Many conversations around GDPR seem to follow a similar sequence as Dave Lister’s experience in the opening episode of Red Dwarf.
Holly: They’re all dead. Everybody’s dead, Dave.
Lister: Peterson isn’t, is he?
Holly: Everybody’s dead, Dave!
Lister: Not Chen!
Holly: Gordon Bennett! Yes, Chen. Everyone. Everybody’s dead, Dave!
Holly: He’s dead, Dave. Everybody is dead. Everybody is dead, Dave.
Lister: Wait. Are you trying to tell me everybody’s dead?
So, yes, GDPR affects all kinds of data. Big data, small data, structured and unstructured data, online and offline, backup and archive, open or grey, digital or paper-based data. It’s all data, and therefore GDPR applies to it.
This simultaneously makes the task of GDPR compliance very easy, and very difficult. Easy, because decision makers don’t have to worry about what data is involved. And very difficult, because few organizations have a clear handle on what data is stored where. That filing cabinet in the back of a warehouse, the stack of old tapes on top of a cupboard, that rack of servers which were turned off… yeah, all of them.
Because that’s not the focus of GDPR, you know, the technology gubbins, complexity and all that. The regulation quite deliberately focuses on personally identifiable information and its potential impact on people, rather than worrying about the particular ramifications of this or that historical solution, process or lack of one.
At the same time, this does suggest quite a challenge. “But I don’t know what I have!” is a fair response, even if it is tinged with an element of panic. Here’s some other good news, however — laws around data protection, discovery, disclosure and so on never distinguished between the media upon which data was stored, nor its location.
You were always liable, and still are. The difference is that we now have a more consistent framework (which means fewer loopholes), a likelihood of stronger enforcement and indeed, potentially bigger fines. To wit, one conversation I had with a local business: “So, this is all stuff we should have been doing anyway?” Indeed.
Of course, this doesn’t make it any easier. It is unsurprising that technology companies and consulting firms, legal advisors and other third parties are lining up to help us all deal with the situation: supply is created by, and is doing its level best to catalyse, demand. Search and information management tools vendors are making hay, and frankly, rightly so if they solve a problem.
If I had one criticism, however, it is that standard IT vendor and consulting trick of only asking the questions they can answer. When you have a hammer, all the world is a nail, goes the adage. Even if a nail-filled world may seem attractive to purveyors of fine hammers, they should still be asking to what purpose the nails are to be used.
To wit, for example, KPMG’s quick scan of unstructured data to identify (say) credit card numbers. Sure, it may serve a purpose. But the rhetoric — “Complete coverage, get in control over unstructured data on premises and in the cloud” — implies that a single piece of (no doubt clever) pattern matching software can somehow solve a goodly element of your GDPR woes.
As I have written before, if you want to get there, don’t start from the place which looks at data and says “Is this bit OK? What about this bit?” A better starting point is the regulation, its rules around the kinds of data you can process and why, as documented by the Information Commissioner’s Office (ICO). The “lawful bases” offer a great deal of clarity, and start discussions from the right point.
Mapping an understanding of what you want to do with data, against what data you need, is not cause for concern. In the vast majority of cases, this is no different to what you would do when developing an information management strategy, undertaking a process modelling exercise, or otherwise understanding what you need to do business efficiently and effectively.
The thing GDPR rules out is use of personal data people didn’t want you to have, to fulfil purposes they didn’t want you to achieve. For example, use of ‘cold lists’ by direct marketing agencies may become more trouble than it is worth — both the agency, and the organization contracting them, become culpable. Equally, selling someone’s data against their will. That sort of thing.
But meanwhile, if you were thinking of harvesting maximum amounts of data about, well, anybody, because you were thinking you could be monetizing or otherwise leveraging it, or you were buying data from others and looking to use it to sell people things, goods or services, you should probably look for other ways to make money that are less, ahm, exploitative.
But if you have concerns about GDPR, and you are ‘just’ a traditional business doing traditional kinds of things, you have an opportunity to revisit your information management strategy, policies and so on. If these are out of date, chances are your business is running less efficiently than it could be, so how about spending to save, building in compliance in the process?
Across the board right now, you can get up to speed with what GDPR means for the kind of business you run, using the free helplines the regulators (such as the ICO) offer. If you are concerned, speak to a lawyer. And indeed, talk to vendors and consulting firms about how they are helping their customers, but be aware that their perspective will link to the solutions they offer.
Thank you to Criteo and Veritas, whose briefings and articles were very useful background when writing this article. As an online display advertising firm, Criteo is keenly aware of questions around personal vs pseudonymous data, as well as the legal bases for processing. Veritas offers solutions for analysis of unstructured data sources, and has GDPR modules and methodologies available.