As an IT leader, I get asked this question far too often these days: "Are you GDPR (General Data Protection Regulation) compliant?" The short answer is yes and no. Now you might be asking yourself "what kind of answer is that?" My answer is that it's an honest one. GDPR compliance is not an IT-only issue: it is a fundamental organisational change in how a business deals with its data. In short, IT is the protector of the data, not the decision maker on the data. That latter responsibility lies with the business… but just what is the overall responsibility when it comes to GDPR?
The common question
Over the past year I've spent a lot of my time educating my user base about GDPR: why it is so important that end users know what it is and, most importantly, what their own role around it is. During this time, one question has been asked time and time again: "how long can we keep personal data?"
GDPR Article 5(1)(e) states:
"Personal data shall be:
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');"
Article 89(1) states that:
"Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner."
Clear as mud?
At first reading it is confusing, because the regulation seems to say yes, you can keep personal data, but not forever, which doesn't sound very helpful. It is more useful than that. What the regulation is saying is that the business must define, and be able to justify, how long it needs to keep each kind of personal data before destroying or removing it. That period will differ from company to company and depends on the type of services the business offers and the purpose for which the data was collected.
The guidance I give my marketing and sales department is the following:
"As a data controller or data processor you are no longer allowed, or expected, to keep information in your sales platform (database, mailing lists) or CRM system for as long as possible, or until IT tells you that you have run out of space and need to clear down or archive some data."
For example, if you haven't had any contact or done any business with a customer for 24 months, it's more than likely they aren't going to purchase anything from you any time soon, or they have moved on.
If no contact has been made during this period, then it could be deemed no longer necessary to keep their details. But what if they come back to you after you have removed their details from the system? How can you link them back to their old account for historical purposes?
This is where pseudonymisation comes into play.
Here's the definition of 'pseudonymisation' from Article 4(5):
"the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person."
Using the example above, you remove all direct personal identifiers (contact details, name, email, etc.) from the customer record but retain the customer account number or ID, together with the history of services sold. The "additional information" that can tie that account ID back to a real person is held separately, under its own access controls, so that if the customer does return after 24 months you can link them back to the account and its full history. Bear in mind that the pseudonymised record is still personal data as far as GDPR is concerned, since it can be re-attributed with that additional information; it is a safeguard, not an exemption.
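The following is an added example, not code from the original post or from Bluefin's systems, showing one way to implement the retention rule and pseudonymisation described above. It uses constructed sample CRM records, a hypothetical 24-month retention period, and a hypothetical HMAC key; the key and the resulting lookup table are the "additional information" that must be stored separately from the CRM.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed sample CRM records (hypothetical data, not from the original post).
RECORDS = [
    {"account_id": "A-1001", "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 20 7946 0000", "last_contact": "2016-01-15",
     "orders": [{"sku": "SVC-1", "date": "2015-12-01"}]},
    {"account_id": "A-1002", "name": "Bob Example", "email": "bob@example.com",
     "phone": "+44 20 7946 0001", "last_contact": "2018-03-02",
     "orders": [{"sku": "SVC-2", "date": "2018-03-02"}]},
]

# Fields treated as direct identifiers and stripped from stale records.
DIRECT_IDENTIFIERS = ("name", "email", "phone")
# Hypothetical retention period: 24 months without contact, as in the text.
RETENTION = timedelta(days=730)


def is_stale(record, today):
    """True if the record has had no contact for longer than RETENTION."""
    last = date.fromisoformat(record["last_contact"])
    return today - last > RETENTION


def link_token(email, key):
    """Keyed hash of the normalised email; without the key nobody can
    recompute or reverse it, so the token alone does not identify anyone."""
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(record, key):
    """Return (stripped record, lookup entry). The stripped record keeps the
    account ID and order history; the lookup entry (token -> account ID) is
    the separately stored 'additional information' in the Article 4(5) sense."""
    stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    stripped["pseudonymised"] = True
    lookup = {link_token(record["email"], key): record["account_id"]}
    return stripped, lookup


def apply_retention(records, key, today):
    """Pseudonymise every record that has passed the retention period.
    Returns the new record list and the lookup table to store elsewhere."""
    kept, lookup = [], {}
    for record in records:
        if not record.get("pseudonymised") and is_stale(record, today):
            stripped, entry = pseudonymise(record, key)
            kept.append(stripped)
            lookup.update(entry)
        else:
            kept.append(record)
    return kept, lookup


def relink(email, key, lookup):
    """When a customer returns, recover their old account ID, or None."""
    return lookup.get(link_token(email, key))


if __name__ == "__main__":
    # Hypothetical key; in practice it lives in a secrets store, not the CRM.
    key = b"example-key-stored-separately"
    kept, lookup = apply_retention(RECORDS, key, date(2018, 6, 1))
    print(json.dumps(kept, indent=2))
    print("returning customer ->", relink("Alice@Example.com", key, lookup))
```

Two points a practitioner would check: the HMAC key and the lookup table are what make re-identification possible, so they need their own access controls and their own retention decision, and the order history and dates left in the stripped record can still single someone out, which is why the pseudonymised record remains personal data.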
The nightmare of multiple systems
Bluefin, like most companies, has various systems and applications in which personal data is kept. This is great from an end-user experience perspective, but a nightmare for compliance. The trick is to identify where all the personal data lives and classify it, so that you can then apply the retention period and pseudonymisation consistently across every system rather than in just the CRM.
Some cloud providers and systems already have tools in place that can help with this process, but if you're using a legacy system you may need to do it manually, or look at upgrading the entire system to ensure compliance for the future. Needless to say, this process can be very tedious, time consuming and costly.
Questions for the cloud
If you have discovered that some of the personal data is kept in the cloud, e.g. Dropbox, Office 365, a payroll service, etc., you will need to know whether those providers are GDPR compliant. There are a few basic questions you should be asking:
Are they a data processor or data controller?
How do they store your data?
Do they have a retention policy? e.g. a payroll provider
Are they GDPR compliant or what are they doing to be compliant?
If they can't answer these basic questions, it may be time to move to another provider.
What continues to amaze me is that companies, some of them international names with multibillion-dollar turnovers, are only now starting to address this thorny matter. GDPR is happening and it's not going away, so if you haven't already engaged your IT teams, and just as importantly the wider business, NOW is definitely the time to start.