GDPR Misconception No. 4: Data transparency is easy

posted in: GDPR | 0

This post is also available in: Deutsch (German)

The Fridge
Whatever you might think about  the GDPR, it contains valuable ideas on data protection. However, there are some regulations and ideas that no longer correspond to today’s reality. The law shows the biggest deficit in connection with data transparency and information governance. More precisely, we need to talk about information transparency. Data transparency could still be described as feasible, but information transparency is a fine art. With KRM, we have been working in the field of information governance for years and know what it means to have your information under control as an organisation. Today, most organizations control perhaps 20% of their data. What does transparency mean in the context of personal data? According to the GDPR, as the person responsible you have to create a process directory or processing directory. They would have to enter their personal data or the applications in which they store personal data. In addition, they must record what happens to them, which evaluations are created, to whom the data is sent, and so on. Imagine that every Excel file that is recorded in individual companies must be recorded according to these principles. You say that is possible? O.k., that is at least theoretically still feasible. You immediately remember the good old card index boxes, because that’s what processing directories were designed for. It becomes exciting when such data is combined with external data without them being aware of it (see the example of recruitment in FC 2). Information formation often happens unconsciously, by chance, by carelessness, “on the fly”. This happens, for example, whenever digital address books are exchanged. will be. The best example is Microsoft Outlook.
Due to the trend towards storage of data in the cloud, personal data is permanently stored in the background. synchronized (have you ever wondered that people from your Address book suddenly appear in LinkedIn?). This can be controlled by yourself for the expert is hardly possible. Not to mention to find out where this can be done everywhere. happens. The basic principles of data transparency are stuck in the GDPR on the basis of the eighties. The EU simply did not do its homework here. Information governance is a discipline that has been developed and propagated for about 15 years by various organisations, teaching and research. The intelligent handling of data storage, information management, is not a new discipline at all. However, it was completely ignored in the GDPR. Unfortunately, information processing in most organizations has also remained at this level: Most companies deal with their data like shared flats with their refrigerators (see video). The main bulk of the data is still either hidden in the file system or the mail system is misused as a data management system.
Today’s networking of systems has meant that hardly anyone is able to see through the formation of information. When processing directories are created, they are almost useless even in simple terms. But as soon as complex cloud applications and distributed systems are involved they can no longer be realized. Even the 60/40 solution is a big challenge, 80/20 priceless. But since the majority of organizations are still trying to get by without a proper ECM/DMS system, mastering the data becomes an almost impossible task. Without a systematic approach in dealing with company data, the controllability of the data will remain a dream. Information management is also currently in a phase of change. On the one hand the analytical tools (“Data Analytics”) are getting better and better, on the other hand they are still far too little good to be able to capture unstructured piles of data sufficiently (in the context of compliance: seamlessly!). This means that you won’t be able to do without metadata in the future either. I.e. that an enterprise taxonomy must consider compellingly also the metadatas “DS-GVO relevant”. This can assume different forms, the step is however compelling and must be able to be illustrated afterwards also still by the systems.
The helpless attempt to keep one-dimensional processing directories in accordance with the GDPR leads to absurd results. This approach has already failed miserably in the context of quality management (“keep all your documents in one directory”). Such directories are already hopelessly outdated and, of course, incomplete at the time of publication (I would describe a coverage rate of 50% as high). In the DS-GVO there are various contradictions concerning the transparency of the processing. On the one hand the complete transparency of the processing should be guaranteed, which only with logging, i.e. because

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.