Because there is so little awareness of where data resides, data portability is hard not only for businesses but also for consumers to access.
The EU’s GDPR is a big change from how many businesses and organizations have approached data protection in the past, from how responsive the security teams have to be, to how clearly and quickly they are able to tell where personal data is located. The biggest issue is personal data; this is where the trouble comes in.
With the May 25th deadline fast approaching, it is very likely that companies still hold vast amounts of personally identifiable information (PII). This includes cookie data, device identifiers, and IP addresses, and it can be stored on premises and in the cloud. So if the biggest issue is personal data, how do you define personal data?
Under article 4, personal data means “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
With this in mind, the GDPR has introduced new concepts such as subject access requests (SARs), the right to be forgotten/right to deletion, and data portability. EU citizens now have a right to know what data is collected on them. That’s a concern for businesses when PII can be everywhere from email and social platforms to HR, HCM, and CRM systems.
In order to move forward you’ll need to set priorities.
First, set up a process to manage project risk and implement ‘secure by design’. Second, figure out which personal data you own, and run a discovery process of a core of key controls. Once this is figured out, you will be on your way to becoming compliant and will not find yourself facing large fines.
Read more information on this matter and some more tips here.
Data portability is one of the top two most difficult obligations of the GDPR, yet we have made it easy. Find out more about how we can help here.