Find Me A Gift is an online retailer of gifts that is based in the UK. If ever there were a company that would be subject to the GDPR it would be an organization like Find Me A Gift and indeed the company has been diligently preparing for the regulation. Yet during a data analysis it was still surprised by what it found — metadata referring to warehouse staff, for example. “This was imbedded in our system and held staff details that had worked with us since our system was launched, some 10 years ago,” said Logistics and Operation Manager Tim Stevens. “This data was utilized to calculate an average pick/pack rate by staff members in our warehouse using their personal sign-in details. The data held personal information of staff that had been registered on our system.” The task now is to remove all the personal references to staff from the company’s history, he said. And going forward, Stevens added, they’ll be anonymizing any future data held.”
GDPR is months away and yet even well-prepared companies are finding last minute surprises as they race to the finish line. Part of the problem is that the regulation itself is so complex; another part is the surprising range of data that fall under the regulation.
Let’s begin with the deep sea that is unstructured data. We think of personal data living mostly in structured data sets, which can create its own set of challenges for an organization to find where and how they’re using personal data they’ve collected, Rob Perry, VP of Product Marketing at ASG Technologies said. “However, GDPR protected personal data can appear in many places other than these structured resources. Word documents, pdf files and images of account statements, checks, and invoices are obvious file types but there are many more. Large amounts of content is being gathered in data lakes that would include posts on social media channels such as Facebook, Twitter and LinkedIn, along with blogs posts and other informal communications,” he said.
Other categories include click streams, search and browsing history — despite seeming far removed from GDPR — can also fall under GDPR in cases when people search for personal information, like their home address, and label it as such, Perry said.
Related Article: 5 Experts Share Advice on Preparing for GDPR
Water Meters and Documents
Even water or gas meters can contain information that could also be classified as personal data regarding location or consumption of services, according to Patrick McGrath, director of Solutions at Commvault. As McGrath makes clear the question of what falls under GDPR gets even more complicated as different formats and channels are considered.
“If our ultimate aim is to protect customers and employees from loss or misuse of their personal data, then we have to expand our idea on where this information can be held and what form it can take,” said McGrath. For example, within a document, signatures and even fingerprints can be stored, both of which could be used for identity theft. “Voice recordings, photos and video of a data subject also qualify as biometric data and could be used to determine identity. They could equally be analyzed to determine whether the content of the recording could be translated into text, perhaps containing additional personal data.”
Here are a few more areas to consider, according to McGrath.
Consider just the issue of consent with IoT, said Richard Henderson, global security strategist at Absolute. GDPR requires data collectors and controllers to demonstrably show that clear and free consent has been given by the subject to process and use that personal data. Consent can not be an opt-out mechanism under GDPR. “How will IoT devices be able to deal with a subject wanting to withdraw consent?” he said. There are other problems as well, he continued. “Think of the use case where a store has embedded sensors throughout their store to determine where a shopper spends the majority of their time, where they paused to look at a promotional display, where they didn’t go — unless that data has been fully anonymized at the source of collection, can those sensors truly stay in compliance?” This is not a simple issue, as much of the data that is collected is only valuable or monetized if it isn’t totally anonymous, Henderson said.
Related Article: 9 Ways to Jumpstart Your GDPR Compliance Program
The issues surrounding the connected car are similar, Henderson continued. “Much of the data around where a car owner goes, when they use the car, how they drive, what entertainment they consume while driving… all of this is valuable data,” he said. That raises the question, will car manufacturers from other regions outside the EU provide unique software and firmware builds for cars destined for the EU? “We do see many car makers already able to uniquely tailor cars via software loading for individual markets, but what happens if an EU citizen visits the US and rents a car and finds their unique info collected without their express consent?” he said.
Audio and Video
This can be a grey area, Perry said. “For example, there is a question of how private use of security cameras is implicated. If a person’s face appears on a recording, do they have rights?”
Most global brands operate hundreds of websites, microsites and apps with designated people and teams responsible for setting up tracking, said Katrin Ribant, CSO and co-founder, Datorama. “In some cases, there are unique initiatives that are time and geography sensitive and require separate microsites or apps. Having the checks and controls in place to make sure that no data that falls under GDPR gets captured in the custom set ups of these initiatives is a challenge. It requires a mix of technology, to capture and analyze the data at scale, and processes to make sure everyone in the organization is aware of the guidelines for GDPR compliance.”
It could be sitting in cold storage or in a tape archive or in AWS Glacier cloud storage. Wherever it is, “It’s really hard to go back and delete customer data in backups whilst still maintaining the integrity of the backups and/or avoiding having to build a backup ETL and rewrite process,” said Ben Bromhead, CTO at Instaclustr. “This is one that will hit 100% of companies.”
Under GDPR, corporate emails are considered personal emails of employees and are not owed by the company, according to Tevora’s Privacy Practice Lead of Enterprise Risk and Compliance, David Grazer.
Sales prospects data
Either written on paper or digital, that is collected by traveling sales people on personal notepad applications, such as the iPhone Notes app, falls under GDPR, Grazer said.
Printers, scanners and copiers
“We spend so much money on cybersecurity and sometimes forget what’s just lying around,” said Chris Dance, CEO of PaperCut. Audit trails, watermarking, digital signatures and electronic archiving can help pinpoint and create accountability for a physical document’s leak when there is one, he said.