Do you know what personal information your organisation holds on EU citizens and residents, and how to locate it quickly?
This is the challenge posed by the incoming EU General Data Protection Regulation (GDPR). The answer is to be in a place ‘infrastructurally’ where you can handle everything from Subject Access Requests (SARs) to Right to Be Forgotten (RTBF) requests. It may sound difficult, but help is at hand for locating this data and managing it appropriately.
Under the GDPR, you could get a range of requests from citizens, residents or regulators to report on, disclose or delete specific personal information. RTBF requests, for instance, could prove particularly thorny because of the work involved in locating and deleting data. Alternatively, you might be required to transport that data if it’s not stored legitimately, is no longer accurate, if it’s exceeded its retention period, or if you don’t have the subject’s consent to hold onto it.
So, how do you go about tackling data deletion and portability for unstructured data such as audio, video and social media, as well as structured, database-centric information? If you can get it right, the process of Defensible Disposition – legally disposing of over-retained information – is a good first step to identifying and deleting this data.
And by doing so, not only will you benefit by adhering to GDPR requirements, but you can also lower your storage costs and business risk as you only store and back up the data you need to.
Achieving Defensible Disposition with GDPR
Defensible Disposition calls for a comprehensive approach to information management. This is something that Micro Focus can help with, using its comprehensive suite of GDPR-ready technologies.
Micro Focus has designed two specific data classification technologies that enable organisations to carry out Defensible Disposition in an automated and auditable way. Micro Focus ControlPoint, for unstructured data, and Micro Focus Structured Data Manager, for database information, can automatically identify structured and unstructured data for disposition that may be subject to RTBF requirements.
Once identified, organisations can then delete, rectify, anonymise, pseudonymise, suppress or encrypt personal or sensitive data. The tools can also be used across archives and backups to make sure personal data is not being retained inadvertently.
David Kemp, Specialist Business Consultant at Micro Focus, explains that these solutions can quickly isolate and identify personal data through classification and indexation, in an auditable format. They do this by using metadata, which doesn’t disturb the source where the personal data resides.
Structured Data Manager and ControlPoint both use a concept that Micro Focus calls “management in place”, where only the metadata of the personal information is captured and stored centrally, but not the information itself. “Hence there’s no need for costly duplication or storage if you use the Structured Data Manager and ControlPoint unstructured data facilities,” says Kemp.
“Once the metadata is captured, you can apply the rules set by regulators and interpreted by internal or external counsel,” he adds. Through this “policy enforcement”, it’s possible to delete or change personal data in its metadata format with great accuracy, and minimal disruption to your mass data sources.
Finally, says Kemp, the tool you use to carry out these tasks is the Micro Focus Content Manager. This also provides evidence for the data subject (the citizen or resident), as well as the regulators, investors and employees, that you have taken the appropriate compliant action.
So, with the right technologies and information management strategy in place, you can confidently tackle data deletion and portability under GDPR.