The role and challenges of the IT department in implementing GDPR
Daniel SUCIU
Data Protection & Governance dude | Founding member of Data Protection City | unCommon Sense "creative" | Proud dad of 2 daughters
Disclaimer... or warning
This exact example is purely fictional; however, any resemblance to people, attitudes, issues or organizations is neither intended nor coincidental, but inevitable (disclaimer inspired by Heinrich Böll).
Older overlooked issues, but problematic for GDPR compliance
For all IT systems, it’s a truism that both technical documentation and a user manual are a minimum requirement. The problem is that, even when these do exist (and are kept up to date), nobody reads them anyway, like any other IT procedure, although everyone swears they read it from cover to cover.
How can you expect someone to read IT procedures on using personal computers or even smartphones, or, God forbid, on email usage or browsing the Internet? Well, at home even the little one knows how to work on the computer and surf the net.
Another common practice of Romanian management is to exempt itself from any rule. After all, how can you expect management to use a complex password... and change it every 90 days? Or that other stupid rule, that you cannot watch movies online or download games on your work computer... for your kids?
It doesn’t matter that, much of the time, IT solves issues that should never have occurred in the first place and handles "exceptions"… which end up being the rule.
Let’s see what we can do from a technical standpoint to prevent issues, or at least to monitor the proper functioning of equipment and IT systems. Well, it costs money. And the options that do not cost a lot need more time and more people to configure and operate.
Money again???
Didn’t we give you money for servers?
That was several years ago?
Do we need more licenses, more support?
Why? That's why we have internal IT, that's why we pay your paychecks!
However, IT does not work only by its own rules. There are needs and processes that others define, IT being just a cog in a greater mechanism.
To simplify the problem, let’s suppose these processes were analyzed, agreed and correctly defined. Let us take as an example a new hire or a departure from the organization. What problems could IT have here? That "sometimes" IT is not notified about it? That management asks why the new employee does not have a computer or access to applications? Didn't anyone ask? When IT asks what rights they should have in the IT systems, the usual answer is:
The ones he needs
On departure, doesn't IT automatically delete all the accounts and rights the person had... apart from whatever may still be needed and nobody else has?
It doesn’t? Why?
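One way to catch the two failures just described (IT never told about a joiner, a leaver's accounts left active), as an added example that is not part of the original article: reconcile the HR joiner/leaver feed against the directory's account list and report the mismatches. All user IDs and dates below are constructed sample data; in practice the two lists would come from the HR system and a directory or IdP export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    start: date
    end: Optional[date]  # None while the person is still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool


def stale_leaver_accounts(hr, accounts, today):
    """Leavers whose end date has passed but whose account is still enabled."""
    enabled = {a.user_id for a in accounts if a.enabled}
    return sorted(r.user_id for r in hr
                  if r.end is not None and r.end < today and r.user_id in enabled)


def joiners_without_accounts(hr, accounts, today):
    """Current staff (started, not yet left) who have no account at all."""
    known = {a.user_id for a in accounts}
    return sorted(r.user_id for r in hr if r.start <= today
                  and (r.end is None or r.end >= today) and r.user_id not in known)


def orphan_accounts(hr, accounts):
    """Enabled accounts with no HR record behind them (ex-contractors, test users)."""
    people = {r.user_id for r in hr}
    return sorted(a.user_id for a in accounts if a.enabled and a.user_id not in people)


# Constructed sample data: a leaver still enabled, a joiner without an account,
# a properly disabled leaver, and an account HR knows nothing about.
HR = [HrRecord("ipopescu", date(2015, 3, 1), date(2018, 4, 30)),
      HrRecord("mionescu", date(2016, 1, 10), None),
      HrRecord("aradu", date(2018, 5, 21), None),
      HrRecord("cdumitru", date(2014, 6, 2), date(2018, 3, 15))]
ACCOUNTS = [Account("ipopescu", True), Account("mionescu", True),
            Account("cdumitru", False), Account("admin2", True)]
TODAY = date(2018, 5, 25)  # report date (the GDPR application date)


def report(hr=HR, accounts=ACCOUNTS, today=TODAY):
    """All three findings in one dict, ready to hand to the helpdesk queue."""
    return {"stale_leavers": stale_leaver_accounts(hr, accounts, today),
            "joiners_without_account": joiners_without_accounts(hr, accounts, today),
            "orphan_accounts": orphan_accounts(hr, accounts)}
```

Running `report()` on the sample data lists ipopescu as a stale leaver, aradu as a joiner without an account and admin2 as an orphan; run nightly, the same comparison turns the "sometimes IT is not notified" problem into a ticket instead of a surprise.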
Let's say that the problems we have just described are solved. For now nothing goes wrong, a balance is achieved between theory and practice, between expectations and possibilities, and business and IT are running smoothly.
A new challenge - GDPR
Hearing about the imminent entry into force of the GDPR, and having analyzed the operational situation, the organization has identified IT as the party mainly responsible for its implementation... After all, who knows more about data? They will benefit from the unconditional support of the legal department and are assured of firm management commitment. If they are very "lucky", they also benefit from the assistance of a consulting firm.
All they have to do is identify the personal data, the places where they live, multiply and die, and document their lives. What’s so complicated here?
Reading the GDPR (on their own, on their own time, of course), IT finds out that the concept of personal data is not what they believed, namely the data from HR, but that personal data is well hidden (or not so hidden) in all their systems, servers, even routers, configuration files, not to mention logs. That any user ID associated with a computer, or any business email address, is personal data too. As a bonus, any electronic document created in the organization, even an empty one, contains personal data in its metadata. And it's pointless to even talk about the content of emails: any email could contain personal data.
How could they tell management it would be much easier to document where there is NO personal data? They tried searching the whole network for the name or ID of a former admin, but got bored after the first ten full screens of results...
Okay, after a clarifying discussion it was decided to limit the documentation to the most obvious. Said and done. IT worked after hours, dug through data and documented the main types of data and processing, and also helped other departments, for whom mapping their specific data and processing in an Excel sheet is a very hard thing...
Not surprisingly, most departments (including legal and HR) have more important things to do anyway; somebody has to keep the business running.
Meanwhile, IT still finds it necessary to talk to all equipment, solution and service vendors to update contracts with specific data protection clauses (which will be received from the legal department… sometime in the future).
The “solution”
In recognition of the quality work of IT, all other departments have expressed their full confidence in IT's capabilities, and they only ask for a little extra help: in all IT systems, they need one or two small buttons (sometimes there can be five), one that extracts all the personal data of a person (by any search criteria) and one that deletes it. There are a few alternatives, but they are not urgent... maybe they’ll clarify the requirements next week.
For those internally developed there should be no problem, right?
It isn't??? What do you mean, the developer has left the organization and the applications are not documented?
Well, why aren't they documented?
But we’re confident it will be easy for you to understand them anyway.
One week is enough. No? Okay, two weeks…
By the way, do not forget to make a file, a page on the Intranet... you know, where you’ll register all the requests from customers, former employees and partners, how they were handled and when you delivered their personal data.
And I almost forgot, I received from a consultant a list of IT procedures that you need to implement and train the staff on. Something with security, incidents, back-ups... Maybe they need two or three minor changes.
What do you mean, we already have them? Why didn't you mention it?
Nobody asked you?
Anyway, we know you can manage all this stuff, as you always have.
And they did, and everyone lived happily ever after, and management even gave out a bonus for solving such a tricky problem...
Note: This article was initially published in Romanian in Catalog Cloud Computing, editia a 9a, GDPR Catalog, editia a 3a - page 52-54.
Special thanks to Radu Crahmaliuc