Now that GDPR is here and CCPA is in the pipeline — how ready are you to deal with Data Subject Access Requests? For instance, let's say one of your employees in the EU asks you to delete their personal data. Or maybe a Californian resident in the US asks what personal information you're collecting about them and who you're sharing it with.
Are you prepared to handle this kind of Data Subject Access Request? Do you know where all your data lives and what all the legal requirements are for processing, protecting and storing customer or employee data under GDPR and CCPA?
It's not easy to track, maintain and monitor all of these details — especially when the amount of data you collect is already massive and continuing to grow, often in the hundreds to thousands of terabytes. Secondly, that data is often contained in multiple storage platforms, or offline in filing cabinets in different countries (if you're a multinational organization, that is) and in various file types. It's also very difficult to understand the context and reasoning for each file if they are scattered across multiple repositories for different uses.
The truth is, most companies are going to have trouble pulling that kind of information together. In fact, one might say that cross-silo data management is one of the biggest challenges facing Data Privacy Officers, Chief Information Security Officers, Data Governance leaders and HR officers today.
6 Common Challenges for Locating, Storing and Sharing Data under GDPR
Do you know what documents to protect?
How do you adequately protect these documents?
Can you prove you have processed the data in a responsible way and have legitimate purpose or consent to hold the document?
If something goes wrong, how do you know what data has been lost or stolen?
How do you track retention periods? Personal data cannot be kept longer than necessary or must be removed after a legitimate demand to be forgotten.
Have you shared the documents with another party? How will you know who you have shared the document with and for what legitimate reason? And how do you inform the third party of a request to be forgotten?
Solutions for Managing Unstructured Data Across Multiple Jurisdictions
To comply with GDPR and other privacy laws such as CCPA, it's imperative your organization or Privacy team can answer all the above questions in a timely manner, especially when it comes to processing and storing sensitive employee data.
Having an up-to-date data inventory, coupled with a strong data governance strategy, is a good first step to respond to Data Subject Access Requests. But where most organizations get into trouble is operationalizing their data map and data governance policies. Of course, you could stick to spreadsheets and legacy systems, and manually search for and find all the data across on-premise and off-premise locations. But this takes valuable time (and patience!) and multiple stakeholder coordination, and will likely provide inaccurate, error-prone or incomplete information. Then, there's the question of ongoing maintenance. For these reasons and more, it's a good idea to seek a software solution that allows you to automatically and systematically manage all of your data processing activities across multiple jurisdictions, storage containers (structured and unstructured) and data silos.
This is where Feroot's Privacy Operations Platform can help. Our highly flexible and granular privacy platform allows you to easily maintain an up-to-date data inventory (or data registry) and manage associated permissions, contracts and processing consent across all data silos, platforms and jurisdictions. It's a dream come true for many Data Privacy Officers and a simple tool that will help you maintain privacy compliance and quickly respond to Data Subject Access Requests. If you want to see our solution in action, feel free to reach out to our privacy experts to set up a quick demo. It’s the best way to see how you can begin operationalizing privacy today!
About Feroot Privacy
Feroot is a Privacy Operations Platform that transforms your static data map into a dynamic data registry, so you can automatically manage data across all departments, track consent across third-party vendors and quickly respond to Subject Access Requests.