The GDPR forces us to look at our data and categorise it as personal, personally identifiable and everything else (keeping in mind that what was once impersonal can become personally identifiable in association with other data), but often we don't question why we collect and store this information in the first place. Existing Data Protection legislation already requires that only data that is necessary be collected, and then kept only for as long as it is necessary. Rarely do we consider whether a piece of data or metadata is useful in itself once we have added it to our model and data stores. Often we start collecting it for some future use which is neither clear, decided nor planned; and once we have it we keep it, because it's data and must therefore be valuable.
For service companies that provide data processing services, whether SaaS or not, the focus on control over the management and processing of personal data in all its forms gives pause for thought. It's true that any company that handles European data specifically will have tidied up its data protection statements, identified where its data is and how access to it is controlled, and might even be able to answer subject access requests in detail and in a timely manner. Data sharing between two Data Controllers, though, is problematic, so perhaps it's worth looking at it another way.
There's somehow a feeling that GDPR imposes obligations around Personal and Personally Identifying Data that do not already apply today. But that isn't really true. For instance, EU citizens have had the right to be forgotten since 2014, following the ECJ decision on a Spanish case that originated in 2010. What is changing is the standard for complaints, audits and penalties, and of course it's the penalty which is the real motivator to improve systems. Removing an individual's data from a live system can be painful but is perhaps not hard; removing it from archived data looks like it will be both expensive and hard. Setting aside other regulatory reasons for retaining data, does it mean we have to read and rewrite every archive each time someone asks for their data to be removed? Are we forced to keep archived data live so that it can be kept up to date?
In the preparation for GDPR and the UK refresh of the Data Protection Act, it seems that some organisations, especially government departments and public bodies, are asking suppliers some very awkward questions:
- Assurances, pledges, loyalty oaths that an organisation is 'GDPR ready'.
- Copies of the organisation's policies and procedures relating to GDPR