GDPR: taking the long-term view
I was recently invited to be part of a panel at an event in London organized by Simmons & Simmons, a leading global law firm.
The theme was data protection and privacy, so naturally GDPR compliance was a hot topic amongst the 150 invited Simmons & Simmons clients, who included Corporate Lawyers and General Counsels from major corporations across industries ranging from Financial Services to Technology, Media and Telecommunications.
The panel brought together up-and-coming technology vendors with advanced data protection and security solutions. We looked to address specific challenges — from how to uncover and classify personal information across the enterprise, to finding solutions to protect corporations against the inadvertent disclosure of confidential or personal information through employee emails.
Most speakers focused on the challenges of preparing for the May 25 deadline for GDPR compliance. This is a vital activity, but the thrust of my contribution was to also get the audience to take a longer-term view of their privacy obligations; in particular, around digital information and records containing personal information (e.g. HR records) that need to be kept for decades.
Discussing GDPR with 150 Corporate Lawyers and General Counsels
The GDPR has specific articles that describe the obligations and requirements for data controllers, which means organisations need to choose systems and data processing partners carefully to ensure they can meet these obligations. As well as ensuring digital records can actually be used and read by future applications, this includes having robust technology that provides search and classification, controlled access, audit trails, and trusted deletion.
An interesting point emerged during the panel’s discussions. A frequently mentioned requirement of GDPR is the “Right to Be Forgotten” – but as a counterpoint to this we debated a corporation’s “Responsibility to Remember”. This is the responsibility to know that you are holding personal information and where it lives, but also the duty to retain critical digital information perhaps for decades — all in order to unlock value and meet compliance, regulation and legal obligations.
GDPR will be hotly debated and discussed in the run-up to May 25 next year. Make sure you also take a long-term view and consider how to ensure privacy compliance for critical information and records that need to be kept for years to come.