The GDPR regulations came into operation exactly 20 months ago, in May 2018. In the same way that new parents start to appreciate the emotional challenges of toddlerhood at around this same timeframe, so too are organizations now beginning to experience what GDPR non-compliance means financially.
Carrefour and its banking arm were fined over €3m ($3.7m) by the local data protection regulator, Commission nationale de l’informatique et des libertés (CNIL), for multiple breaches of the GDPR earlier in 2020. By the end of the year, Ireland’s Data Protection Commission (DPC) had issued Twitter with a fine of €450,000 for failing to promptly declare and document a data breach under the GDPR. Tech firms must be preparing for an avalanche of fines too. Facebook has reportedly set aside €302 million for possible fines from the Irish DPC for GDPR violations.
Our experience of speaking with companies interested in implementing information lifecycle management (ILM) strategies is that many will struggle with GDPR compliance. This is because either their business processes are still not correct or, if they are correct, they are not being followed fully by employees. For example, when we start a project audit and begin to analyze customer data, we discover discrepancies such as sales orders and deliveries made many years ago that have not been closed off as completed, so the data for these types of documents is not in a state in which it can be deleted.
From an ILM perspective, if the data for these types of documents has neither a business use nor a legal / regulatory requirement to be retained, then the purpose for that data has expired. It should be destroyed in accordance with a strict ILM strategy to avoid the risk and the total cost of ownership (TCO) of retaining that purposeless data.
The problem of retaining data
From a GDPR perspective, if the intended purpose of the data in these documents (business and regulatory use) has expired and there is personal data held in these documents, then that data or those documents must be destroyed to ensure GDPR compliance. For instance, sales documents and deliveries usually hold customer details including name, address and telephone data, which is personal and identifiable data.
Returning to this example, larger companies often have hundreds of thousands of records like these, dating back over many years. The problem of retaining data that should be deleted usually arises because the business process of how to change the status of sales documents and deliveries to fully complete the sales document was either not defined from the outset, or is being overlooked by employees.
For instance, if a company is dispatching goods to customers, as soon as products are received, the delivery needs to be completed. If the process is poorly managed and the delivery is left open, and if this happens for every order on a large scale, the company could soon have 500 Gb worth of incomplete data records related to deliveries. This can create challenges specifically with regard to 1) the operational costs of storing data that should no longer be retained after its retention period (the period after which data has no business or legal purpose), 2) the legal costs of retaining personal or identifiable data after its retention period, 3) the performance of systems due to data saturation and additional risks.
Sounds incredible, but it’s something we see regularly. It’s also just as common to find a lack of consideration for ILM in greenfield implementations as in legacy systems. This is because the priority during greenfield implementations is always to get the system up and functioning. Managing the ongoing information lifecycle is never at the forefront of anyone’s mind, or at least, it takes a back seat.
Destroying data in a Covid-19 world
If a business is using SAP, the situation is further complicated. Data must be stored in a certain state and data processes correctly followed for the final stages of information lifecycle management (data deletion) to be automated. Let’s consider an example, a laptop retailer. As part of the sales workflow, their delivery records must have been completed and invoices posted to the finance team. Once this is done, the record can be fully completed and deleted to ensure GDPR compliance.
The retention period or lifecycle of the data is defined by the purpose it serves and this can vary greatly between organizations. In the laptop delivery example, data might need to be held for 3 years in case of a complaint or problem with the devices. Another manufacturer might want to retain information on product parts for longer still, in case of a recall.
This simple example highlights that when business processes are left incomplete, introducing ILM and data archiving becomes much more difficult – because it’s more difficult to spot where there are errors and this adds a layer of complexity. In practice, companies end up having to close off all these records manually, taking more time and increasing project costs. Legacy delivery data might not pose too many compliance problems but when dealing with financial information, or complex machinery with parts needing to be tracked over many years.
Although the GDPR came into operation two and a half years ago, a surprising number of companies are still not properly compliant, especially where data is not held in the correct status to be deleted using standard tools. Having assisted on numerous archiving and deletion projects for customers to rectify issues with lawful data retention due to business processes not being completed, we are well positioned as an organization to make these observations. TJC has provided practical guidance and management solutions to resolve problems due to data and process inconsistencies in these cases. This involves working with the business team to set the conditions for closing down old sales orders and financial documents.
Now, due to Covid-19 and the financial pressures this has created, companies will need to adopt automated information management solutions that can identify and manage data to be destroyed in the most cost-efficient way possible and realize maximum ROI. This means having correct processes in place to identify relevant records as complete and then flagging them for archiving or deletion. Doing this takes effort and a clear understanding of data and its usage: firstly identifying where the data is, and then starting to define an ILM strategy specifically for the destruction phase of that lifecycle. In doing this, if and when auditors do question their data for GDPR compliance, the organization can demonstrate it is taking reasonable steps forward.
Mani Singh, SAP Consultant, GDPR Compliance Expert, TJC-Group