Many companies hoard their data. But in trying to comply with the strict requirements of GDPR, some organizations have swung to the other extreme: they are now deleting too much data that could be useful in the future in order to minimize the risk of damaging data breaches.

Yet there are other strategies that might be employed, such as anonymizing personal data, which would retain the useful characteristics of the data even when the personally identifiable parts are removed. Another approach might be to automate subject access requests (SARs), which would reduce backlogs.

Here is an excerpt from a report published in MeriTalk:

Whitworth said that organizations could stop forcing themselves into a binary choice of keeping or deleting data through encryption methods in pseudonymization and anonymization. These would “de-risk” and “de-identify” data.

“Maybe you don’t know what you can do at the moment, so maybe encrypting and locking off-site is an option until you’ve got the answer – as long as you can demonstrate to supervisory authorities, if challenged, that you have made it unavailable to processing,” Whitworth said.

Amid the issue of figuring out how to safeguard and use data, organizations are also grappling with how to move from a state of manual compliance with GDPR to operational compliance, Whitworth added. “All too many organizations look at data protection by design and default and only apply it to application development or product development,” he said. “They’re not looking at the whole innovation process.”

For data privacy protection to be interwoven across an enterprise rather than treated as a compliance exercise, automation and orchestration will be essential. Whitworth said that the subject access request (SAR), which grants individuals the right to access their personal data, is one area of GDPR enforcement in need of automation, as it will allow people to process SARs automatically and more easily.

Automation and orchestration are also key to mitigating third-party supply chain risk, which Whitman said is also important in developing SAR. “Unless you’re doing automation and orchestration, then all you’re doing is saving up a huge manual backlog again,” Whitworth said. “And if you thought it was difficult to deal with a subject access request, think about if you’ve got to go down to your third, fourth, fifth parties in your supply chain to assure … a third supervisory authority that you’re doing the right thing.”