Enterprises often restrict their privacy management strategy to customer data only. Yet it is the personal data of employees, spread across the entire company, that may pose the real challenge. Chris Brockmann, CEO of eccenca, explains how enterprises can master this complexity problem.
When the General Data Protection Regulation (GDPR) came into effect, adhering to its rules was probably one of the most dreaded tasks for every company. Today, many initial fears seem to have proven unnecessary. Initiatives that had started with ambitious goals have lost steam. The general public has not flocked to your inquiry website. And you may not have heard much from the call center you had deployed to handle subject access requests. In fact, you already may have re-purposed staff previously dedicated to managing GDPR compliance.
At first glance, this sounds like the GDPR has become the toothless animal some of us had hoped for all along. But not so fast! During the past few months, the GDPR has surfaced at a point where most of us had not expected it: negotiations about severance payments. Of course, many organizations have employee agreements in place intended to take the sting out of data usage regulations. But laid-off employees come to court with their homework done, and done well.
How about your Employees’ Data?
There is one aspect of employee data your agreements could not fix and will never fix. It is the right to request erasure of data after termination of employment.
As we can all imagine, terminated employees are not happy campers asking for their data out of curiosity. Former employees may carry vengeance and frustration. Often, they also have enough insight into how your company works with data internally to make your GDPR response team go ballistic. And the complexity does not stop here.
Personally identifiable data from customers and suppliers might be spread over a handful of disparate applications, but at least it can be clearly attributed to a specific subset of processes. With employee data, it is an altogether different story: personally identifiable employee information is literally everywhere. Just remind yourself that software generally records the names of the creator and of every editor of a data set, process or document in its metadata. There really is no escape.
Do you have scalable plans and processes in place to deliver GDPR-compliant deletion, with documentation that will hold up in court? Or is it your plan to sit it out and pay a price that might add up to 4 percent of revenue? Sure, so far nobody has ever been fined that amount. But erasure management could well turn out to be the “death by a thousand needles” for any organization. After all, managing the deletion of data is a complex problem that is by no means limited to employee data.
A Graph-based Solution can help cut through the Complexity!
Let us assume you already attach broad and well-designed legal stipulations to your employment contracts. This does not ease the pressure to be able to report where personally identifiable data is stored and processed throughout your company. Apart from the legal strategy, you need a systematic, technology-powered approach to data governance that provides a solid footing when push comes to shove.
In a nutshell, your approach should at least include:
- a central catalog of all systems,
- a central catalog of all processes and their processing purposes,
- a central catalog of the legal basis, legitimation and your retention policy,
- an integrated index that allows you to identify personally identifiable data on the subject level as per each of the above,
- automation of documentation and reporting on your actions taken,
- an active governance and observation system that reports data once its legal retention period expires (data minimisation requirement).
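The following is an added illustration of how the catalogs and the subject-level index above can be tied together in a small knowledge graph; it is constructed for this article and is not eccenca's product code. Systems, processes, predicates, people and retention periods (such as the 10-year payroll retention) are all made-up sample values. The graph is held as plain (subject, predicate, object) triples so that it runs offline; walking record → process → system answers "where is this person's data stored", while the retention and legal-basis triples drive the erasure decision and a governance sweep for expired records and incomplete catalog entries.

```python
"""Tiny knowledge-graph index for GDPR erasure handling (constructed example)."""
from datetime import date, timedelta

Triple = tuple[str, str, str]

# Constructed sample graph. Predicate names are ad hoc, not a standard vocabulary.
GRAPH: set[Triple] = {
    # system catalog
    ("sys:hr-core", "a", "System"),
    ("sys:crm", "a", "System"),
    ("sys:wiki", "a", "System"),
    # process catalog: purpose, legal basis, retention period, hosting system
    ("proc:payroll", "a", "Process"),
    ("proc:payroll", "purpose", "salary payment"),
    ("proc:payroll", "legalBasis", "contract"),
    ("proc:payroll", "retentionDays", "3650"),  # made-up 10-year period
    ("proc:payroll", "runsOn", "sys:hr-core"),
    ("proc:sales-contact", "a", "Process"),
    ("proc:sales-contact", "purpose", "customer correspondence"),
    ("proc:sales-contact", "legalBasis", "legitimate interest"),
    ("proc:sales-contact", "retentionDays", "365"),
    ("proc:sales-contact", "runsOn", "sys:crm"),
    ("proc:doc-metadata", "a", "Process"),
    ("proc:doc-metadata", "purpose", "document authorship metadata"),
    ("proc:doc-metadata", "legalBasis", "legitimate interest"),
    ("proc:doc-metadata", "retentionDays", "0"),  # nothing justifies keeping it
    ("proc:doc-metadata", "runsOn", "sys:wiki"),
    ("proc:badge-access", "a", "Process"),  # catalog entry with no retention rule
    ("proc:badge-access", "runsOn", "sys:hr-core"),
    # subject-level index: which record is about whom, in which process, since when
    ("rec:1", "about", "emp:alice"), ("rec:1", "inProcess", "proc:payroll"),
    ("rec:1", "retentionStart", "2023-01-31"),
    ("rec:2", "about", "emp:alice"), ("rec:2", "inProcess", "proc:sales-contact"),
    ("rec:2", "retentionStart", "2023-01-31"),
    ("rec:3", "about", "emp:alice"), ("rec:3", "inProcess", "proc:doc-metadata"),
    ("rec:3", "retentionStart", "2023-01-31"),
    ("rec:4", "about", "emp:bob"), ("rec:4", "inProcess", "proc:payroll"),
    ("rec:4", "retentionStart", "2024-06-30"),
}

TODAY = date(2025, 3, 1)  # fixed "today" so the example is reproducible


def objects(graph: set[Triple], s: str, p: str) -> set[str]:
    """All objects o with (s, p, o) in the graph."""
    return {o for (s2, p2, o) in graph if s2 == s and p2 == p}


def subjects(graph: set[Triple], p: str, o: str) -> set[str]:
    """All subjects s with (s, p, o) in the graph."""
    return {s for (s, p2, o2) in graph if p2 == p and o2 == o}


def one(values: set[str]) -> str:
    """The single value of a one-valued property; raises if the catalog is incomplete."""
    (value,) = values
    return value


def systems_holding(graph: set[Triple], person: str) -> set[str]:
    """Walk record -> process -> system to list every system storing data about one subject."""
    systems: set[str] = set()
    for rec in subjects(graph, "about", person):
        for proc in objects(graph, rec, "inProcess"):
            systems |= objects(graph, proc, "runsOn")
    return systems


def retention_expired(graph: set[Triple], rec: str, today: date) -> bool:
    """True once the record's retention period, inherited from its process, has run out."""
    proc = one(objects(graph, rec, "inProcess"))
    days = int(one(objects(graph, proc, "retentionDays")))
    start = date.fromisoformat(one(objects(graph, rec, "retentionStart")))
    return today > start + timedelta(days=days)


def erasure_report(graph: set[Triple], person: str, today: date) -> list[dict]:
    """Per-record decision (erase or retain) with the system and legal basis, for documentation."""
    report = []
    for rec in sorted(subjects(graph, "about", person)):
        proc = one(objects(graph, rec, "inProcess"))
        report.append({
            "record": rec,
            "system": one(objects(graph, proc, "runsOn")),
            "process": proc,
            "legalBasis": one(objects(graph, proc, "legalBasis")),
            "action": "erase" if retention_expired(graph, rec, today) else "retain",
        })
    return report


def overdue_records(graph: set[Triple], today: date) -> list[str]:
    """Governance sweep: every record past its retention period, regardless of subject."""
    records = {s for (s, p, _) in graph if p == "about"}
    return sorted(r for r in records if retention_expired(graph, r, today))


def governance_gaps(graph: set[Triple]) -> list[str]:
    """Processes in the catalog that lack a legal basis or a retention rule."""
    procs = subjects(graph, "a", "Process")
    return sorted(p for p in procs
                  if not objects(graph, p, "legalBasis") or not objects(graph, p, "retentionDays"))


if __name__ == "__main__":
    print("systems holding emp:alice:", sorted(systems_holding(GRAPH, "emp:alice")))
    for row in erasure_report(GRAPH, "emp:alice", TODAY):
        print(row)
    print("overdue records:", overdue_records(GRAPH, TODAY))
    print("catalog gaps:", governance_gaps(GRAPH))
```

The point of the graph shape is that the same three triples per record answer all three questions in the list above: a subject access or erasure request becomes a traversal from the person, the retention sweep becomes a traversal from the processes, and an incomplete catalog entry surfaces as a missing edge rather than as a surprise in court.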
What sounds like squaring the circle is far from impossible. As a software vendor that helps its customers master complexity in a fully digitalized world, eccenca specializes in projects where data sources are abundant, black-boxed and heavily siloed. We found that knowledge graph technology provides the transparency needed to evaluate, manage, visualize and link data across a company’s disparate IT landscape. Our graph-based approach also provides the web-scale versatility and scalability to expand documentation as your challenges grow and change.
In terms of the GDPR, the knowledge graph approach gives your organization the means to establish sound documentation of personally identifiable data and to put it into context with the applicable governance rules. Thus, the eccenca solution enables you to fully document, automatically validate and systematically trigger GDPR compliance processes. After all, litigation will always cost you more than the effort of employing an automated compliance management solution.