Adrift on a sea of data: Architecting for GDPR I’ve spent many hundreds of hours listening to sales pitches from technology vendors but it’s only during the last year I’ve started to find them rather depressing. That’s been thanks to the arrival in 2018 of the European Union’s General Data Protection Regulation. For example, I was recently pitched to about one particular …
"Architecting" is such a horrible word. Architects design. This is what they do. Journalists don't journalist, they report, write, investigate. Editors don't editor articles, they edit them and so on. I'm sure that dictionaries may list "architect" as a verb but they are just doing the English language a disservice.
Down with this sort of thing!
I'm having to put processes in place and I see it as a plan for regular scrubbing out at the back of cupboards ('whose data is this? It's got mold all over it and if nobody claims it I'm throwing it away') and politeness: 'Hi, we hold this info about you; are you still cool that we keep hold of it?'
It's also like being a good date: be clean, be clear, and keep checking that she still likes it.
"By defining rigid data retention policies and destroying data when the policy says you should."
Even before you get to data retention you should only collect the data you actually require. This may be rather less than manglement, particularly marketing, insist they want.
In fact, a good place to start would be by taking away all marketing's toys: their PCs, mobiles, network shares or whatever and only give them back after auditing for PII that shouldn't be there. Also, take away their budget and only give it back to them as required for projects signed off by your data protection compliance officer. Because marketing's culture is almost certainly antithetical to that you're trying to build.
That's one solution, and likely a highly effective one because once you've taken away your organisation's ability to sell it'll go bust quickly.
Why do IT people seem to regard business as a war between IT and everyone else? What's wrong with working together?
I had a highly productive meeting with one of our Marketing Directors yesterday. Her response was "we know we're not good, we'd like to change please help us, by the way here's a third party we use can you help us make them compliant too."
Dr Syntax, I too am replying to say that Marketing are avid for information because information = leads = sales. I work closely with Marketing and Comms and they are expected to reach targets. What you need to give them is safe, easy ways for them to do what they need to do. I would rather my team didn't source their own suppliers, and so to stop every little vendor from getting hrough the door, I am proactive, I find out where the pain is or is likely to be, and I give them solutions that are fast and cheap and work. Because they are my customer. It's up to me to make things secure and to meet GDPR even when they can't be bothered. Otherwise it is like making your customers do one of those irritating captchas at the end of forms: you get them to do your anti-spam for you, because that's easier than ensuring the whole system is safe.
Not that I don't think you are a wonderful person.
Then marketing can't do its job, sales have no leads, your employer makes no money and your problem of driving GDPR compliance is over.
Maybe the better approach is to recognise that Marketing is the engine of the business and the data compliance officer is a business support function - educate and work with Marketing to ensure they understand the regs and can continue to ensure that the business is successful so you have a job.
That's an interesting way to put it. I say to people that they should assume they'll be hacked (e.g. by zero-day ransomware) and hence plan to mitigate the intrusion rather than just design a protection regime. Like the idea of considering PII as a liability in the same context.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
