When is good, good enough? How to get a grip on data in a decentralised organisation.
Many of you might still remember the days where the only way of accessing the data of your organisation was through devices supplied by the organisation itself or through fixed workstations in the office. However, today more and more of this data actually resides in a ‘digital cloud’ and is accessed via an employee’s own device. Because it’s easy; shifting from on-premises platforms to cloud-based file-sharing. And in addition to just being easy, this approach offers a lot of benefits. By keeping data in a cloud, and off devices, an organisation limits the potential of a data breach in the scenario a device is lost or stolen. And when good access management is in place, access to data can easily be blocked. Additionally, it gives employees freedom. Freedom to use their devices in the way that they please. The enormous benefits of this kind of freedom would hardly be necessary to explain.
But it is exactly this on- and offline freedom that also poses some of the biggest problems and threats. Because with freedom comes a need for responsibility and understanding. Not only with regards to the actual protection of personal data within organisations, but also for the information (metadata) that is registered in privacy management software. And it is here that a significant problem presents itself, because where does the knowledge and understanding of data processing activities come from? In most cases, practical knowledge comes from the operational side of the organisation.
Where does it come from?
To access this knowledge, many privacy professionals still rely on face-to-face interviews and surveys with employees to discover what personal data an organisation collects and processes. It’s an intensive way to discover the ins and outs of an organisation’s data processing activities. Nonetheless, some privacy professionals prefer the method because it allows them to affirm information to be correct or not. Important information such as the purpose of collection. ‘It’s better than nothing,’ they say. But better than nothing is not the intended aim of the GDPR. People were, are, and always will be the measure of the metadata’s quality. Even with AI and automated decision-making. Not everybody understands the level of detail that a registry of processing activities ought to have. And even if they do; people make mistakes.
And so, taking into account that the quality of a registry of processing activities is as good as the quality of the data that is entered into it, one of the key questions and challenges becomes; how do I make a complete inventory of all the things an organisation is doing? The General Data Protection Regulation simply says;
‘each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility’ (GDPR, art. 30.1)
In other words; you need one, and there are seven requirements in keeping it. But it doesn't tell us how to keep it. Or, to put it even more simply: when is good, good enough?
So, when is good, good enough?
When you shift from trust to verification. So how you verify the data in your registry?
For example: Privacy management software has many similarities to accounting software. The obvious difference being – of course – that while accounting software focuses on the integrity of financial proceedings and the like, privacy management software focuses on integrity of data processing and the data subjects it affects. But there are striking similarities. For accounting software, the measurement of compliance depends on accurate accounting on an organisation and the assets it holds. In the same way, privacy management software requires accurate accounting of personal data in order to be both effective and measurable.
And much like in bookkeeping, you will need a ‘balance sheet’ as well as ‘profit and loss statement’. On the one hand you want to have knowledge about the systems where the data is stored, such as applications, databases or physical storage systems and the data that is stored in those systems. And on the other hand, you want to have knowledge about the processing activities that use this personal data. By recording both and comparing them, you can establish where data is stored, but not used.
Without properly accounting for personal data within your organisation, there is no auditability. And without auditability, it becomes increasingly problematic to demonstrate any form of compliance. Accountability needs to be data-driven for the GDPR to be useful. Based on records, not just a collection of recollections. Because it is quite hard to protect what you can’t find. Privacy management needs to be designed in such a way that it all adds up. To show you that if it doesn’t, you know something went wrong. To properly account for every digital process that requires collecting and processing of personal data, to provide proof that is based on actual data.
But solving this problem does not mean the be all end all of privacy management software. Because, even if auditing has been automated, and the data is based on actual data, there is still a large hurdle to take: How does privacy management software provide a meaningful and relevant experience to all its users? In the next article about the future evolution of privacy management software, we’ll tell you all about it!