A few months ago, we were moving to a new house. That meant, of course, that we needed to empty everything out of the old house. The basement, the loft, the garage, the summer house. Everything. Although that sounded daunting, it also gave us the opportunity to clean up, catalogue what we had and get rid of items we no longer needed, as well as store things more sensibly. For example, as it was summer, we wanted to ensure that the parasol base was with the parasol, and accessible, but put away the warm gloves and winter hats. To get everything done before moving day required a lot of effort, but it made the move so much easier. It’s also much simpler to find the parasol now, without the winter stuff getting in our way.
Moving to GDPR
Just as moving to a new house is a great opportunity to clean up your belongings, so preparing for the GDPR is a perfect opportunity to clean up your data, catalogue what you have and erase anything redundant. It also provides a chance to ensure that you know where any sensitive personal data is stored and secure it appropriately. You might, for example, separate personal data and the other less sensitive data into categories and have different rules and procedures on handling them. It is a bit like choosing the right packing materials for all your belongings for the house move.
Preparing for #GDPR is a perfect opportunity to make a catalogue of what we have and to erase redundant data. Click To TweetYou may now be thinking: “Ok, but how do I separate generic data and personal data?” The first step typically involves an assessment of your data catalogues. For example, you may have a CRM database that contains some tables with columns like: customer_id, name, address, phone, email. These are all examples of personal data, since they make it possible to identify an individual person. Information like customers’ passport numbers or driver’s license number are critical personal data because they unequivocally identify that person. These need a higher risk rating than names, since there are typically dozens of people with the same name, but only one with that passport number.
Draw the line
What about less obvious data, such as addresses? Knowing an address does not immediately identify that person. Combined with other information, however, it could be a different story. A seemingly innocent piece of data can also enable identification when the dataset is small enough. In a town of a few hundred people, even just knowing someone has a permanent medical condition may make it possible to identify them.
Assessing data at this level of detail could take a long time, however. It may be simpler to draw the line rather too high than too low. In other words, put together the obviously critical items and those that could easily allow for identification. Some organizations that hold a lot of customer data have decided that the simplest option is to label ALL their data as personal data. And who is to say that they are wrong?
It is up to organizations themselves to define their data. Another approach we have seen is to split customer data into two separate databases, one classified as critical or sensitive and rest generic. All employees have access to the generic one, but access to the critical/sensitive data requires membership of certain groups (e.g. trained analysts). Surrogate keys can be used as identifiers, until the data is actually required by someone specific, for example, to contact this customer.
A question of risk
At root, this is all about managing risk and the principles are quite simple. The hard part is living with your data protection principles without crippling your business by over-doing the requirements. You probably won’t get the balance quite right on the first iteration, but then every (relocation) journey has to start somewhere.
The hard part is living with your data protection principles without crippling your business #GDPR Click To TweetWe started this article talking about something that happened at the start of summer. Autumn is now here again, and May 2018 is another few months closer. It is probably time you gave some thought to your approach to GDPR, so have a look at how SAS can help you. It’s all there under this link:
https://www.sas.com/en_us/solutions/personal-data-protection.html
This blog post was co-authored by Kristoffer Nilsson, Mikael Sperling and Jarno Lindqvist.