GDPR and Data Discovery
As estate agents say, it’s all about location, location, location. We are a couple of months away from GDPR and it’s interesting to note the different reactions to the upcoming May 25th deadline. The level of fear is palpable in some organizations, while others have a more gung-ho attitude to the threat of possible fines. As a result of this wide range of attitudes, when we go into conversations as a team, we never really know what the real level of fear is until we are deep into the conversation.
This is one of the many reasons I hate FUD (fear, uncertainty, doubt) selling. It’s a poor way to sell, mainly because you can’t tell what the other person is thinking, or how to appeal to the very basis of what drives human decision making. Therefore, we adopted a methodology to uncover the biggest issue bothering people from business, financial, operational and technical perspectives.
It seems that there is a unifying message.
In a phrase, customers “don’t know what they don’t know”. The first-generation GDPR ‘solutions’ we have seen across the spectrum all rely on one element: you need to know where the personal data is before using the solution. In essence, the first-generation solutions are saying, “Tell us where the personal data is and we will…err…tell you where the personal data is”.
The challenge that unites every single organization we have spoken to is ‘Shadow IT’. Even if they were to catalog (which is quite difficult) personal data and special types of personal data today, they know that by the weekend the catalog will be out of date. Therefore, if we, as a team, focus the conversation on GDPR fines, we are doing our customer a disservice – rubbing salt into a wound. Deep down, they know that unless they are able to discover personal data in a way that is 1) consistent, 2) scalable and 3) not heavily reliant on human input, they are doing things inefficiently and improperly. Additionally, as technologists and thought leaders, it is our responsibility to make the world a better place by using the latest technology. Lastly, and perhaps most importantly, we are doing the data subject a disservice. GDPR is about the protection of their personal data – wherever it is. It’s not about checking a box.
So, if customers implement a solution that does not meet the three criteria above, does that solution still protect them against GDPR regulatory requirements in the long term?
Who knows? But is it even relevant? We need to work towards a discovery system that actually helps us have better control over our personal data. Counter-intuitively, meeting this objective results in a win-win. What benefits the data subject will also benefit the organization if done properly.
With a proper discovery system in place, we can secure better control over how our data is being used. For example, we are able to hold marketing agencies and cold callers accountable. We expect organizations to have a system in place that can truly find our personal data and all copies (and sub-copies) of personal data. (Win 1)
My personal (not statistically valid) observation has been that in EMEA (Europe, Middle East, Africa), DPOs have been internalizing the message that GDPR is less about fines and more about the protection of the human right to privacy. It is seen as a corporate responsibility. So if they are going to implement a system to help discover how organizations are storing, processing and sharing personal data – they want to do it properly. (Win 2)
With regard to the United States – the jury is still out as to what is making the US market tick. It seems that for American organizations, GDPR raises the issue of risk vs. liability. They want to reduce the risk of the liability of holding personal data. The way to protect your business from this is by implementing the best system available. Furthermore, there is definitely a sense of resurgent interest in the field of privacy. This is evidenced by senior security executives contemplating career development in privacy as opposed to core security. Privacy is surely becoming the next frontier in security risk and liability.
Given the fact that customers are most concerned about what they don’t know, especially the changes likely to occur in the future, we need to focus on a way to properly implement a system to help them discover this.
It’s all about Discovery (for the benefit of us the people). Discovery (for organizations seeking better corporate responsibility). Discovery (for organizations seeking to address risk vs. liability with regard to privacy). The rest is just salad dressing.