Generating a data map and inventorying personal data for data knowledge are at the top of the to-do list for companies aiming to meet the EU General Data Protection Regulation (GDPR) requirements. Data knowledge is essential for verifying compliant data collection and processing.
Some vendors promise to make privacy compliance easier by streamlining email survey-taking of stakeholders to figure out an organization’s inventory of data assets. By providing a set of questionnaire templates using legal language, they promise easier information gathering for Privacy Impact Assessments and related compliance problems. However, most people struggle to interpret legal questions and relying on recollections to find data is by definition unreliable.
But how do you achieve accurate data knowledge when you start with inaccurate data surveys? If the primary aim of GDPR is data protection, can you protect your data if you don’t have reliable knowledge of where it is? Probably not… Let’s look at some of the reasons:
Surveys lack accuracy:
Surveys rely on people interpreting and recollecting. People are fallible and imprecise at the best of times, but when it comes to memorializing the inventory, location, and use of data, they are the opposite of data-driven record keepers. People just cannot “verify” anything to do with where data is collected, stored or processed without a data audit. And, a data audit requires a scan, not a survey.
Surveys can’t capture change:
They say that data is the new oil. And while that metaphor is certainly true when it comes to value and how data powers the modern Internet economy, it’s also true when it comes to how it seeps and flows. Data is not static. It moves, gets aggregated, transformed, shared and analyzed. When it comes to data, change is the only constant. Unfortunately, no person can ever provide a full accounting of how data changes without first interrogating the data. A survey without a scan, therefore, can never fully capture the changes in how data is collected and processed.
Surveys go uncompleted:
Besides lacking data fidelity, surveys also depend on their takers being responsive and motivated. Poor or incomplete input is a problem for any survey-based approach. But no input is even worse. People have day jobs, and filling out surveys that use opaque, legal terms with no direct benefit is likely to be low on their list of priorities. Data privacy may be a corporate concern, but reporting on data may not be every employee’s concern.
Surveys take a long time:
Compiling a data map via surveys, even assuming the best case outcome that they are representative, can easily stretch from weeks into months. Shepherding multiple stakeholders through a survey process is often not resource efficient and is unlikely to produce up-to-date output. While demonstrating to regulators that an initiative is in place may keep them at bay initially, they won’t hold off if progress in assembling a data flow map is lagging that of the company’s peers.
Surveys can’t satisfy personal data rights:
A survey-based data inventory lacks the specific detail to answer the basic question posed by privacy mandates: where does an organization have data on every customer or employee? If the data map is disconnected from data processing activities, it can’t serve as a roadmap for IT and security to generate a data subject access request (DSAR), nor respond to modification or deletion changes. Having a process workflow in place for DSARs doesn’t change the burden on IT to go through manual steps and build custom queries for DSARs, even as the clock ticks down to respond.
So if a survey can’t accurately account for how data is collected or processed, what is it good for? If the goal of the survey is to genuinely protect personal data, then the most direct answer is probably not much. Data maps and inventories generated from a survey can provide input for a privacy impact assessment, but the fidelity of that assessment will always remain questionable.
Surveys will never be superior to scans for accurate and effective personal data protection and privacy. Accounting for data requires data accounting. That requires a way of generating accurate inventories and maps using auditable data scans. If the goal of GDPR compliance is to protect data and enforce privacy, then it will have to rooted in accurate data knowledge – and in that arena, a survey can’t hold a candle to a scan.