I’ve recently been in several meetings where a Data Protection Officer (DPO) or internal legal advisor has been discussing GDPR with IT team members. It was interesting to see people with very different backgrounds and responsibilities jointly working through the GDPR challenges they face. Several of the DPOs were keen to stress that many of the elements affected by GDPR are already in force through existing national legislation enacted to comply with the 1995 Data Protection Directive. For them, GDPR was in many ways welcome, because it ensures that organisations take their obligations seriously - even where those obligations already exist but have perhaps been overlooked.
There were many interesting discussions and viewpoints, but I also noticed, in many cases, a disconnect in how the two different worlds communicate about the same topic.
Let me give you one example that I think explains this. If an organisation has a detailed ‘Data Retention policy’ which states that data type x is kept for five years, does that mean only that the data is kept for at least five years, or also that the data is actively destroyed once it is five years old? Several DPOs/Auditors spoke of an existing retention policy with the clear assumption that the latter was the case. No-one from the IT teams wanted to challenge that and explain that, although the retention policy existed, it wasn’t driving any active removal of older data. The IT teams' understanding was that data had to be retained for at least this period, not that it had to be destroyed once it passed that age. The two readings are compatible only as long as nobody checks: the moment an auditor asks to see what happened to six-year-old records, the gap becomes visible.
With GDPR, these conflicting views of what a retention policy means will be exposed and will need to be resolved - the sooner the better. While document management systems normally have a built-in retention period that focuses on removing old data, the majority of IT systems do not, so organisations will be looking for technology solutions they never previously thought they needed.
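To make the two readings of "kept for five years" concrete, here is an added example (my own illustration, not code from any system mentioned above) of a small retention checker. The `keep_years` minimum and the `destroy_when_expired` flag are assumptions that model the two interpretations; the record set and the "today" date are constructed for the demonstration. A rule with `destroy_when_expired=False` is the IT reading (retain at least this long); with `destroy_when_expired=True` it is the DPO reading (retain this long, then remove).

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    """One line of a retention schedule (hypothetical structure for this example)."""
    data_type: str
    keep_years: int              # minimum retention: never destroy before this age
    destroy_when_expired: bool   # True: policy also mandates destruction at that age


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    created: date


def age_in_years(created: date, today: date) -> int:
    """Whole years elapsed, counting a birthday only once month/day has passed."""
    years = today.year - created.year
    if (today.month, today.day) < (created.month, created.day):
        years -= 1
    return years


def classify(record: Record, rule: RetentionRule, today: date) -> str:
    """Return the action the policy implies for this record on the given date.

    'retain'      - still inside the minimum retention period
    'destroy'     - past the retention period and the policy mandates removal
    'overdue-review' - past the period but the policy only set a minimum, so the
                       data is silently accumulating (the IT reading in the post)
    """
    if rule.data_type != record.data_type:
        raise ValueError(f"rule for {rule.data_type} applied to {record.data_type}")
    if age_in_years(record.created, today) < rule.keep_years:
        return "retain"
    return "destroy" if rule.destroy_when_expired else "overdue-review"


def retention_report(records, rules, today: date) -> dict:
    """Map each record id to its action; records with no matching rule are flagged."""
    by_type = {r.data_type: r for r in rules}
    report = {}
    for rec in records:
        rule = by_type.get(rec.data_type)
        report[rec.record_id] = (
            classify(rec, rule, today) if rule else "no-rule"
        )
    return report


# Constructed sample data: the same schedule read both ways.
TODAY = date(2018, 5, 25)
RECORDS = [
    Record("inv-001", "invoice", date(2012, 1, 15)),   # > 5 years old
    Record("inv-002", "invoice", date(2014, 6, 1)),    # < 5 years old
    Record("hr-001", "hr-file", date(2011, 3, 3)),     # > 5 years old
    Record("log-001", "access-log", date(2017, 1, 1)), # no rule at all
]
IT_READING = [RetentionRule("invoice", 5, False), RetentionRule("hr-file", 5, False)]
DPO_READING = [RetentionRule("invoice", 5, True), RetentionRule("hr-file", 5, True)]


def compare_readings():
    """Show how the same records get different actions under the two readings."""
    return {
        "it": retention_report(RECORDS, IT_READING, TODAY),
        "dpo": retention_report(RECORDS, DPO_READING, TODAY),
    }


if __name__ == "__main__":
    for reading, report in compare_readings().items():
        print(reading, report)
```

The useful output is the `overdue-review` and `no-rule` entries: those are the records a written policy appears to cover but that nothing in the system will ever remove. Running a report like this before an audit is the cheap way to discover the disconnect described above rather than having it pointed out.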