Will your technology hamstring your GDPR compliance?
27/02/18 | by: Jack Blogg
Technology professionals sometimes bemoan their perceived role as compliance agents, but compliance can be very important. Take the forthcoming changes associated with the General Data Protection Regulation (GDPR), legislation that is imminent from Europe. It is going to involve every public sector entity as well as private sector organisations, and the penalties for non-compliance will be severe.
If your organisation handles data on any individual classified as a citizen of the EU, then GDPR will apply to you. Brexit won’t change a thing and the legislation will affect customers, contractors, agency staff, volunteers – essentially if you’re an entity that handles information on people, you have to comply. This will mean cataloguing exactly how you handle the data you have on individuals, providing citizens with all the data you have on them on request and watching out for data privacy settings in any new system or device you deploy.
Public sector bodies will have a few headaches around the legislation. This is particularly pertinent as many local authorities move to a shared services model, but nobody is exempt. The difficulties include the fact that data has been held, long term, on citizens across disparate systems. There are data silos in every public sector body, and the digital footprint left by all of them needs to be included in any search. Also, when a citizen asks for the data being held on them, the law will say that this covers absolutely all the data; “pretty much everything” or “the vast majority” won’t do.
Consent is also going to be important in terms of what’s done with the data; a quick tick-box won’t be enough, and that’s before we get into the right to be forgotten.
It’s going to be a substantial task. You could argue that all it boils down to is good data governance but that view risks underestimating the scale of the job. According to IDC, there will be 180 zettabytes of data by 2025. At the moment virtually nobody knows what a zettabyte is (it’s actually 1,000,000,000,000,000,000,000 bytes and yes of course we had to look that up).
The good news is that some 76% of public sector organisations have reported that they are all but ready for it. Everyone’s idea of “ready” will be different, but we’d suggest there needs to be a stage of discovery/audit of all information held, with senior sponsorship at management level and a look at staff and potential partners, followed by modelling of the data landscape, risk-scoring approaches and analyses of data proliferation both inside and outside an agency. That should offer a reasonable rough framework.
Help is available. It’s not reasonable to expect organisations to work on something this substantial in isolation. Most IT professionals will already have outsourced the majority of their IT to third parties; ensuring that GDPR is included at all levels and that the partner has the right expertise and experience to share cost-effectively will mark one of the strongest possible starts.
GDPR is due to hit in May 2018. Brexit is due to introduce grey areas ten months later, but in the meantime the penalties for non-compliance run into millions. Public sector organisations are already short enough of resources; it’s imperative to find a partner capable of ensuring compliance from day one.