GDPR: Understanding and actioning your data
We’ve been writing a series of blogs to help you understand some of the steps you need to take in order to comply with GDPR, from unearthing all of your data to securing it sufficiently. Read our security-focused blogs, or take a look at our blog on the first part of your journey, ‘discovering your data’.
Once you’ve found all of your data, hidden in the nooks and crannies of your IT environment, you need to understand it. But what does that mean?
There are a number of questions you need to ask of your data. What kind of data do you hold; is it personal? Can it be used to identify someone? If so, you’ve got Personally Identifiable Information (PII), and that’s the data that’s really important to GDPR. If you’ve taken part in the discovery phase of your GDPR journey, you should know the answer to that, as well as knowing the volume of PII you hold.
TSG, TermSet and Qlik Sense have teamed up to create a powerful PII Discovery tool that will locate any PII that you hold across your IT infrastructure. You can find out more about that and register for a free trial on our dedicated GDPR section of the website. This tool will help you answer the first question about your data.
Next, you need to understand why you are holding this data. Under GDPR, you need to be able to prove that you have a “lawful basis” (i.e. a good reason) to hold, process and use all of the PII you hold. Most businesses will require employee and customer data; for example, to process payroll, to contact customers or to receive customer payments. When GDPR comes into effect, you must be able to prove this is a legitimate reason to hold PII. Additional considerations apply if you’ve obtained this data via a third party.
Intrinsically tied to this requirement for a lawful basis is the need for explicit, recorded consent; it will be unlawful to process any PII without the permission of the data subject. It’s likely that many businesses will have to undertake an opt-in exercise whereby they obtain consent from customers and employees to continue processing their data. Most businesses will have opted-in databases already, but it can be hard to prove consent if it was given a long time ago, or informally. Opted-in consent is an additional factor businesses must be able to demonstrate to the Information Commissioner’s Office (ICO).
It’s also important to understand who has access to your data and why. By auditing and discovering your data with an exercise involving TSG’s PII Discovery tool, you’ll easily be able to find out who has access to what. You might then need to undertake an exercise to restrict access to data. For example, it’s likely that your finance, marketing and sales departments will have, and require, access to customer data. Your HR team will likewise need access to staff data for both current and former employees; but it’s unlikely HR will need access to customer data, and vice versa.
To find out more about understanding your data, what actions you need to take on it and how you can set yourself up to comply with GDPR long-term, you can attend our GDPR & Technology event in Newcastle and Manchester and talk to experts from TSG and Evolve North. Alternatively, if you can’t make our events, we’re holding webinars on ‘discovering’ and managing your data.