There seems to be a light at the end of the tunnel for organizations previously exporting personal information from the EU to the US under Safe Harbor, the EU-US Privacy Shield. Unfortunately the details of Privacy Shield are not yet available, so what is a privacy officer to do to prepare for utilizing the new agreement?
Whatever Privacy Shield requires of organizations, it is a sure bet that you will need to know what EU personal data you are collecting and exporting to the US. You will also need to know how it is protected, processed, shared, and destroyed. This information will allow you to make the determination of whether your organization will be Privacy Shield compliant or if some remediation is required.
How is a data inventory established?
The process of creating a data inventory can be tedious and time consuming, If your organization does not have one, there are various approaches to collecting the information.
One method is to create a survey to ask process and application owners about the data they use. The data owners will come from various parts of your organization. Each will have their own frame of reference, so they will all interpret the questions in the survey a bit differently. For example, consider asking the question “where is the data stored?” of a business department manager and an IT manager. One will say “in a database” while the other might respond with a table name in the database or a server name.
To address this, the person or group coordinating the inventory will need to be readily and preemptively available to those filling out the survey. Interim check-ins with the respondents to review their survey responses will improve the quality and uniformity of the responses.
The most common data inventory survey answer: “I don’t know”
A difficulty that a survey approach must overcome is that the depth of knowledge that is required of the respondents. You are trying to get a wide variety of characteristics about the data items that a single person may not have. A business manager, for example, will generally not know much about data storage, protections, or sharing. These folks know the applications meet their processing needs and rely on other organizations for storage and protections . Similarly, and IT person may not know why the data is collected or what roles access the information, that is a business concern.
Legacy applications present another concern. The knowledge of how a business process or application works often has walked out the door with a departing employee even if documentation is up-to-date.
So, the most common answer to a survey question may easily turn out to be “I don’t know”. This will require the group managing the survey process to encourage respondents to reach out to other groups or individuals. Alternatively, a follow-up with face-to-face meetings to gather the information may be done by the coordinating group.
Keeping the data inventory up-to-date
Reviewing the survey information and placing it a format that is useful is discussion left for another day. However, once the inventory is created, it is vital that it be kept current.
To keep the information current simply send the inventory information you have collected to each data owner on a quarterly basis requesting them to provide updates.
Using the inventory
Data inventories can certainly be used for compliance decisions such as will be needed with the Privacy Shield. The inventories can be also be used to support other decisions such as those made if (when?) a data breach occurs.