MAXIMIZING DATA UTILITY UNDER GDPR

DATA INVENTORY , DATA INVENTORY MANAGER , DATA MAPPING ,

EU GDPR , GDPR , HILARY W ANDALL , PRIVACY

By Hilary Wandall (General Counsel & Chief Data Governance Officer, TRUSTe)

Trying to solve a problem, determine the optimal course of action or make a critical decision in the
absence of meaningful data not only is frustrating it can yield undesirable outcomes. Its like driving
without a map or hiking without a compass, let alone precise GPS. Or, like trying to communicate with
a friend, whose last name you dont remember how to spell, without a phone number, email address
or Twitter handle.

In recent years, many business leaders have realized that connected devices, systems and sensors are
generating more and more data that can be invaluable to making better business decisions. Yet, they
still are deciphering how best to leverage all of the data to drive better business decisions. With
impending compliance obligations under the GDPR, they may forfeit those data opportunities if they
dont implement solutions that enable ongoing authorized use of those data.

Last month, I blogged that privacy leaders can be business enablers by supporting the business in
maximizing net data value in two key ways: (1) partnering with other data leaders in the organization
to establish an integrated approach to data governance that enables data benefit and risks to be
evaluated in a holistic way, and (2) driving consistent evaluation of the value and costs associated with
the acquisition, storage, use and re-use of data.
This month, Mike Hintze and Gary LaFever published a white paper, Meeting Upcoming GDPR
Requirements While Maximizing the Full Value of Data Analytics in which they tackle the new frontier
of data protection by default under Article 25 of the GDPR. The concept of data protection by default
permeates the regulation and expands upon traditional notions of data minimization or minimum
necessary data to prescribe subject to fines up to 4% of global revenue implementation of technical
and organizational mechanisms for ensuring that only the specific personal data necessary for each
specific processing purpose whether collection, scope of use, length of storage, or accessibility
actually are processed. Hintze and LaFever present a compelling case for companies to proactively
implement a robust technical approach to the GDPRs data protection by default requirements in order
to both maximize data value and minimize compliance risk and liability.

As privacy professionals, we spend countless hours with business teams identifying and classifying data
elements, determining the processing purposes and the legal basis for any proposed processing,
evaluating data retention periods and proposed data transfers. We create data inventories and data
flow maps in order to determine whether data minimization, proportionality and onward transfer
requirements are met. We are startled when the hours fly by and our analyses are ongoing, and we
recognize that the only way we can support goals like maximizing net data value is to rely on
technology to scale our work, make it more efficient and ultimately, more effective. With GDPRs data
protection by default requirements in just 15 months, we can no longer put off plans to implement
new technology to help us comply.

Fortunately, Hintze and LaFever present solutions based on a concept of controlled linkability that
refines data so that it can be used for a range of purposes while preserving privacy and protecting the
data from unauthorized processing. Controlled linkability thus facilitates extraction of the full value of
data, enabling both GDPR and other regulatory compliance as well broad data utilization. In order for
businesses to preserve and enhance the value of their data beyond the next 15 months, however, the
time to plan for effective implementation of these technology solutions is NOW.

Since so many businesses rely on big data analytics, as increasingly artificial intelligence, to fuel
innovation and growth, it has become essential to know how to ensure compliance in a way that allows
your data assets to be utilized. Hintze and LaFever are sharing about their approach today in an IAPP
webinar on Unlocking Big Data Value Under the GDPR featuring Gwendal Le Grand, the Director of
Technology and Innovation of La Commission Nationale de lInformatique et des Liberts (CNIL). You
can learn more at www.anonos.com/bigprivacy

PRIVACY MANAGEMENT SOLUTIONS

CONTACT US US: 888.878.7830 EU: +44 (0)203 078 6495 | www.truste.com TRUSTe Inc., 2017