Tip #6/10 – the ‘unknown/unknowns’ – the new EU Data Protection Regulation (GDPR)

Is this question haunting your thoughts?

“Where is personal data being collected and processed in my organization that I am unaware of?”

Do you really care? Well, that depends on whether you are responsible for the collection and processing of personal data in your organization.

The ‘known/knowns’, as I call them, are personal data which is known and documented. This means that I have a collection point, I have matched it to a Purpose and defined the Accountability boundaries. I have aligned the Use with the Purpose and documented the PDLC (personal data lifecycle). I have assessed ‘problematic data actions’ that could present a ‘risk of harm’ to the data subject, and finally I have done a compliance check against the ISO/IEC 29100 privacy framework, into which I have mapped the GDPR. The icing on the cake is the Privacy by Design assessment. If all of this is complete, then I label it GREEN in the heat-map that sits at the Privacy Program level.

Then there are the ‘known/unknowns’. This is personal data which is known but undocumented, and I label these YELLOW. If a category of personal data contains sensitive data, it gets a RED label instead. The colours drive the prioritization of actions. If personal data cannot be matched to a Purpose, then its data collection point should be removed, and any historic data assessed for the safest method of destruction.

Now we get to the ‘unknown/unknowns’: personal data that is being collected and processed by employees who may not be aware of it themselves! Some examples that I have come across are: CVs of job applicants in Word and PDF format received by email and saved to the PC of the recruiting manager; lists of sales contacts in an Excel spreadsheet kept on the PC of the sales executive; analysis of test results from a clinical trial duplicated in an Excel spreadsheet on an employee’s PC; an email from a work account, received on a personal mobile device, accidentally forwarded via a personal Gmail account to another employee. Clearly the list does not stop here…

Okay, there are technical solutions out there that address part of the problem, using some type of ‘data discovery’ and ‘data loss prevention’ (DLP) mechanism, some of which use a form of clever ‘finger-printing’ to recognize common patterns in data. One that I have come across is an adaptation of the technique originally used to detect plagiarism in universities, to ensure that the work of a student or researcher is original. However, it is not easy with personal data. Only a narrow part of it looks like the classic ‘Personally Identifiable Information’ (PII) that such tools are tuned for; under the EU Directive, and the Regulation that replaces it, personal data is anything that on its own, or in combination with other data, can be linked to an individual. The effectiveness of such a technology therefore depends on how it is configured to find personal data. First, it needs to be super smart, and secondly, the configuration needs to be live, i.e. reviewed, tweaked and updated continuously by dedicated experts.
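To make the two mechanisms above concrete, here is a toy discovery scanner. It is an added example written for this page, not a tool from the article or any product it mentions. It combines out-of-the-box regex patterns for direct identifiers (email address, international phone number, and a Swedish personnummer pattern, which is my assumption about a Swedish deployment) with plagiarism-style word-shingle fingerprinting of a known sensitive dataset, so that a spreadsheet containing rows copied from a clinical-trial export is flagged even though no single field looks like PII. All file contents and names are constructed. The last document shows the caveat in the paragraph above: a note that identifies a trial participant only by combined quasi-identifiers (age, sex, occupation, village, trial arm, dropout reason) passes both checks untouched, which is why the configuration needs continuous expert tuning rather than a one-off rollout.

```python
"""Toy data-discovery scanner: regex patterns for direct identifiers plus
word-shingle fingerprinting of a registered sensitive dataset.
Added example for this page; all documents below are constructed."""
import hashlib
import re
from dataclasses import dataclass

# Direct-identifier patterns, the kind of rule a DLP product ships by default.
# The personnummer pattern is an assumption about a Swedish deployment.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "se_personnummer": re.compile(r"\b(?:19|20)?\d{6}[-+]?\d{4}\b"),
    "intl_phone": re.compile(r"\+\d{1,3}[ \-]?\d{2,4}(?:[ \-]?\d{2,4}){2,3}\b"),
}

SHINGLE_SIZE = 4  # words per shingle; smaller catches more, with more noise


def shingles(text: str, k: int = SHINGLE_SIZE) -> set:
    """Hashed k-word shingles of normalised text (plagiarism-detection style)."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(max(0, len(words) - k + 1))
    }


def containment(registered_fp: set, text: str) -> float:
    """Fraction of the candidate's shingles that occur in the registered dataset."""
    sh = shingles(text)
    return len(sh & registered_fp) / len(sh) if sh else 0.0


@dataclass
class Finding:
    path: str
    kind: str
    detail: str


def scan(documents: dict, registered_fp: set, fp_threshold: float = 0.3) -> list:
    """Run both detectors over {path: text} and return a list of Finding."""
    findings = []
    for path, text in documents.items():
        for name, rx in PATTERNS.items():
            hits = rx.findall(text)
            if hits:
                findings.append(Finding(path, name, f"{len(hits)} match(es)"))
        score = containment(registered_fp, text)
        if score >= fp_threshold:
            findings.append(Finding(path, "fingerprint",
                                    f"{score:.0%} of content copied from registered dataset"))
    return findings


# Constructed: the sanctioned clinical-trial export that lives in the trial system.
REGISTERED_DATASET = (
    "subject 0417 arm B visit 3 systolic 142 diastolic 91 adverse event none "
    "subject 0418 arm A visit 3 systolic 128 diastolic 84 adverse event headache "
    "subject 0419 arm B visit 3 systolic 151 diastolic 95 adverse event dizziness"
)
REGISTERED_FP = shingles(REGISTERED_DATASET)

# Constructed: files found on employees' PCs, mirroring the article's examples.
DOCUMENTS = {
    "recruiting/cv_anna.txt": (
        "Anna Example, anna.example@mail.example, +46 70 123 45 67, "
        "born 19850417-1234, worked at Example AB 2010-2015"
    ),
    "sales/contacts.csv": "name,email\nLars Example,lars@example.test\nMaria Example,maria@example.test\n",
    "research/my_analysis.txt": (
        "quick check: subject 0417 arm B visit 3 systolic 142 diastolic 91 adverse event none"
    ),
    # Quasi-identifiers only: no pattern hit, no copied rows, still re-identifiable.
    "research/notes.txt": (
        "52-year-old female teacher from the village north of town, arm B, "
        "dropped out after the dizziness episode at visit 3"
    ),
}

if __name__ == "__main__":
    for f in scan(DOCUMENTS, REGISTERED_FP):
        print(f"{f.path:28} {f.kind:16} {f.detail}")
    print("not flagged:", [p for p in DOCUMENTS if p not in {f.path for f in scan(DOCUMENTS, REGISTERED_FP)}])
```

Running it flags the CV on all three patterns, the contact list on email addresses, and the analysis spreadsheet on fingerprint overlap, while `research/notes.txt` is reported as not flagged. Lowering the shingle size or threshold would raise recall at the cost of false positives, which is exactly the tuning trade-off the paragraph says someone has to own continuously.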

It is not enough!

What more can you do to protect your organization’s personal data? Do you have any low-hanging fruit? Well, here are a couple of security-related things…

  1. Isolate corporate email – the only way to send email to and from a corporate email account is either to restrict access to VPN only, which would not make you very popular, or to use a product such as SecureMailbox (Swedish), a cloud service that works in a protected shell and does not permit forwarding of emails if the recipient does not have a SecureMailbox account. It also implements Privacy by Design (PbD) principles: emails can be set as ‘burn after reading’, ‘for your eyes only’, given an ‘expiration date’, etc. It is a great way to classify email content. What I really like about the product is that the security is wired into the DNA of the product without cost to usability, another PbD principle. To roll out the product in your organization you simply use it with your existing corporate email address, nothing more.
  2. Restrict file sharing to a corporate standard – you may think this will make you unpopular, but as long as you have a standard your employees will be happy; they just want an easy life in work that is complicated enough already. Netskope have an army of experts evaluating file sharing and other cloud products, including Dropbox. You can use their service to identify what your employees are using in your organization today, and to give you better control over file sharing.

But I’ve already done the above!

And you still have a problem with the ‘unknown/unknowns’. I know. So here we come to the real point of this article: addressing what I call the ‘inside-out’ aspect of running a privacy program. It is about weaving privacy into the fabric of your organization. It is about giving each and every employee that wonderful moment of realization that they collect and process personal data, when they had no idea before. It is about capturing that realization/awareness in a structured format so it can be analyzed and moved into the ‘known/unknowns’ described above. From there it may become a separate project that necessitates the removal of data collection points or processing activities, and/or be coded YELLOW or RED. This is what I call the ‘bottom-up’ part of a privacy program: personal data is organized into discrete packages and moved up into the privacy program level, which I call the ‘top-down’ part, where it is finally assigned owners and accountability.

If you want to know more about the ‘inside-out’ and weaving privacy into the fabric of your organization, you can contact Privasee and ask about the Privasee DOVE.

If you want to know more about rolling out a privacy program, or components of a program, you can contact Privasee and ask to speak to me directly.