The time has finally arrived: May 25 has passed and the EU's General Data Protection Regulation (GDPR) has gone into effect. By now, you've likely slogged through a tsunami of emails alerting you to changes in corporate privacy policies. Many companies have been applying what appear to be cosmetic changes to those policies, yet the real implications lie deeper, in how the underlying data is managed.
It's a process: Enforcing data protection rights under GDPR
It's a process that must scan all corporate data assets, identify whether each asset contains personal data, and maintain an index linking an individual's virtual identity to every data asset that holds that individual's personal data. In essence, each data asset must be analyzed to determine how it is used, who has access to it, what types of data values it stores and what types of personal data it includes. Determining that a data asset contains personal data then sets the stage for a further evaluation of its sensitivity:
- How many records (or objects) in the data asset contain personal data?
- What is the level of sensitivity (i.e., is it name and address information, is it protected health information, or is it personal financial information)?
Finally, in addition to documenting which data assets contain which individual’s personal data, there must also be an inventory of how that personal data is being used. GDPR requires that your company disclose how personal data is used. But under certain circumstances, it allows the company to reserve the right to use or share personal data (for example, if required by law, or to protect the safety of others). These uses are acceptable, even if the individual has requested a restriction on processing and sharing.
More concretely, there are technical demands for GDPR compliance: data profiling, taxonomies for data sensitivity, data asset cataloging, data use policy management, identity resolution, inverted entity indexes, as well as master data management. These are all needed to: uniquely identify any individual for whom personal data is managed; find all the data assets in the enterprise (and potentially shared with data processors) that contain that individual’s personal data; and then document and apply the individual’s directives regarding personal data use.
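As an added example (this is illustrative code, not code from the article or any product it describes), the following toy Python pipeline walks through the steps just listed end to end: it profiles constructed sample data assets for personal data, ranks each asset on an assumed sensitivity taxonomy, resolves each record to a subject (directly by e-mail, or through an assumed MDM master table keyed by customer id), builds the inverted entity index, answers "where is this person's data?", and applies a subject's restriction directive while honouring the exceptions the text mentions. The regex detectors, the tier names, the master table, the datasets and the "subject key = lower-cased e-mail" rule are all assumptions made for the example.

```python
"""Toy GDPR data-inventory pipeline: profile assets for personal data, rank
sensitivity, resolve records to a subject, build the inverted entity index,
and apply a subject's processing directive.

Added example, not code from the article. The datasets, regexes, tier names,
the MDM master table and the lower-cased-e-mail subject key are assumptions.
"""
import re
from collections import defaultdict

# Sensitivity taxonomy (assumed): detector -> (tier, pattern a value must fully match).
DETECTORS = {
    "email": ("basic", re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")),
    "phone": ("basic", re.compile(r"\+?\d{1,3}[ -]?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{3,4}")),
    "iban": ("financial", re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}")),
    "icd10": ("health", re.compile(r"[A-TV-Z]\d{2}(\.\d{1,4})?")),
}
TIER_RANK = {"none": 0, "basic": 1, "financial": 2, "health": 3}
MATCH_THRESHOLD = 0.8  # share of non-empty values a detector must match to label a column
# Purposes the article says remain permitted even after a restriction request (assumed names).
RESTRICTION_EXEMPT = {"required_by_law", "protect_others_safety"}


def profile_column(values):
    """Detectors that match at least MATCH_THRESHOLD of a column's non-empty values."""
    present = [str(v) for v in values if v not in (None, "")]
    if not present:
        return set()
    return {name for name, (_, pat) in DETECTORS.items()
            if sum(1 for v in present if pat.fullmatch(v)) / len(present) >= MATCH_THRESHOLD}


def profile_asset(records):
    """Label each column of an asset and derive the asset's overall sensitivity tier."""
    columns = {c for r in records for c in r}
    labels = {c: d for c in columns if (d := profile_column([r.get(c) for r in records]))}
    tier = max((DETECTORS[d][0] for dets in labels.values() for d in dets),
               key=TIER_RANK.__getitem__, default="none")
    return labels, tier


def resolve_subject(record, labels, master):
    """Identity resolution: direct e-mail if the asset has one, else the MDM master table."""
    for col, dets in labels.items():
        if "email" in dets and record.get(col):
            return record[col].strip().lower()
    email = master.get(record.get("customer_id"))
    return email.strip().lower() if email else None


def build_inventory(assets, master):
    """Return (catalog, inverted index: subject -> {(asset, row)})."""
    catalog, index = {}, defaultdict(set)
    for name, asset in assets.items():
        labels, tier = profile_asset(asset["records"])
        pii_rows = unresolved = 0
        for row, rec in enumerate(asset["records"]):
            if not any(rec.get(c) for c in labels):
                continue  # no personal data in this record
            pii_rows += 1
            subject = resolve_subject(rec, labels, master)
            if subject:
                index[subject].add((name, row))
            else:
                unresolved += 1  # personal data not tied to any subject: needs follow-up
        catalog[name] = {"columns": labels, "tier": tier, "access": asset["access"],
                         "records_with_personal_data": pii_rows, "unresolved": unresolved}
    return catalog, dict(index)


def assets_for_subject(index, email):
    """Answer 'where is this person's data?' from the inverted index."""
    return sorted({asset for asset, _ in index.get(email.strip().lower(), ())})


def processing_allowed(directives, subject, purpose):
    """A 'restrict' directive blocks processing except for the exempt purposes."""
    return directives.get(subject) != "restrict" or purpose in RESTRICTION_EXEMPT


# Constructed sample assets; "access" records who may read the asset.
MASTER = {"C-100": "Ana.Lopez@example.org", "C-200": "bo@example.net"}  # MDM golden records
ASSETS = {
    "crm": {"access": ["sales"], "records": [
        {"customer_id": "C-100", "email": "ana.lopez@example.org", "phone": "+34 600 123 456"},
        {"customer_id": "C-200", "email": "bo@example.net", "phone": "+1 (555) 010-2020"},
        {"customer_id": "C-300", "email": "cy@example.com", "phone": ""},
    ]},
    "billing": {"access": ["finance"], "records": [
        {"customer_id": "C-100", "iban": "DE89370400440532013000", "amount": "42.00"},
        {"customer_id": "C-900", "iban": "GB29NWBK60161331926819", "amount": "10.00"},
    ]},
    "clinic": {"access": ["medical"], "records": [{"customer_id": "C-200", "diagnosis": "E11.9"}]},
    "metrics": {"access": ["everyone"], "records": [{"day": "2018-05-25", "visits": "1200"}]},
}
DIRECTIVES = {"ana.lopez@example.org": "restrict"}  # subject asked to restrict processing

CATALOG, INDEX = build_inventory(ASSETS, MASTER)

if __name__ == "__main__":
    for name, entry in CATALOG.items():
        print(name, entry["tier"], entry["records_with_personal_data"], entry["unresolved"])
    print(assets_for_subject(INDEX, "Ana.Lopez@example.org"))
    print(processing_allowed(DIRECTIVES, "ana.lopez@example.org", "marketing"))
```

Two design points worth noting. The billing asset has no e-mail column, so its rows only reach the index through the master table; the row for the unknown customer `C-900` still counts as personal data (it holds an IBAN) but lands in the `unresolved` bucket, which is exactly the gap a subject access request would miss without master data management. Column-level profiling with a match threshold is deliberately crude: real profilers also sample, use validators (IBAN check digits, for instance) and tune thresholds per column to keep false positives such as dates being read as phone numbers under control.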