The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. In the race to create documents to show they were in compliance, many companies inadvertently created documents that actually show that they are out of compliance. The net result is that instead of reducing liability, they have increased it.
Bryan Cave Leighton Paisner is publishing a multi-part series focused on what companies should be doing now that the GDPR is here. This installment focuses on data inventories.
What is a data inventory?
Article 30 of the GDPR requires that most companies “maintain a record” of their processing activities. For controllers that record should include the following information for each piece of personal data processed:
- An explanation concerning the purpose of the processing;
- A description of the categories of data subjects involved;
- A description of the categories of personal data involved;
- A description of the categories of recipients who receive the data;
- A description of the countries outside the European Economic Area (if any) where the data is sent and the adequacy measures discussed to facilitate the transfer;
- The time period before which the data is anticipated to be erased; and
- A description of the security applied to the data.
In the lead up to the GDPR many organizations rushed to create data inventories in-house by using forms and templates supplied by law firms or supervisory authorities, or retained consultants to come in and complete a data inventory on their behalf.
Why are data inventories dangerous?
Herein lies the problem. Companies are required to “make the record [of their processing] available to the supervisory authority on request.” That means that if a supervisory authority investigates your organization the data inventory will more than likely be the first thing that they request.
The following is a case study of a multi-national organization that retained a well-reputed consulting company to conduct a data inventory and to create the documentation required by Article 30. The consulting firm leveraged technology to interview hundreds of individuals (e.g., online surveys) and then created a complex data inventory for the organization. The overall cost approached $100k.
At the end of the project, the organization requested that BCLP evaluate the data inventory as part of a holistic GDPR gap assessment. Our evaluation found that the descriptions for 80% of the systems that were inventoried were either inaccurate (at best) or documentation of per se legal violations (at worst). Indeed, had the inventory been produced to a supervisory authority they would have identified what appeared to be at least ten systemic violations of the GDPR that crossed dozens of data systems. The tragedy was that the organization’s actual data practices – if correctly described and correctly documented – did not violate the GDPR. The only violations were the ones that the data inventory created.
While the errors or issues created in the inventory are too many to list, the following is part 2 of a three-part case study that describes some of the main problems that the inventory – if it were ever seen by a regulator – would have created:
Part 2: Listing Performance of a Contract as a Legitimate Purpose.
The consulting company had listed “performance of a contract” as the permissible purpose in 56% of the data systems that were described – including B2B billing systems, direct marketing systems, online marketing systems, etc. This created many problems.
First, the performance of a contract can only form a lawful basis for processing personal data if the contract is one to which the data subject (i.e., the person whose information has been collected) is a party. In this particular situation almost none of the data related to situations in which a contract actually existed. For example, there was no “contract” to send direct marketing to prospective consumers, and there was no “contract” to conduct online behavioral advertising.
Second, where a contract did exist it was typically with a business that the data subject worked for. For example, a contract might exist with supplier A, and the information that was being collected was supplier A’s billing coordinator, relationship manager, administrative assistant, etc. In none of these cases could a plausible argument be made that the information was necessary for the performance of a contract with the person whose information had been collected.