This second blog in a series on the impact of GDPR on IT operations examines the IT requirements specified in or implied by the new regulation.
There are three main areas that IT operations must focus on in order to facilitate an organisation's compliance with GDPR. First, organisations must implement "appropriate technical and organisational measures" that support data protection principles. Importantly, this includes "at the time of the determination of the means for processing". In other words, data protection must be considered at process conception — this is the principle of data protection by design and by default.
Since for most organisations IT operations are the primary means of processing data, this principle underpins the entire design, build and run sequence of IT. IT operations must bake data protection into everything it does, including an assessment of the impact of any changes it makes to data processing (in Data Protection Impact Assessments, see blog #1).
The second area where IT operations are impacted by GDPR is in the consideration of "state of the art". Companies are obligated to "take into account state of the art" in designing and executing their data protection responsibilities, and in implementing security measures. This raises the questions: what is "state of the art"? Who decides? And how often should organisations review their position? GDPR offers no guidance on this, so organisations will have to decide for themselves. Also, note that "state of the art" is not mandated by GDPR – cost, risk and context are other considerations – but you have to know what it is in order to take a decision not to implement it.
Organisations therefore have to maintain a view on the latest in IT operations technology and processes. This will challenge organisations that have ageing and/or undocumented IT operations, especially in combination with the requirements of data protection by design and by default.
The third area of impact from GDPR is not specifically referred to in the regulation but is heavily implied, and that is information life-cycle management. Personal data (the definition of which is very broad under GDPR) is pervasive, so tracking it throughout the organisation is imperative. Personal data is also durable, so keeping tabs on it over time is equally essential. This includes back-up copies of data, which may be stored off-site and offline. Data retention is also a key consideration under GDPR, which means data needs to be deleted once it is no longer required.
Under the rights to rectification and erasure (also known as the right to be forgotten), data subjects can demand data be corrected or removed, which means an organisation must know the locations of all instances of personal data. However, the right to erasure is not absolute and so organisations must know when and to what extent data should be erased. IT operations therefore find themselves at the sharp end of facilitating compliance with some of the most technically challenging aspects of GDPR.
The third and final blog in this series will examine the thorny issue of data residency, data transfers and the use of cloud in the era of GDPR.
External Publication of IDC Information and Data — Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason. Copyright 2016 IDC. Reproduction without written permission is completely forbidden.