Data Compliance

GDPR: Don’t Forget to Breathe

In Part I of this series, I summarized a talk by Nordea on their journey to GDPR compliance during an executive dinner in Copenhagen.

Jes Breslaw

May 21, 2017

In Part I of this series, I summarized a talk by Nordea on their journey to GDPR compliance during an executive dinner in Copenhagen. Here in Part II, you will read about some of the discussions that followed that specifically touched upon the role of data masking in the GDPR.

During the second half of the event, we asked all the guests to talk about where they felt they were on their GDPR journey. There was a broad range of job titles - including Chief Data Officers, Heads of General Counsel, Heads of Risk, CIOs and Compliance Officers - and it was interesting to hear different priorities depending on the business function. IT was motivated by understanding, "How can data be protected?" Legal seemed to be concerned with, "Making the business understand its responsibilities," whereas Compliance asked, "Where are the problems and issues, as they relate to business process and data?" and Risk, as you would expect, worried, "What if we fail to be compliant?" As the conversation moved to focus specifically on data, we found common ground and one guest asked a fascinating question:

"If as Delphix suggests, and test data can be irreversibly anonymised, does that exclude it from GDPR?"

The answer is yes. If you mask data using Delphix, and can prove that the masking is irreversible (the original values cannot be recovered from the masked dataset), then you no longer need to consider that data for GDPR compliance. By definition, the data does not contain personal information. This excludes it from data subject requests, from breach reporting and from process auditing.

A different guest asked, "What happens if there is a business need to reverse anonymised data back to the original values?" In this case, Delphix uses a tokenization masking algorithm that relies on a lookup table stored independently of the data. The tokenized data can't be reversed without the lookup table, which is itself encrypted and stored in the company's safety zone. Here GDPR does apply, but in the case of a breach you are able to demonstrate compliance with Article 30 of the GDPR:

Article 30(1)(b): "where possible, a general description of the technical and organisational security measures referred to in Article 32(1)."
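To make the distinction between the two approaches concrete, here is an added example (not Delphix code, and not the algorithm Delphix uses) contrasting irreversible masking, where PII fields are replaced with synthetic values and no mapping is retained, with tokenization, where the mapping lives in a vault kept apart from the masked dataset. The record layout, the field names and the sample rows are constructed for the illustration; the vault here is an in-memory object, standing in for the encrypted, separately stored lookup table the text describes.

```python
"""Irreversible masking vs. reversible tokenization (added example, constructed data)."""
import secrets
import string

# Hypothetical field names treated as personal data in the sample records.
PII_FIELDS = ("name", "email", "ssn")

# Constructed sample data; no real people.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Anna Jensen", "email": "anna@example.com", "ssn": "010190-1234", "balance": 1200},
    {"id": 2, "name": "Bo Larsen", "email": "bo@example.com", "ssn": "020285-5678", "balance": 340},
    {"id": 3, "name": "Anna Jensen", "email": "anna@example.com", "ssn": "010190-1234", "balance": 75},
]


def _synthetic_value(field):
    """Random replacement that keeps the rough shape of the field but carries no information."""
    if field == "email":
        return f"user{secrets.randbelow(10**6)}@example.invalid"
    if field == "ssn":
        return f"{secrets.randbelow(10**6):06d}-{secrets.randbelow(10**4):04d}"
    return "".join(secrets.choice(string.ascii_letters) for _ in range(8))


def anonymise(records):
    """Irreversible masking: every PII field is overwritten and the mapping is never stored.

    Non-PII fields (id, balance) are left intact so the dataset stays useful for testing.
    """
    return [{**r, **{f: _synthetic_value(f) for f in PII_FIELDS if f in r}} for r in records]


class TokenVault:
    """Lookup table held separately from the masked dataset.

    Tokens are random, so they reveal nothing about the value; the same value maps to the
    same token, so joins and duplicates in test data still behave as in production.
    """

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        if value not in self._to_token:
            token = "TOK-" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token):
        # Raises KeyError for a token this vault never issued: no vault, no reversal.
        return self._to_value[token]


def tokenize_records(records, vault):
    """Reversible masking: PII fields replaced by tokens, mapping kept only in the vault."""
    return [{**r, **{f: vault.tokenize(r[f]) for f in PII_FIELDS if f in r}} for r in records]


def detokenize_records(records, vault):
    """Restore original values; only possible with access to the vault."""
    return [{**r, **{f: vault.detokenize(r[f]) for f in PII_FIELDS if f in r}} for r in records]


def leaks_pii(masked, originals):
    """Leakage check: does any original PII value survive in the masked output?"""
    original_values = {r[f] for r in originals for f in PII_FIELDS if f in r}
    return any(r[f] in original_values for r in masked for f in PII_FIELDS if f in r)


if __name__ == "__main__":
    anon = anonymise(SAMPLE_RECORDS)
    print("anonymised leaks PII:", leaks_pii(anon, SAMPLE_RECORDS))

    vault = TokenVault()
    tokenized = tokenize_records(SAMPLE_RECORDS, vault)
    print("tokenized leaks PII:", leaks_pii(tokenized, SAMPLE_RECORDS))
    print("rows 1 and 3 share a token:", tokenized[0]["name"] == tokenized[2]["name"])
    print("round trip ok:", detokenize_records(tokenized, vault) == SAMPLE_RECORDS)
```

The leakage check is the part worth keeping in a real pipeline: whichever technique is used, the masked output should be scanned for surviving original values before it leaves the protected environment. The tokenized dataset alone is as uninformative as the anonymised one; the difference is that the vault exists and so falls under GDPR, which is why the text says the regulation still applies in the tokenization case.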

Knowing where to start with GDPR and who is responsible is difficult and, as already mentioned, with many parties involved (IT, Legal, Compliance and Risk), it's apparent that data protection is everyone's responsibility. All our guests reported differing states of readiness - from Nordea, who have already invested five years of considerable effort into the process, to some who have not even begun. Delphix dramatically reduces the time and cost of managing and masking data; but, even with our magic sauce, time is running out. Once deployed, customizing and testing masking algorithms could easily take six months. This means that if you haven't selected masking technology by November 25th 2017, you could be in serious danger of not being compliant six months later on May 25th 2018.

In the final part of the evening, I asked our guests to write down answers to three questions (anonymously of course!) as a bit of fun.

1. What is your biggest challenge to GDPR compliance?

The most common answer was scoping how much work is required in order to be compliant. This was followed by a lack of awareness and understanding of the legislation itself. Other challenges included lack of resources, overall complexity, the need for true collaboration and, perhaps my favourite, balancing the imperfect. This is a great recognition that GDPR compliance will never be 100% done, and the systems, processes and people will never be 100% right. GDPR is about doing your best to protect your customers' data.

2. Write one word that best describes GDPR collaboration between IT, Legal, Compliance and Risk?

With so many different functions in the room, I knew this would generate a range of responses. They ranged from inspirational and bliss to challenging and missing! GDPR truly crosses functional roles, perhaps like no other legislation. My preferred responses, though, were opportunity and data. This is a chance for organisations not just to improve data protection but to review how they manage and deliver data to those that need it. Organisations that deploy Delphix see projects accelerated and cost removed from the business, just by delivering safe, quality data faster.

3. Give one piece of advice to someone joining a GDPR project?

"Run away now" was perhaps the least risky answer provided! However, there were some very well considered responses.

  • Focus on your goal with patience

  • Maintain a can-do attitude when working with massive regulatory projects like GDPR

  • Understand where your data comes from, where it is, where it goes to and who has access to it

  • Look at how we can gain from this as an organisation to improve our process

  • Good change management is paramount

  • Make an effective link with both data and governance

But the best piece of advice?

Breathe in, breathe out!

There is a lot of fear, uncertainty and doubt broadcast by the media around GDPR, and a lot perpetuated by vendors trying to sell their wares. However, there still is time, and there is a mountain of best practice and advice available. Delphix can alleviate a big chunk of the heavy lifting with GDPR. And our ability to protect and deliver data fast can actually turn a compliance cost into a business advantage.

If you found this interesting and want to learn more about the Delphix masking solution for GDPR, click here.