
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, and In-House Counsel.

Many corporations around the globe are preparing for May 2018, when Europe's General Data Protection Regulation (GDPR) enforcement kicks in. The regulation encompasses a wide range of nuanced privacy requirements that can be challenging to operationalize. In particular, requirements around the rights of European data subjects—which include the right to be forgotten and rights to access, rectification and objection to processing—will be some of the most difficult to address.

The GDPR states that individuals should have the right to access their personal data so that they are aware of, and can verify, the lawfulness of its processing. Requests must be responded to promptly, within one month, leaving companies very little time to perform a task that they may not be equipped to handle. The right to be forgotten provision presents similar challenges, giving EU citizens the option to require erasure of their personal information. No barrier exists for citizens to exercise these rights, and some countries are planning campaigns to educate the public on them in the coming year. The most operationally complex new data subject rights are:

  • Right of Access: EU residents may at any time obtain access to their personal data (what it is, where it is stored and how it is processed) from any entity that houses this information.
  • Right to be Forgotten/Right of Erasure: Individuals covered by the GDPR may at any time require an organization that stores their personal data to dispose of and erase that data from any and all information sources.
  • Right of Data Portability: Data subjects may require an organization to transmit their personal data directly from one controller to another, requiring a company to securely migrate everything containing information on a subject to another provider when processing was based on consent or a contract.
  • Right to Restrict Processing: Individuals have a right to “block” or suppress processing of personal data. When processing is restricted, an organization may store the user's personal data, but not further process it and may retain just enough information to ensure that the restriction is respected in the future. Individuals also have a right to not be subject to automated processing or profiling.

Examining what the invocation of a data subject's rights would look like in reality can underscore the importance of this issue. Take the hypothetical example of a medium-sized life insurance company that insures one million customers and must fulfill an average of one data subject access request per insured once every 2,000 years. This conservative estimate equals .05 percent of one million—or 50,000 requests—per year. Boiling that 50,000 down to the day equals 200 requests per day, or 25 requests per hour for a standard eight-hour work day. Consider the dedicated staff and resources that may be needed to handle such a burden. Organizations in banking, insurance, retail and other industries that involve large volumes of private customer data should realistically prepare for volumes higher than conservative estimates.

Some organizations are responding with manpower—hiring additional staff to churn through incoming requests. Yet, extra resources may not fully mitigate the inherent risks that come with thoroughly and comprehensively fulfilling requests, controlling data leakage or enabling the right to be forgotten. In an already challenging data landscape, where most organizations deal with high volumes of data in many locations, disparate tools, lack of holistic information governance (IG) and a lack of standardized guidelines for GDPR readiness, it's easy to feel overwhelmed and underprepared.

There are steps organizations can take to improve their ability to manage rights of data subjects. In some ways, these types of requests resemble responding to discovery requests: they focus on specific data for specific people, involve collection and review of sensitive data, and can benefit from the use of technology to identify and organize relevant information. The difference is that while some corporations rely heavily on outside counsel to field their e-discovery needs, doing so will not be scalable or cost-effective for fielding subject access requests.

Below are five smart steps IT, legal and compliance teams can take now to prepare.

1. Map the Data

Understanding what European personal data exists within the organization, its collection purpose, and where it resides is central to any initiative that requires gathering information across systems. Many data incidents result when a company's house is not in order. Meeting the requirements of GDPR's data subject rights will be impossible without a clear understanding of the landscape. Often, companies begin their efforts by mapping externally-facing locations and processes where customer information is collected (e.g., websites where customers register and input names, addresses, emails, payment information, birthdates, etc.). Some efforts may require remediation of orphan or ungoverned data, prioritized by risk. Unstructured data in particular is often a challenge for large global organizations. File analysis and content classification tools can help index content in place. With this outlined, it is possible to identify the various sources of information that may be subject to a GDPR request.

2. Get Organized

Reducing the number of interfaces and sources where data is generated and stored can make an important impact in organizing the data universe and keeping it manageable for timely responses to data requests. Unified storage that provides a single point of access to the entire data universe is one option, but companies that do not have the ability to take this approach can still simplify their data landscape by consolidating their tools and decommissioning legacy applications.

3. Eliminate the Noise

It is reasonable to expect that a number of requests will not be actionable, and a decision process should be in place for cutting down the clutter. Determining which requests require a response and which do not should be based on processes and metrics built around the data map, so that it is possible to easily identify whether the request is coming from an existing client, employee, potential litigant, former client, or someone who is not associated with the company at all. In some cases, technology can help with managing the process, identification and documentation for responding to customers.

4. Establish Process

Work with legal counsel to define and establish processes around how inquiries will be responded to, including how to authenticate the identities of individuals making requests. These efforts can be leveraged as part of a broader business initiative to better govern the corporation's data; the benefits can extend far beyond GDPR, by strengthening the corporation's cybersecurity, legal and compliance stance and improving customer service. Established processes, and the technology that supports them, will drive workflows around what needs to be done after data is identified and how to determine what can be turned over versus what needs to be retained or disposed of. Overall, this is a complex and evolving issue, and one that should be treated strategically and proactively with help from experts who understand the many facets of GDPR.

5. Train and Maintain

External-facing staff must be trained to deal with incoming requests, respond to them appropriately, scale when volumes surge, and stick to the existing workflows. Systems must be regularly tested and audited for privacy, including how data is searched, deleted or mitigated, and the results of audits must be saved as evidence in the event of an investigation for non-compliance. Functions for ongoing enforcement and compliance tracking should be built in, and staff must be an ongoing part of keeping processes on track. These efforts are not uncommon for organizations in banking, insurance, pharmaceuticals and other industries that are already highly regulated, but they will also require a significant mindset shift for those that are not accustomed to these requirements but are likely to be hit by GDPR requests (e.g., retail).

While some of these rights have already been in place in Europe for some time, GDPR is enhancing the requirements and making it much easier for citizens to exercise data rights. This legislation is one of the strongest data privacy regulations we've seen to date, and companies will need to take a variety of actions to comply. Setting up a program to address data subject rights is one important, proactive step to help streamline overall GDPR compliance.

Sonia Cheng is a senior director at FTI Consulting, where she leads Information Governance initiatives for FTI's Technology practice group, helping corporations deal with the challenges associated with exploding data volumes and complying with complex global regulations. Eckhard Herych is a Germany-based consultant with Halfmann Goetsch Partners. His focus is the health care sector and pharmaceutical industry, with an emphasis on project management, risk compliance, validation, records information management (RIM), and data privacy. Richard “MAC” MacDonald is the SE director for EMEA at ZL Technologies, and has been in the Information Governance field for more than 10 years, working with the largest banks and investment houses in the world.