Personal data is at the very heart of GDPR, but we often overlook that it exists in both digital and physical forms. Physical records only fall within scope when they form part of a filing system, i.e. they are organised so that a particular individual's data can be found, such as an ordered filing cabinet, a Rolodex, a ledger or microfiche. So your random Post-It notes and whiteboard scribblings are, on their own, outside the scope of GDPR compliance requirements (at least until someone files them).
But as with most things, it's not quite that simple, since the physical world creates some problems when it comes to protecting data and supporting the rights of data subjects.
The right to erasure is an area with significant problems around physical assets, and those assets can hold data that is digital or physical in nature. Here's an example. A company keeps all its data inside a CRM system on a single server and keeps a backup of the whole server on an external hard disk. The backup is an encrypted archive of the whole server, integrity protected so that it is an immutable snapshot of the server at that point in time. This backup is great for security: it helps provide availability of the company's CRM system in case of a disaster, and it cannot be accidentally (or maliciously) edited. But now we have a physical device storing digital data, and that creates some problems.
Firstly, how do we protect the device itself as we would a file on a computer? Where do we store it? How do we keep it safe from fire, water and theft? How do we keep it geographically close enough to remain useful but far enough away to survive a physical disaster? How do we keep it separate from the key or password that would decrypt it? Who has access to it? Has someone made a copy of it? How would we know?
Secondly, when someone requires data to be removed from the CRM as part of their right to erasure (or simply under the retention policy), it is simple to do this on the live CRM, but how do we remove it from the backup copy? The backup is immutable, i.e. it can't be edited by design, and its integrity protection exists precisely to detect such changes. If we restore the disk to another server, delete the record there and back that server up again, we are left with a new snapshot that reflects neither the original backup nor our actual live environment, and the original disk still holds the data until it is destroyed.
Even simple physical assets can be a challenge. It is not uncommon for older organisations to have a locked room full of boxes of microfiche just sitting there, waiting to be resurrected into service. Few people would know how to find any data in there, let alone have any chance of editing, deleting or protecting it.
As concerning as this sounds, the simplest solution is to go back to square one and ask, “Why?”
“Why do we need to keep this file?”
“Why do we need to keep this passport photo of this ex-employee?”
Often the answer is, “Good point, we don’t need it, let’s just get rid of it.”
By taking a long hard look at your physical assets you'll find that many can be destroyed or digitised (especially in HR and Finance departments). Even whole-system disk or tape backups can be replaced with data-level cloud backups from which individual records can be removed, although bear in mind that a backup which can be edited is also one that a mistake or an attacker can edit, so the protection you gained from immutability has to be provided some other way. Anything that remains will need to be risk assessed to decide how best to protect it. This model is what GDPR compliance is all about, whether the data is physical or virtual: understand your data and what you're doing with it, don't hold more than you need, and give it the level of protection it requires.
Data used to be something we collected by default, hoping it might prove valuable later. Now GDPR pushes us in the other direction: holding too much data is a burden and a liability, so the focus shifts to holding less and getting the most value from it. It's important to remember that more data isn't better. We should hold higher quality data, and as little of it as possible.
Keep the data you need because it has value.