Leveraging data discovery, classification and reporting capabilities for principles alignment and compliance
The General Data Protection Regulation (GDPR) is one of the most well-known (and feared) data privacy and security laws on the planet. The regulation was introduced in 2016 and provided companies with a two year runway before coming into effect in 2018. If you ’re unfamiliar with the details, GDPR is designed to protect the data privacy of EU citizens through regulations aimed at companies who collect and/or process EU citizen data – regardless of what country they operate in. The United States, on the other hand, follows a data privacy approach that is guided by various state laws and sector-specific privacy laws
GDPR reigns supreme for its scope, scale and non-compliance fees. A violation, or non-compliance can cost companies 10M Euros or 2% of their annual revenue – whichever is higher. For most companies, getting slapped with a GDPR fine could be business-ending. Consider fines charged to some of the world’s largest corporations, as tracked by SLA Piper: between January 2020 and January 2021, GDPR fines rose 40% and totalled $191.5M USD. The highest went to Google ($56.6M USD), H&M ($41M USD), TIM ($31.5M USD), British Airways ($26M USD) and Marriott ($23.8M USD). According to the report 121,165 data breach notifications were logged in that same time period.
Data privacy is priority
Sensitive data is everywhere and too often controls and measures designed to guard data are overlooked. GDPR was born of the idea that individuals need access to and control over how their sensitive data is gathered and shared, while companies need greater accountability for their role in the collection and processing of personal information.
Other governments and industry regulators are turning to GDPR as a model for guidelines and compliance requirements that represent their industries, citizens and businesses. While most can identity GDPR at a high level, many have a harder time describing specific requirements. A GDPR small business survey in 2019 found that even after a two year preparation window and one year of active enforcement, many businesses were investing time and attention into compliance, but an equal number had avoided GDPR all together.
Understanding GDPR requirements starts with understanding its seven data protection principles. We’re biased toward data discovery and classification and its support of overall data privacy and protection – so, we’re highlighting the principles that relate specifically to data discovery, classification and reporting here:
- Lawfulness, fairness and transparency – processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation – you must process data for the legitimate purposes specified explicitly to the data subject when you collect it.
- Data minimization – you should collect and process only as much data as absolution necessary for the purposes specified.
- Accuracy – you must keep personal data accurate and up to date.
- Storage limitation – you may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality – processing must be done in such a way as to ensure appropriate security, integrity and confidentiality (e.g., by using encryption).
- Accountability – the data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
It’s not surprising that all but one of the guiding principles lean on data discovery, classification and reporting. That observation aligns to specific requirements within GDPR, too. We’ve scoured its 88 pages and 99 articles to identity key requirements that point to data discovery and classification – here’s the list:
GDPR Requirement: Personal Data Inventory
Create and maintain a list of personal data that is collected, used, transferred, stored, processed, and created. Includes the data element, as well as the systems and applications that interact with the data.
Where's it covered: Art 4, Art 5.2, Art 9
GDPR Requirement: Data Classification
Data must be classified according to the category and sensitivity as defined by appropriate statutory, regulatory and contractual contexts.
Where's it covered: Art 4, Art 9
The requirements below are made simpler to achieve when personal data is inventoried and classified
GDP Requirement: Data Flow Mapping
Maintain a record of processing activities that documents the flow of personal data. Make sure the record includes:
- Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data
- Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data
- The purposes for data storage, transmission and processing
- A description of the categories of data subjects and personal data
- The time limits for erasure of the different categories of data (where possible)
- A description of the cybersecurity and privacy measures of the data controller (where possible)
Where's it covered: Art 30.1, Art 30.2, Art 30.3, Art 30.4, Art 30.5
GDPR Requirement: Limited Collection and Use
Limit the collection, use, distribution, retention, disclosure and creation of personal data to what is minimally required, reasonably necessary and has legal basis.
Where's it covered: Art 5.1
GDPR Requirement: Data Minimization
Take steps to minimize the collection, use, distribution, retention, disclosure and creation of personal data to what is directly relevant and necessary to accomplish a legally authorized purpose.
Where's it covered: Art 5.1, Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11
GDPR Requirement: Data Lifecycle Management
Create the processes and policies around the entirety of the data lifecycle from creation and collection, to storage and destruction.
Where's it covered: Art 5.1, Art 18.1, Art 18.2, Art 21.1, Art 21.2, Art 21.3, Art 32.1, Art 32.2
GDPR Requirement: Retention of Personal Data
Ensure that all records containing personal data are maintained in accordance with the organization's records retention schedule and comply with applicable statutory, regulatory and contractual obligations.
Where's it covered: Art 5.1
GDPR Requirement: Quality Management
Maintain quality assurances throughout the information lifecycle with such accuracy, relevance, timeliness and completeness as is reasonably necessary to ensure fairness to the individual.
Where's it covered: Art 5.1, Art 21.5, Art 22
GDPR Requirement: Data Subject Rights
Provide individuals with appropriate access to their personal data.
Where's it covered: Art 12.1, Art 12.2, Art 13.2, Art 14.2, Art 15.1, Art 15.2, Art 15.3, Art 15.4, Art 16, Art 26.3
GDPR Requirement: Inquiry Management
Maintain a capability to receive and respond to privacy-related requests, complaints, concerns or questions from individuals.
Where's it covered: Art 18.1, Art 18.2, Art 18.3, Art 19, Art 21.1, Art 21.6. Art 22, Art 26.3
GDPR Requirement: Updating Personal Data
Provide individuals with appropriate opportunity to correct or amend their personal data.
Where's it covered: Art 5.1
GDPR Requirement: Right to Erasure
Provide individuals with appropriate opportunity to request the deletion of personal data where it is used, disseminated, maintained, retained and/or disclosed, including where the personal data is stored or processed by third-parties.
Where's it covered: Art 17.1, Art 17.2, Art 17.3
Data privacy and data protection has never been more important and the same goes for the regulations and frameworks that hold businesses to a higher standard. Ensuring your business has data discovery, classification and reporting capabilities not only helps your business scale with evolving requirements, but it’ll put you in a better position for compliance, too.