Full Episode Transcript
Hey there and welcome back. I am Rocio Baeza and I’d like to welcome you to today’s episode. We’re going to be talking about GDPR customer data. Do you hold data that is subject to the GDPR? I want to start off with a story. So, I think that it’s important to clarify this and by clarifying it early on, I think your journey in reaching GDPR compliance for your organization will be smoother. It’ll be with fewer headaches, less frustration and fewer redos. So, by clarifying what data is governed by GDPR, what data has to be protected, what data we have to focus in on, by establishing that, you can create scope so that your GDPR efforts are just targeted at that scope and you’re addressing that as a minimum because you’re required to.
Then hey, if you want to take the option of expanding that out so that all of your systems or the entire environment is GDPR compliant, you have a way of doing that, but I feel like if we just focus on this very specific chunk, we can successfully get to that milestone faster and then it’ll be easier for us to broaden that out if that’s an organizational goal. Before I dive into today’s topic, I want to share just a story where it actually took me a while to realize this. If you don’t know my story, I didn’t go into the cybersecurity space right after school. This is something that I fell into with the help and the patience and the grace of my managers, my mentors, my advisor.
I ended up learning more about the space. It’s something that I developed a passion for and I love doing this. I love doing this. I see myself doing this for many years to come. Just having this opportunity, this platform to be able to talk about that and share with others what I’ve learned, it’s something that is important to me. Okay. So, going back to my story. So, early on in my cybersecurity profession, one of my responsibilities was to help facilitate a PCI audit. So, basically my organization at the time had to comply with PCI. That stands for payment card industry. So, if your organization is processing card payments, this is something that you have to worry about.
So, I was tasked with making sure that when our auditor … So, outside auditors would audit our organization on a regular basis and my initial task was making sure that the auditors had what they needed, that we had scheduled all the interviews that they needed to have, that if there were any information requests, the teams were providing that in a timely fashion, and that this documentation was being reviewed for completeness and accuracy before handing that off to the auditors. I remember that in my first few rounds of these types of audits, I realized this is overwhelming. My organization at the time was large. It serviced lots of countries and it was continuing to expand.
As a result of that, there were just a number of different IT resources, IT systems that were in place to support the breadth of the business and it just seemed like, “Oh my gosh. We’re never going to get there. We’re never going to be able to say that our environment, all of our systems are compliant with PCI.” For a long time, I felt that that was a rat race that I was going to have to be in for a long time, and that caused overwhelm, and I felt discouraged. I felt like I’m not set up to succeed here. I actually considered going to a different field because I felt that I didn’t have the skills and the knowledge that I needed to be able to do this successfully.
Now, fast forward some time and with the help of my managers and my mentors and my advisor, I eventually learned that with PCI you have the option of establishing scope. If you can segment your environment in a way where cardholder information is only flowing in a portion of your environment, in a portion of a company network, then the PCI requirements would only apply to that segment. When that finally clicked, like “Oh man I can actually do that. I can actually set things up so that PCI just applies to a portion of the environment,” I felt a relief. I felt a weight lifted off of my shoulders because before I was thinking we have to figure this out for all of these systems. I then realized that we can actually just make a couple of adjustments and our PCI compliance program can really just apply to a small portion of the environment.
When I learned that, it felt like it was a problem that I was able to solve and I could actually see the finish line. I could actually see the light at the end of the tunnel. The reason that I’m sharing this story is because the same way that PCI allows you to minimize scope for PCI compliance, you can have a very targeted focus for where and what GDPR applies to. So, one of the takeaways with this episode is that GDPR does not have to have a trickle down effect to all of your IT systems, to all of your company’s network to all of the machines. It can be focused.
The way that you can focus that is by first understanding, out of all of the data that your organization holds, what is the data that you hold that is considered to be personal data under GDPR? By starting to answer that question, you can start to set up boundaries for that scope. What that means is your GDPR compliance program can be much smaller, can require fewer resources, less time, less effort because you’ve gone through the exercise of determining what personal data does my organization hold? Where does it sit and how is it used? So, we’re going to be taking a deeper dive there and we’re going to be talking about the two categories that are addressed as part of GDPR. So, GDPR applies to two different types of data.
The first one is personal data. The second type would be special categories of personal data. So, there’s a distinction because with special categories of personal data, there is some heightened sense of sensitivity for this data. So, by breaking out personal data into these two categories, if there are any special categories of personal data that your organization holds, there are additional requirements that you have to comply with. So, first we’re going to give some examples of what kind of data points would be classified as personal data and then we’ll do the same for special categories of personal data.
All right. So, what would be considered to be personal data? So, off the bat those would be things like names, identification numbers, email addresses, home addresses, location information, and online identifiers such as an IP address. So, these are all pieces of information that can point to an individual person. Let’s see. Is there something else that I would say about that? I would say that at the end of the day, the majority of organizations these days are just by default collecting email information and I would argue that if you’re collecting that, then yes, GDPR does apply to your organization and it makes sense for you to continue to do more due diligence so that you can get on the path to compliance.
All right. So, we gave some examples of what would be classified as personal data. I think it’s also important to point out that this applies to people that live in the EU or that are residents in the EU. So, your organization might be collecting information about people. This can be customers, this can be prospects, this can be employees, these can be contractors and it’s very well possible that GDPR only applies to one portion of personal data that your organization holds. So, it’s very possible for an organization to be holding personal information about EU citizens and residents because that applies to customers that they have.
So, it’s possible that GDPR efforts for that organization are only concentrated on the customers. You may not have to worry about the employees because maybe the employees that your organization has, they do not live in the EU or they are not from the EU. So, I just want you to keep that in mind. You may be holding information for different types of people, but for GDPR, the focus should be on people that either live in or are from the EU. All right. Now, let’s talk about the next classification. So, the next classification is special categories of personal data. So, these would be things like information that reveals racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, health information that includes things like genetic information or biometric data, trade union membership and sex life or sexual orientation.
If your organization holds any of this type of data, then this would be classified as special categories of personal data. Again, this applies to the people that either live in the EU or that are from the EU. It’s also important to note that there’s a third category. I wouldn’t say that it’s a category per se, but under GDPR, if your organization holds information about criminal convictions and offenses, you do have to pay special care and attention around that information. All right. So, I want to cover two examples that I hope will make it clear for you to see why it’s important to create an inventory of data that you hold about people. Data that your organization holds about people and classifying it as either personal data, special categories of personal data or not applicable.
So, the first example is going to be with the right to be forgotten. So, GDPR provides individuals with a number of different rights. One of those rights is the right to be forgotten. If I am an EU resident or I am from the EU and your organization holds personal information about me, I have the right to ask you to delete that personal information about me. If you have gone through that exercise of making a list of this is all the personal data that we hold about you then you have established scope. If I come to your organization with that request and it’s a valid request, then it’s clear cut what pieces of information you have to delete as part of fulfilling that responsibility.
Many organizations are incorrectly interpreting this as if I say I want you to delete my personal information, that the organization is somehow obligated to delete everything, all data that is related to you. Now, this is misinformation. I would say that as an organization, you have that option. If you have a history of communications, if you have a history of transactions or orders that a customer has with you, you have the option of also deleting that information when you’re fulfilling a right to be forgotten request. But GDPR doesn’t require you to do that. GDPR requires that you delete personal data of that individual. So, it’s very possible that you hold personal data about the individual. You have additional information with that customer, with that prospect, you would only have to delete the personal information.
You don’t have to delete the other information that is tied with that person. I think that this is important because when organizations learn that they have to delete anything, they usually freak out. They usually freak out because they don’t know what kind of consequences that will bring. If I delete these database records, is that going to mess things up? In many organizations and IT teams that I’ve worked with, when you bring that up as a request, there’s usually hesitation because we just don’t know what kind of trickle effect that will have. So, by focusing in on making a list of what personal data is protected under GDPR for your organization, when you are fulfilling these right to be forgotten requests, you know exactly what you have to delete and you don’t even have to think about or worry about what other piece of information do I have to delete?
All right. Let me cover another example. The right to access. The right to access is another right that GDPR affords. So, SAR is a common acronym that is being used. So a SAR is a subject access request. So you may be familiar with that term, a SAR, S-A-R, SAR, but if I am a customer and I am saying, “Hey I want to know what is all the information that you hold about me?” You as the organization, when you’re processing that request, are only obligated to provide them with the personal data that you hold about that person. So, going back to the first example where you may have information about a person and you may have additional information that is linked with that person, communications, transactions, a history of the orders or the purchases that they have made, if I exercise that right and I want you to provide me with a list of all the information that you hold about me, you as the organization are only required to produce a file that shows this is all the personal data that our organization holds about you.
Now you have the option of including additional information. That is an option that you have, but your obligation, your minimum requirement is to share what personal data you hold about the individual. So, going full circle here, if you have gone through the exercise of determining what personal data do I hold, and for that chunk determining for what type of data am I holding personal data of EU residents or EU citizens, and then you are able to produce a file that says this is all the personal data that I hold about these individuals, then you can establish scope.
The way that you organize this is in a GDPR data inventory. At the end of this episode, I will provide you with a resource that can help you with that, but it’s basically an inventory where you make a list of the personal data that you hold about EU citizens or EU residents and by creating that inventory, you have a well established scope so that when you are fulfilling your other GDPR obligations, the right to be forgotten, the right to access, the right to limit processing, you know exactly what you need to focus on and I think that this is a tool that many organizations do not realize is available to them. There’s lots of information out there that I think has unfortunately led many to believe that GDPR has to apply to all of my systems, my entire organization and that usually leads to frustration.
That usually leads to directing more resources than what is necessary to comply and this is a direction that I like to point my clients to because let’s face it. We all have a limited amount of time, energy and resources. GDPR compliance is probably just one responsibility that you have to fulfill. By taking the step of articulating the scope of GDPR, what type of personal data does my organization hold? Your journey in helping the organization become GDPR compliant will require less time, fewer resources, less energy and you are better positioned to have a high quality GDPR compliance plan. Because instead of focusing on everything, you are only focusing on the areas that GDPR applies to.
All right, so I did mention that there is a free resource that I have available. So, we have a free course. It’s called The GDPR Data Inventory Course. So, this is that first step that all organizations should take when they’re starting on their GDPR compliance journey. Now, this is something that you can do yourself. You can pay someone else to do. I would argue that you as a professional, you have all the tools and the resources that you need to complete this first step. Now if you need the extra help and you need someone to do the step for you, you can definitely outsource this. But I would say that most organizations already have the tools and the knowledge that they need to complete this first step.
I would stress that putting together a GDPR data inventory is critical because it’s the only way that you can correctly determine which of the 10 GDPR components apply to your organization. Now all GDPR requirements apply to all organizations. Some organizations will have to do it all, but other organizations will have to do a portion of that. By going through that first step of creating your GDPR data inventory, you are one step further in determining what are the things that GDPR obligates me to do?
Okay. How can you access that resource? So you should be able to see a link to that course in the show notes. The other way that you can reach that course is just by going to our website, gdprstandup.com. If you scroll towards the middle, you should see a button that says “GDPR Data Inventory Course,” or just “Data Inventory Course.” If you click on the button, you will then be directed to a screen. You provide your email address and then we will email you that free course.
I would encourage you, I would invite you to take that free course. It’s possible that you’ve already started on your journey to GDPR compliance and you’re looking to just do a sanity check that you have fulfilled all of your requirements. So, that is one free way of doing that sanity check. You may also have paid someone else to do that and you want to validate that what they told you is actually true. So, you can leverage my course to determine that. Again, you as a professional, as long as you have documentation skills, as long as you have the ability to gather information and ask questions and plug that into the template, you are very much equipped to be able to put together that GDPR data inventory for your organization.
All right. So that concludes our session for today. Thank you for checking us out and we’ll see you on a future one. Goodbye.
Hey there. Wait. Before you close out the episode, I want to quickly share. I recently started a virtual community to help professionals like you on your journey with GDPR compliance. Now, when I got started in the cybersecurity space, I found myself doing lots of reading, Google searches and trying to find information. I oftentimes had to do a lot of investigation before I was able to figure out what’s my next step or how do I address this problem that I’m facing. I want to provide you the resource that I wish I had as I was learning this. If this sounds interesting, I invite you to learn more about this virtual community.
You can do that by going to our website gdprstandup.com and clicking on the button that says “Click to join our virtual community.” Thank you very much.
Helpful links and resources:
- GDPR Stand Up Website: gdprstandup.com
- The 10 GDPR Components
- The GDPR Implementation Blueprint
- Join the GDPR Stand Up Virtual Community
- Free GDPR Data Inventory Course: http://gdprstandup.com/free-course/