The challenges of building data inventories to scale

Organizations processing personal data are being required to take steps to comply with the widespread promulgation of breach notification laws and the enactment of sweeping privacy and data protection regulations such as the EU’s General Data Protection Regulation (GDPR). Among the requirements these organizations need to comply with are enabling rights of access, portability, and deletion; managing and tracking consents; implementing robust incident response and notification measures; and mapping and legitimizing cross-border personal data transfers. Taken together, these and other data privacy requirements are clearly indicative of a growing organizational imperative to know what types of personal data the organization has, to whom the data belongs, with whom the data is shared and to whom it is disclosed, when and for what purposes the data is processed, and where the data is transferred and stored (and these are just the highlights!).

As the GDPR effective date nears, many organizations are scrambling to inventory and to map their personal data assets in order to answer these and other questions about their personal data stocks. However, for organizations that create and process extraordinarily high volumes of personal data across multiple systems and locations, the process of discovering and inventorying all of the relevant aspects of the organization’s personal data stocks can seem insurmountable. These organizations are facing a seemingly intractable and unfortunately all too familiar problem: the problem of building personal data inventories to scale.

Until recently, the privacy tech market had been bereft of the type of data inventory and mapping solutions that organizations can adopt to effectively address the problem of scale. In the absence of these solutions, organizations have been forced to rely on manual and semi-automated approaches that simply cannot meet the scaling demands of large, complex and multinational organizations that create, collect, process and/or store large volumes and types of personal data. The problem of scale for these organizations falls into two related sets of problems – complex and often messy IT environments, and the vast amounts and types of personal data records that are processed and stored in those environments. Let’s briefly take a moment to unpack some of these problems.

Thinking about adopting a paper compliance strategy? Think again

As the deadline to comply with the requirements of the EU’s new General Data Protection Regulation (GDPR) fast approaches, a growing number of companies have in-house and/or external privacy counsel who are pushing a strategy of “paper compliance” to meet the voluminous requirements of the new regulation. Some advocates of this approach see paper compliance as a necessary stop-gap measure on the road to full compliance, i.e., paper and operational compliance. Others view paper compliance as the preferred currency of regulators and therefore as an adequate measure to protect the company from enforcement actions, regardless of whether or not the company is operationally compliant with GDPR or other privacy and data protection regulations. Setting aside these and other motivations that inform a decision to pursue a strategy of paper compliance, it is important to note that there are significant compliance and accountability challenges companies should be aware of, and consider, prior to moving forward with this approach. In the remainder of this post we will briefly address each of these challenges to paper compliance.

Paper compliance is not operational compliance
Perhaps the most obvious challenge facing paper compliance is that while it can effectively codify principle-based data privacy laws into written policies, procedures, contract provisions, and workforce training materials (this is precisely what is meant by paper compliance), it clearly remains silent when it comes to the issue of operational compliance, which we can define as a company’s people, internal processing, and information systems and tools that operationalize the principles in the company’s various written policies, procedures and contracts.

Consider the following example: Company A has in place an external-facing privacy notice that informs data subjects of their rights, including the right to access, update, delete and restrict certain processing activities. Additionally, the company has documented internal policies and procedures that inform the workforce about what the company’s obligations are to data subjects and how to respond to and fulfill requests from data subjects. On paper, Company A certainly appears to be meeting its compliance obligations. However, let’s also assume that Company A doesn’t possess the appropriate technologies or tools to meet its obligations to restrict certain processing activities or delete a data subject’s personal information, or, for that matter, even identify the systems in which a data subject’s personal information resides. In this case, paper compliance is akin to a house of cards. From afar, everything looks in order. But any incident or complaint that brings regulatory scrutiny could bring the house of cards tumbling down, and along with it incur heavy fines and significant reputational harm.

Paper compliance is not a panacea for accountability
A related challenge to paper compliance revolves around the issue of accountability and its increasing importance in privacy regulations, including GDPR. Although accountability is one of those buzzwords that means different things in different contexts, for the purposes of this discussion we will define accountability as the organization’s compliance with its privacy obligations and the ability to verify that compliance. For advocates of paper compliance, the written policies, procedures, contract provisions and training materials can demonstrate and verify the company’s compliance with its privacy requirements. This is generally true of paper compliance proponents – regardless of whether they view it as a stop-gap measure on the road to full compliance or whether they view it as sufficient to protect the company from a variety of risks, including onerous enforcement actions. However, this view of paper compliance as tantamount to meeting a company’s accountability obligations misses one very important aspect of accountability: namely, while it is true that paper compliance can demonstrate to regulators (and customers) that the company has codified privacy principles and practices, this is not the same as adducing evidence that the company’s technical controls are operating in compliance with the company’s privacy policies and procedures.
Real accountability must go beyond paper compliance/accountability to include a technical component that makes it possible for regulators to verify – via demonstrable evidence – that the company’s information systems and associated technical controls are processing personal information in accordance with the company’s documented privacy commitments. Many commentators have referred to our current era as the age of accountability. There is clearly a greater emphasis on accountability now than in recent times, and for companies that are unable to verify that they are in full compliance with their privacy commitments, there is significant risk of severe enforcement actions and reputational harm should they come under regulatory scrutiny.

Paper compliance? Proceed with caution!
Taken together, these compliance and accountability challenges call into question the efficacy of the paper compliance approach to protect companies from significant and potentially crippling risk. Paper compliance without operational compliance and real accountability is not just inherently partial compliance, it is, in a very real and consequential way, non-compliance.