General Data Protection Regulation: Managing Personal Data

Published On January 27, 2018

Many organizations are hearing a lot about requirements of the General Data Protection Regulation (GDPR) these days. And, for good reason. Obviously, this wide-ranging regulation has significant implications for companies based in the EU. But, according to an October 2017 ARMA Live! session on data governance and the GDPR by global law firm Baker McKenzie, the General Data Protection Regulation impacts many companies outside the EU, as well.

According to ARMA session notes from Frances Chen, a privacy specialist at the law firm, companies outside the EU tend to meet one of two GDPR compliance criteria: 1) The company offers a product or service to EU data subjects, or 2) The company monitors the behavior of EU data subjects (when that behavior occurs in the EU).

According to Chen and her colleagues, gaining an understanding of the concept and applications of the GDPR term “personal data” is crucial. This is fundamental to the success of any GDPR-related compliance or information governance initiatives.

Information governance efforts associated with personal data might clearly define such aspects as how, where and when EU citizens’ personal data is identified, used, shared, retained, stored or removed from a company’s systems. Efforts may also involve the development of a more detailed information map (or data map), which would help organizations more effectively govern their increasing use of regulated digital data.

Getting a clear view of what’s required with the GDPR is not always easy or painless. This is made even more challenging by the sometimes-muddy language used in the regulation itself.

According to a short video with Gavin Siggers, director of professional services at Iron Mountain, this includes the vague language used to describe how long to retain personal data. Phrases like “no longer than is necessary” are a case in point (as excerpted from the Regulation’s “Principles Related to Processing of Personal Data” within Article 5).

In mentioning the need for a data map to help organizations move toward GDPR compliance, Siggers couldn’t help but acknowledge the difficulty they’ll face when it comes to defining how long to retain personal data.

“Whilst GDPR creates a level playing field for privacy regulations across the EU, there is no such level playing field when it comes to how long to keep data,” Siggers said. “The GDPR doesn’t tell you.” Looking to the various statutes and regulations for guidance on data retention may not offer quick answers either, as requirements can vary from months to decades.

Tricky, complex regulations like the GDPR are not easy to decipher alone. Thankfully, expert insights and help are available, as are ARMA Live! sessions like Chen’s. The Baker McKenzie session gave more information on the subject of data governance and the GDPR, its personal data requirements and the specific steps needed to develop a data map.