GDPR has been a topic of conversation in the security risk and management world since the regulatory action was proposed in 2012. Recent events have led to a greater interest in GDPR as a means to protect personal identity data, especially as the regulation will be put into effect on May 25.
With the regulation date quickly approaching, GDPR is having its moment in the public discourse. However, those who work to protect Identity data have been fretting about the critical components of the regulations for some time. Specifically, the “Article 30 Record-Keeping Requirement,” aims to provide evidentiary proof for how a company processes their personal data. The challenge for organizations in documenting their data processing activities is how do you do that in a data-driven way.
Article 30 record keeping using actual data records
Article 30 of GDPR states, “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” That means that processors and controllers of any personal data must undertake labor-intensive record-keeping of all identity data processing activity.
The goal of Article 30 is noble. Making organizations track and share unambiguous records of how citizens’ personal data is processed. Starting in May, personal data processors and controllers will be obligated to maintain up-to-date and accurate records of identity data processing activity. Regulators will be able to request proof of compliance on demand from these organizations. If found not to comply, companies will be levied hefty fines up to 4% of their global annual revenue.
But there is some ambiguity about where the knowledge of the data being processed originates. If requested, organizations will be asked to share all the processing activities under its responsibility in electronic form. This is what is causing heart palpitations for CTOs and CSOs across Europe and those American organizations operating in the EU. Article 30 requires true records of data processing in order to be both effective and measurable. This is also necessary to make sure the entire regulatory undertaking is fair and credible.
The means of collecting and maintaining records of data processing have not advanced much over the past few decades as digital data collection has become prolific. Many organizations rely on individual surveys that are often incomplete, inaccurate or both. The question, therefore, is whether ID processing activity compliance is best achieved manually, based on surveys, or through automated discovery, classification, and data-source profiling processes. It’s the age-old question: can you build accurate records of your data processing if you don’t have awareness of your data records?
Records v. recollections
The knowledge collected and shared needs to be the accurate accounting of actual data collection and processing, which is what makes the current solution of surveys or questionnaires so troublesome. People struggle to recall what they had for breakfast a day or two ago, where they placed their car keys the night before, or the names of people they were in a meeting with fifteen minutes prior. And yet, organizations expect to get accurate accounts on the various bits of identity data shared through paper surveys and questionnaires – a time-consuming, costly, and easily invalidated process. Recollections are not records. How can one verify compliance in this manner?
Financial regulations in the European Union are a perfect analogy for GDPR. After the 2007 banking crisis, the Basel Committee on Banking Supervision put together a regulatory framework, called Basel III, focused on the integrity of financial transactions and affected institutions. With GDPR, identity data records are analogous to the financial transaction tracking of Basel III. The focus with GDPR is on the integrity of ID processing and the affected data subjects.
Like any financial regulation whose measurement of compliance depends on accurate accounting, GDPR requires the accurate accounting of data to be both effective and measurable. For Basel III, the reporting standard is known as the “Pillar 3 disclosure requirements.” This financial compliance framework introduces a dashboard for banks to share key prudential metrics for all Basel III reforms. The difference between the Pillar 3 requirements and all the reforms to the Basel framework is that financial data is a constantly-tracked ledger, and measuring compliance is accurate and easy. It is fitting that in the Information Age, data is the new currency of commerce and communication. And yet, accurately tracking identity data collection processing is not done similarly to the banks’ process.
For a data protection regulation like GDPR to work, verification of compliance with the regulations needs to be data-driven. After all, you can’t protect what you can’t find. Organizations should be able to not only accurately find all personal data belonging to an individual, but also have data mapping that can record data flows based on actual identity data processing.
Automate GDPR Article 30 record keeping for compliance and transparency
Organizations can build and maintain data processing records which reflect real data records using the latest in machine learning, and not just paper questionnaires. This will eliminate some of the biggest issues with human data accounting including real-time accuracy of data knowledge, ability to monitor changes in the data, and the elimination of costs and business disruptions caused by using surveys and data as opposed to actual discovered data.
Article 30 will require organizations to capture data lineage and flows to meet modern data processing record keeping – rather than hope that a theoretical view of data processing activities derived from surveys is accurate and up to date.
Using machine learning to automate the building and maintenance of data flow maps from actual live data will allow companies to effectively visualize, annotate, and describe the steps of data processing and data subjects. An accurate data flow map should serve as a current and detailed representation of how data is captured, processed, stored and disposed of in the course of a business process. Accuracy is exactly what GDPR Article 30 seeks for organizations to provide for every digital process requiring collection and processing of personal identity data.
This is best done through real and verifiable data inventories, visualized data maps and flows, tracking of purpose-of-use and consents, and continuous, real-time compliance tracking.
Without this comprehensive, current, and identity-centric accounting of the data organizations process, — and how that data is processed in the context of both business processes and GDPR policies — maintaining transparent, real identity data privacy and protection accountability is an elusive goal.
GDPR asks companies to safeguard the information of their data subjects. Article 30 asks organizations to provide proof that data collection and processing of personal data is properly recorded. To make the system truly accountable to both regulators and individuals the accounting of ID processing needs to be based on real, true data, and not just recalled, data records.