With the GDPR compliance deadline of May 25, 2018, just around the corner, I wanted to explore the responses to a few questions posed during a recent interview with Jarno Vanto, Shareholder at Polsinelli. In this next blog series focused on GDPR, I wanted to share some practical implementation guidelines.
The first question Jarno was asked was “What does the regulator expect organizations to achieve by May 2018?” Jarno’s response was clear: “That organizations have identified and mapped the personal data they process, built the processes required by the GDPR, such as those relating to data protection impact assessments and data subject rights, and included all GDPR-required elements into their legal documentation such as privacy policies and vendor agreements”. Let’s take the first part of the response: “organization have identified and mapped personal data they process”. Now, let’s just focus on “identified and mapped … personal data”. Relevant GDPR references include: 1) Article 2 – Material Scope, note recitals: 14 – 21; and, 2) Article 4 – Definitions, note recitals: 26 – 37.
The only way to effectively and efficiently “identify” and “map” such data is to automate the process. This activity is often performed as part of a Data Protection Impact Assessment (“DPIA”), another GDPR requirement (Article 35). A DPIA is the basis for demonstrating GDPR compliance; hence it must be a well-engineered process that can be repeated consistently over time. For many organizations, conducting an initial assessment across multitudinous platforms alone is a difficult task. Sophisticated scanners that can quickly examine different vendor databases and file types are essential. In addition, content, format, range of values, and data types must be rapidly compared for similarities, differences, and compliance with data management and data security policies. The results must be document, analyzed, and communicated to a broad, diverse audience. Informatica’s Enterprise Data Catalog (“EDC”) is a good example of one vendor implementation of a wide range of pre-built scanners for GDPR. Informatica’s EDC can make what could be daunting task simpler by combining forensic-like data analysis and artificial intelligence to derive insight on potential data anomalies and their risk to the organization.
DPIA is definitely not a pencil and paper exercise. The working committee for Article 29 which addresses the processing of subject data has developed several criteria to consider when conducting a DPIA. The latest version can be found here. In the next blog, we’ll explore more details on how to actually perform a DPIA.
—————————-
Mr. Mohit “Mo” Sahgal is the VP of Analytics of Paradigm Technology. He is an accomplished Senior Executive with decades of management consulting expertise. Mo has held various leadership positions including Senior Executive at Accenture, Partner at IBM, Partner at Capco, and Executive Director at Ernst & Young LLP. Mr. Sahgal LinkedIn profile can be found here.
Paradigm Technology is a strategic consulting company, a leader in Digital Transformation working for 25 years with the Fortune 500 serving the utilities, banking, airline, manufacturing and high-tech verticals. We enable our clients in: Customer Centricity (MDM, PIM), Data Governance (Axon, EDC, IDQ), Real-time Analytics, and Cloud Adoption (BDM, Relate360, IDL). Our Data Scientists help make sense of IoT and Big Data to predict and answer the hard questions to grow revenue, reduce costs and avoid risk. Paradigm’s Business Transformation practice supports this through IT simplification, change management and robotic automation.Paradigm is ready to support you in your business journey. For more information about Paradigm Technology, email [email protected] or visit us at www.pt-corp.com.