3 key challenges for the new GDPR compliance officer

News | 27.04.2018

With the May 25 General Data Protection Regulation deadline almost upon us, some organizations are still searching for the right talent to manage their compliance strategies.

Whether an organization is looking for a data protection officer, a managed services provider, a consultant or a chief privacy officer, an understanding of GDPR’s technological challenges is essential. Finding professionals who realize the underlying components of data privacy and what makes them so difficult to implement could save organizations from massive sanctions.

Here then are three challenges that any GDPR professional or vendor should understand.

GDPR is a whole different animal

GDPR’s requirement to find and potentially remediate personal data upon request—articles 15 to 18— has drawn comparisons to eDiscovery. This is understandable, and on the surface the two are similar: Both processes involve searching for relevant documents in enterprise repositories and producing them. As a result, some organizations and vendors are approaching GDPR searches as somewhat of an extension of eDiscovery. However, there are fundamental differences in the requirements of the two that make GDPR searches far more difficult.

For instance, eDiscovery requires you to find a single copy of each relevant document; GDPR requires you to find every copy. In eDiscovery you only have to search a small portion of enterprise repositories related to the custodian; GDPR requires you to search across the entire enterprise. There’s a long list of differences between eDiscovery and GDPR searches that make most eDiscovery tools on their own insufficient.

In short, GDPR is in many ways unlike anything we’ve seen. Therefore, when hiring for GDPR it is prudent to ensure a candidate is aware of the aspects in which GDPR and eDiscovery depart. A keen understanding in this area will be an indicator of a candidate’s success.

GDPR respects no silos

As information management is concerned, today’s organizations are largely silo-based. Data is stored in numerous repositories across the enterprise, including:

  • Format-based silos (email, file share, SharePoint, ECM, etc.)
  • Geographical location-based silos
  • Management-based silos (cloud vs. hybrid, in place vs. archive)
  • Function-based silos (eDiscovery, regulatory compliance, records management, etc.)

The problem is that each of these silos often has distinct management policies, a unique search engine, and there exists a general lack of coordination between them all. Bridging across these silos is becoming one of the greatest IT challenges of our time, and GDPR compliance is heavily impacted by this challenge. In fact, the two puzzles are interrelated.

How does an organization search across each repository simultaneously to find a subject’s personal data, and when they find it, how can they quickly understand the purposes for which it’s being used across the enterprise?

Data may have several duplicates being used for different functions, and each of the functions may have different policies associated with it. In other words, records management may call to retain a document for X number of years while regulatory compliance calls to retain it for Y number of years, and now GDPR calls to delete it. How can an organization reconcile conflicting policies between these function-based silos if there isn’t adequate communication between them?

When hiring a GDPR professional, he or she should have a grasp on the obstacles that face siloed architectures, and their impact on GDPR. Unfortunately, it’s rare to find someone who truly realizes these issue, let alone someone who has a solution.

True privacy is complicated

There are two camps when it comes to data privacy. On one side there are those that think privacy is preserved by leaving personal data untouched. This is an intuitive approach because it seems natural that to maintain privacy, one should not go digging around for personal information. However, the issue is that when personal data exists that is not accounted for, it will inevitably be accessed by someone, and this can have negative consequences.

For instance, data that is meant to be kept protected might end up being processed for analytics purposes, leading to several potential liabilities, including GDPR violations.

A better is one in which organizations index all documents as they’re created and apply rules-based policies to manage retention and remediation. Personal data can be readily searched, managed, and given access privileges to ensure it isn’t misused. While this holistic system of information governance calls for a degree of initial intrusion into the content of all documents, it ultimately protects the privacy of data subjects because documents are only used for legitimate purposes, and personal data can be remediated when needed.

These are some of the fundamental components of data privacy that few GDPR professionals grasp. Finding one who does could make all the difference.