Why you should know where your data is: two practical use cases
The General Data Protection Regulation (GDPR) includes a wide range of privacy-related requirements that will impact all areas of a company, including legal, compliance, information security, marketing, engineering, and HR. To comply, companies will need a clear understanding of where their data is.
Use Case 1: A data subject requests a copy of their data.
Article 15 grants data subjects the right of access, giving individuals a right to obtain confirmation as to whether personal data about them is being processed or to request a copy of that data.
Your organization collects data about its customers so that it can provide suggestions to enhance the customer experience. If a customer requests a copy of their data, will you know where to find it? If they ask additional questions about their data, will you be able to answer them?
Use Case 2: A global business transaction.
Article 46 allows for data transfers to non-EU countries by way of mechanisms that provide appropriate safeguards. Appropriate safeguards include: Binding Corporate Rules (BCRs), Model Contract Clauses (MCCs), also known as Standard Contractual Clauses (SCCs), and legally binding documents and enforceable instruments between public authorities or bodies. What about Privacy Shield?
Your organization is about to close a global deal in which personal information will need to be transferred out of the EU to the US, where a subsidiary uses a vendor in Asia to process that data. Are any measures in place to ensure your team will not overlook certain requirements as the data travels across countries?
Data inventory and mapping allows organizations to pinpoint exactly where data is located and stored, and draws the connections between complicated data flows. Having an easily accessible, centralized inventory will allow organizations to quickly identify which assets or systems manage the processing of the individual’s data, making it more efficient to investigate and respond to that individual’s access request (Use Case 1). Additionally, having a holistic picture of where data is and where data goes will allow for mapping which jurisdictional requirements apply throughout the data lifecycle (Use Case 2).
If you need help with your data mapping efforts, TRUSTe offers a solution.