DataReg

#DataReg Chat
All things #GDPR, #InfoGov, #DataProtection, DataPrivacy and Compliance.
Veritas Tech InfoGov
Q3. What tips do you have for organizations to ready themselves for #GDPR? #DataReg
Anna Simpson
Understand what you have and where it is. There’s not going to be a single solution but if you can gain visibility, you can see the gaps, and start remediation projects to fill them over time.
Louise Searley
A3. First step = data amnesty. All departments share the data they hold across all technology
Sumant Pal
Focus on the data and its business value. Use GDPR as an opportunity to clean up your customer data and internal processes around it
Tamzin Evershed
You need to invest time in building common understanding. Many people have incorrect preconceived notions about what GDPR is all about and it takes time to break through those notions to a shared position.
Louise Searley
Good example in B2C space was JD Wetherspoons in the UK. They have culled all customer data and are starting again. Extreme case, but safest based on their size/brand/revenue
David Moseley
A3. Start to communicate internally!
Tamzin Evershed
A.3 The main relationship that needs work tends to be between IT and legal. They are both precise disciplines, and need to work together, but sometimes a third party is required as a "translator" as it can get frustrating for both sides.
David Moseley
That's interesting - I heard the same for RNLI
Simon Nixon
A3. You cannot achieve compliance unless you know where the personal data resides across your systems. Data Mapping is a critical step to success.
Louise Searley
Tamzin, very interesting that you have suggested legal & IT. I have seen Marketing taking the role in some other companies
Sumant Pal
Agreed. Start with Article 30 and data inventory/mapping
Tamzin Evershed
Interesting Louise - so marketing is having these conversations with IT? How is it going?
Louise Searley
Going well from what I know. Marketing is going to be carrying the weight of data acquisitions, opt-ins, retention and so all marketing activities must now be re-engineered around the legislation
Veritas Tech InfoGov
Q2. What are the biggest concerns you are hearing about #GDPR? #DataReg
Tamzin Evershed
Q2. The thing I'm hearing most is a concern about how to manage retention periods, and how to select data for deletion.
Tamzin Evershed
Q2. We're going through this process internally, and you really have to have a good idea of what you process to be able to determine what should be deleted when. It's a huge task!
David Moseley
A2. There are still issues with internal silos between ownership and budget between IT, legal and risk & compliance
Simon Nixon
A2. A lot of customers I have presented to are very concerned about the potential fines being imposed. Additionally a consistent talking point is how customers can deal with SARs with particular attention to RTBF.
Louise Searley
A2. Biggest concern in my space is outbound marketing, especially in B2B. B2C can attract opt-ins through lifestyle content, however B2B buyers would be less likely to opt-in.
Simon Nixon
By RTBF I mean the "Right to be Forgotten" for those unaware of the acronym.
David Moseley
A2. Agree with Louise, the loyalty card space is working out how they retain customers with having explicit consent
David Clarke
managing consent through multiple third parties A2
Simon Nixon
A2. I also speak to a lot of customers who are challenged with where to start on their GDPR compliance journey.
David Clarke
@VritasTechIG managing child consent at scale
Veritas Tech InfoGov
Great answers on our #GDPR Crowd Chat. Thanks for your contribution so far.
David Moseley
A2. Yes Simon, data mapping and Article 30 creation has taken longer than expected for many.
Sumant Pal
One of the biggest concerns is figuring out the right things to do in a GDPR program. It requires a multi-faceted, multi-functional approach. @VeritasTechIG
Anna Simpson
Scope of data sources and the ability to be able to effectively search these for personal data.
Veritas Tech InfoGov
Q4. What is the biggest threat an organization faces with #GDPR? #DataReg
Tamzin Evershed
A4. Whilst most organisations are scrambling to become compliant, I think that we need to remember that the GDPR is here to stay. Once we're compliant we have to stay that way. I think the threat is that companies lose focus after May 2018.
Anna Simpson
Non-compliance through lack of education. GDPR applies outside of the EU and everyone should be aware of this.
David Moseley
A4. Making assumptions - especially if they have a cloud service provider and assume the data held is their compliance obligation.
Louise Searley
Q4. The greatest threat is being paralysed by not knowing where to start. The ICO have explained that they are there to support, and so businesses who can show they are taking the steps to be compliant will see greater leniency
Simon Nixon
A4. I would suggest brand reputation / financial impact / customer loyalty as a result of a severe data breach of personal data - organizations do not want to be in the press for all the wrong reasons.
Louise Searley
Agreed Anna. Many companies think it will change based on Brexit, not recognising that GDPR is beyond that
Sumant Pal
A4. The biggest threat is that enterprises think they have it covered, existing data governance is good enough. "My customer and employee applications have good access controls, so I am good"
Louise Searley
Sumant, If anything the talk of the town is that the largest companies are the ones who should be most fearful and are the ones of which examples will be made
Veritas Tech InfoGov
Q1. Is #GDPR an opportunity or threat? #DataReg
David Moseley
I definitely see GDPR as an opportunity - it's the governance project organisations need to see as a business benefit
Anna Simpson
An opportunity. Rather than keeping everything forever, as most organizations have traditionally done, it empowers them to defensibly delete or expire data over time creating operational efficiencies.
Simon Nixon
A1. Absolutely an opportunity for customers to take control of the data in their environment, become compliant with the regulation and realize additional ROI benefits by removing ROT data from the estate.
Tamzin Evershed
An opportunity. It's great to have budget to put your house in order. Companies are only now allocating serious budget to a really important task that has been neglected.
David Moseley
A1. It's good to see the ICO blog support what is required, as much scaremongering is in the news. https://iconewsblog....
Louise Searley
A1. Although it's forced, it is an opportunity for businesses to properly take stock of the data assets they have
Simon Nixon
A1. Agree David, the ICO blog is an ideal place for customers to leverage as a true authority on the matter.
Veritas Tech InfoGov
Q6. Are there any hidden personal data risks organizations need to be mindful of to comply with #GDPR? #DataReg
David Moseley
A6. Often internal behaviour can pose huge risk. We see databases dumped into unstructured filers all the time - often unseen and forgotten.
Tamzin Evershed
A6. You bet! Most organisations don't know what they hold, which is a smoking gun, but they are also often hazy about what people are doing with data, or who they are giving it to. I am sure most organisations will have a few surprises!
David Moseley
A6. So having visible data maps of the actual environment, along with the Article 30 record, helps identify these gaps.
Simon Nixon
A6. I've spoken to too many customers recently that do not think they have an issue with personal data residing on unstructured file systems - I think they could be in for a shock taking that posture.
Louise Searley
A6. Depending on the final version of GDPR and where the line is between B2B employee data and PII, even business IP tracking could be risky
David Moseley
A6. The other will be personal devices - many take work home, email has been used to share customer lists from events etc. The legacy data is where a lot of unknown issues reside.
Veritas Tech InfoGov
Q5. What are the upsides to being #GDPR compliant? #DataReg
David Moseley
A5. I see it as gaining agility and innovation in bloated IT systems as storage where they have been used as a dumping ground for years - as well as being compliant!
Louise Searley
A5. Although marketing data will ultimately reduce, content creation and segmentation should be stronger based on those smaller numbers. Marketing results should therefore improve and deliver greater ROI
Tamzin Evershed
A5. Life as a privacy officer can mean permanent fire fighting. Having control of data compliance means more time to be strategic about data, and less time spent sorting out problems on the back end.
Simon Nixon
A5. Being compliant could provide competitive differentiation e.g. an organization you can trust to do business with.
Sumant Pal
A5. The upside is that you now know what data you have and start to realize the value of that data. Especially the data sitting in your large file shares and cloud storage!
David Moseley
A5. I think Simon is right as people see the increase in breach - organisations that are good custodians of 'their' data - consumers are worried how their information is leaked and often money lost
Anna Simpson
There are many - Storage optimization, operation efficiencies, and compliance with other global data privacy regulations.
David Clarke
bring IT in line with other industries to make IT safe...