How should you use technology to become GDPR compliant?

A quick Google search of ‘GDPR’ results in a whole host of services purporting to help organisations become compliant. Unfortunately, the vast majority of these services are little more than different ways of saying ‘consultancy’. With the clock ticking on implementation, the pressure is on to move beyond talking and actually use technology to answer, and capitalise on, the GDPR challenge.

So, what technology options are available for organisations? First, naturally, each option depends on the nature and use of data generally, and personal data specifically, along with the systems and processes currently in place.

GDPR has key demands that affect the technology choices and technical approaches that a business has to make. However, it is not the only regulation on the horizon that will affect personal data management and use. The e-Privacy Directive is in the pipeline and will cover all aspects of data, as well as personal data, and will place added demands on tech teams seeking to implement compliance solutions. As a result, any solution you pick must also be flexible enough to adapt to new legislative challenges.

Build or buy?

By its very nature, personal data is used by most functions in a business. This creates fundamental issues around control. Therefore, the first action should be to map where your data is and how it is stored and used. This can be a highly complex task and will form the basis of your approach to deciding on the right technical solution for your specific circumstances.

Basically, you have a couple of high-level options. This boils down to either working with your existing systems and patching, updating and building on them to achieve a compliant status, or taking this opportunity to update your tech stack.

If your legacy systems are already creaking, you may consider moving to cloud services as far as practically possible and taking this opportunity to update your tech stack to ease your compliance tasks. Many organisations will make this choice, as the enforcement of GDPR demands that they are accountable for all personal data within their control, and this will be the easiest way to achieve, maintain and ensure compliance.

If you are tempted to adopt cloud services, it is worth pointing out that even if a cloud service states it is GDPR compliant, this does not mean that a business using the service will automatically become compliant.

The key is whether you are a Data Processor or a Data Controller of personal data. In the case of most cloud services, they are Data Processors and, as a result, they don’t have the same levels of responsibility as Data Controllers. The businesses using cloud services are usually Data Controllers and, therefore, need to ensure their management of personal data is compliant with the regulations and that they have demonstrable evidence to provide to the Information Commissioner's Office if it comes knocking.

What to consider

Factors you should also consider when you’re picking your technology solution include how difficult it will be to keep data synchronised across all your services and to create auditable records of data management. Add to this the time and effort involved in managing data requests for deletion, portability, contests of legal basis and editing, along with the complexity of coordinating incoming customer requests about personal data via multiple channels, and for many organisations the only option will be a fully integrated, flexible and automated platform.

Put simply, creating your own GDPR solutions can be very complex and costly to design, build and maintain. Privacy regulations will continue to expand over the next few years, and maintaining systems to comply will become increasingly onerous.

Using an API-enabled platform

If you’re planning to purchase technology, one of the most straightforward solutions is an API-enabled secure platform. Not only is implementing this type of solution much faster and cheaper, it can, depending on the technology, automatically include audit trails for regulators and aggregation tools that enable the creation of a single customer view.

Another factor to look out for is whether encryption is built in. This will relieve a huge burden on your developers, as they will only have to focus on the security of the in-house system.

Connecting internal systems to your solution will vary in complexity. For some older legacy technology systems, specialist technical assistance could be required. The audit at the beginning of your process should reveal this need and allow you to factor in the resources required. Again, an API-enabled platform will reduce the amount of time your developers and IT professionals need to dedicate to linking up your tech.

It is important to remember that all unconnected data, such as spreadsheets, needs to be added to your data management platform, and the use of this data needs to be carefully monitored. Any changes to personal details or requests for copies will need to be reflected in the spreadsheets. If your organisation is heavily reliant on unconnected data, it makes sense to move your records to the cloud.

Other considerations beyond the technology

Of course, buying in or building technology is just one piece of the GDPR puzzle. Privacy by Design principles should be applied across your entire organisation. The security of personal data should become the highest priority. This includes establishing data breach notification procedures, training staff on the correct management of personal data, and setting up processes to ensure that your technical systems have full visibility of all personal data. This means carefully managing scenarios such as the transfer of personal data to laptops or mobiles.

Many organisations will also need to appoint a Data Protection Officer. With all these issues to balance, it makes sense to consult a lawyer regarding your obligations under GDPR and to check whether your new processes and your implementation of data management technology are fit for purpose.

Looking ahead

As mentioned, GDPR is just the start of a huge change in how personal data is used and managed. The e-Privacy Directive is next on the agenda and, like GDPR, will evolve as it is tested.

Therefore, above all, the data management solution you use must be flexible and capable of adapting. Consequently, I would strongly advise against building or trying to patch an existing in-house system.

A cloud-based SaaS solution which has built-in encryption and is API-enabled will be the most appropriate solution for most organisations. This will reduce costs and speed up implementation. The first step is to audit your systems, processes and data to quickly understand exactly what you require.

Julian Saunders, CEO and co-founder, PORT.im