landscape as and when any design changes are made to implement new applications or modify existing ones. This is the idea behind the ‘privacy by design’ principle. All the teams in an organisation, including the IT team, are in this for the long haul as far as GDPR is concerned, because the stakes are so much higher.
Murthy Vedula is a consultant with Wipro Technologies, specialising in energy and power utilities. Over the past year, Vedula has been engaged in a number of GDPR-related projects. He can be contacted by email