Working as one: how to break down company silos

Over the past year and a half, many far-reaching consequences have resulted from the pandemic, forcing businesses of all sizes and sectors to face a series of new and evolving challenges. 

One of these major effects of COVID-19 has been the huge rise in customer demand for digital innovation. According to recent studies by Salesforce and Hubspot, following the pandemic, 89% of customers expect businesses to accelerate their digital initiatives, and 69% expect organisations to transform their services or products into new digital formats. 

For those of us who worked (and lived) remotely for the majority of 2020-2021, these stats come as no surprise. Over the course of lockdown, there was a sharp rise in the number of new business platforms we adopted, delivery subscriptions we signed up to, and Amazon packages we ordered.

This rush towards digital innovation has inevitably led to an exponential surge of data for companies that aren’t necessarily used to handling it. As new software and services generate more and more customer information, companies are having to learn to process an ever-increasing amount of personal data.

With data pouring into organisations from a growing number of communication touchpoints and needing to be processed by various internal departments, many businesses are finding themselves dealing with an escalating internal challenge: data silos. 

Below, we take a closer look at the problem of data silos and examine why they’re a particularly troublesome issue for GDPR. We’ll also look at some key steps your company can take to overcome silo mentality and work more strategically as a unified and compliant organisation.

What is a data silo?

A data silo refers to a collection of data that is held in isolation by an employee or department. This information is either inaccessible or hard to access for other members of staff, with the data owner being either unable or unwilling to share their data and knowledge.   

There are a number of reasons data silos occur, but perhaps the most common cause is organisational silos, where a business is divided into departmental factions (e.g. Finance, HR, Product Development and Marketing).

Each of these departments has its own targets, goals, and technologies, as well as processes for managing data. These factors combine and result in data being organised into disparate, internal silos rather than into a centralised, unified source or data hub. 

Why are data silos dangerous for GDPR?

For any organisation, data silos pose issues for productivity and performance as they commonly result in information that is duplicated, outdated and incorrect. Companies are also unable to get a holistic view of their data, so deep insights are often missed, limiting opportunities for innovation and efficiency. 

This lack of oversight for enterprise-wide data is particularly problematic when it comes to GDPR and compliance. 

When information is stored in different locations and databases, those responsible for GDPR compliance are unable to quickly or easily identify issues such as outdated data, the misplacement of sensitive data, or risky third-party activity.

If different offices, departments, or individuals follow their own data steps and practices, there’s also a much greater risk of information and files being mishandled due to human error or compromised by external security breaches.  

Manually assessing the risk of individual departments and their systems is also incredibly time-consuming, which in today’s data-driven environments is likely to result in the inability to keep up with growing amounts of data. 

Another compliance concern is that if data is scattered throughout an organisation and hard to locate, incoming subject right requests (SRRs) become problematic: it takes employees longer to retrieve the information and address the request within the allocated GDPR timeframe.

Overall, companies typically end up being reactive to compliance issues rather than proactive in the safeguarding of company information and client relations. This more reactive approach is also a sign a business isn’t aligned on internal strategy or expectations, both of which expose an organisation to further risk. 

How can businesses overcome silos?

While silo management will depend on how divided your company is across departmental lines and the state of your data operations, there are a few universal strategies that can help break down divisions and move your team towards a more united approach to business data.

1. Unify departments with a shared vision

If internal departments have no common goals that unite them with colleagues from other divisions, they’ll continue to either compete against each other or operate as isolated entities individually focused on their own specific targets and processes. 

This tunnel vision behaviour will then have a knock-on effect on the flow and management of data, limiting collaboration and deepening silos. 

The first step in breaking down organisational silos is to set up a universal vision that applies to all departments and champions free-flowing data.

Aligning internal divisions with a shared purpose upheld by objectives and projects ensures that colleagues will start working together, helping foster a collaborative rather than competitive environment. 

Highlighting the mutual benefits that each department will experience as a result of this new united vision will be key in incentivising employees to move out of a “my department” attitude to an “our company” mentality. 

2. Incentivize change

While outlining the benefits of cross-departmental collaboration may persuade some colleagues to start breaking down data silos, some cases may require more direct motivational strategies to implement your vision. 

Attaching data-sharing KPIs to individual job roles will root your company vision in day-to-day activities and assign accountability at all levels.

Where possible, consider supporting these KPIs with incentives, whether rewards, bonuses, positive feedback, or favourable performance reviews, to ensure data-sharing becomes a task people want to do rather than are forced to do. 

3. Standardize enterprise-wide data processes

With internal departments running their own campaigns, technologies, and communication channels, data will be flooding into your organisation from a large number of different sources. 

If every department – and often every employee – is handling this incoming data based on personal preferences, inconsistencies will soon arise, and it will become harder to identify both opportunities and risks hidden in your information. 

To avoid this, work with all department leads to find out where data formatting and processes can be standardised so you can streamline your operations and avoid any duplication of tasks or information. 

For example, Marketing may be labelling a customer’s preferences under one title, whereas Sales are filing it under another, meaning this dataset doesn’t get pulled into a research audit for an important project, or that data is updated in one department and left outdated (and potentially risky) in another. 

Throughout this process, departments must maintain constant communication and update each other on current and existing projects and software so that developments which could benefit others are not missed. 

4. Invest in data mapping technologies

While digital innovation will look different from company to company, any phase of digital transformation will inevitably lead to a greater number of platforms and a subsequent rise in the volume of inbound personal data. 

Data mapping technologies enable companies to have greater control over their growing databases by providing a clear overview of how data flows across their organisation. 

Rather than wasting time hunting down files by clicking in and out of folders or manually requesting information from colleagues, employees are able to use these automated tools to get instant access to all the information they need. 

With just a few clicks, they can find out where a file is, when it was imported, who has interacted with it, which systems have processed it, and whether or not it poses any risk or opportunity for the company. 

By using one system to collect data from varying departments, a company experiences less disruption as data flows efficiently into one source rather than back and forth between colleagues.

In addition to reducing unnecessary communication between staff, businesses can leave communication between highly advanced business areas and the organisation to the vendor. With managers free from answering the same, repetitive questions, they have more time to focus on the more advanced and challenging aspects of GDPR. 

Employees can rest assured that everyone is working on the same data, with data mapping eliminating issues such as duplicate datasets or the wrong formatting or labelling of information. 

Offering one centralised location for company data also gives businesses an interconnected and strong foundation for data storage, laying the groundwork for advanced automation to accelerate digital transformation across a company’s multiple departments and offices. 

To find out more about Complyon’s data mapping solutions and how our platform and consultants can help you address everything from data silos to third party risk management, you can get in touch with our team today.

The right to erasure: when to delete personal data

On May 25th 2018, after years of anticipation, GDPR firmly landed on the data and privacy scene and set about revolutionizing our data-heavy lives. 

At the heart of these new legislations and regulations was the promise that regular individuals would have more control over personal information handled by organisations, allowing people to better manage who has access to their data and how it is used. 

Article 17, the right to erasure, plays a key role in upholding this fundamental GDPR purpose. Under the article, which is also known as ‘the right to be forgotten’, individuals are able to request that an organization delete their personal information from live and backup systems.

However, with its list of exemptions and easy request processes, this article is anything but clear cut and has caught out many businesses – including Google, who were handed a hefty €7 million fine for their lack of Article 17 compliance in March 2020. 

In the first of our ‘Article spotlight’ series, we break down this potentially costly GDPR legislation and pass on our insider tips for how to be best prepared for an Article 17 request. 

What is the right to erasure?

Outlined in Article 17, the ‘right to erasure’ states that an individual has the right to obtain from the controller (your company) the deletion of their personal data without ‘undue delay’.

This applies to data scenarios where: 

  • Your business no longer needs the data for the original reason it was collected or used
    e.g. When someone cancels a subscription to your service and you no longer need their online or postal details.
  • Someone withdraws their consent
    e.g. After a person has unsubscribed from your company newsletter and they don’t wish to receive this form of communication anymore.
  • An individual objects to your use of their data and there are no legitimate grounds for you to continue to process their data
    e.g. An individual ended their membership with your company but you continued to use their data for internal research.
  • Data has been collected or used unlawfully
    e.g. You sent direct marketing material to a customer who did not opt in to receive communication to their home address.
  • Your organization has a legal obligation in Union or Member State law to delete the data
    e.g. If you work for a bank, you may need to delete information about a customer’s loan or debt once a certain amount of time has passed since receiving the final repayment.
  • Data was collected from a child aged under 16 years old
    e.g. A minor uploads a video to your online platform and later requests that it be taken down.

When can your company refuse to delete personal data?

There are a few stipulations that can negate someone’s Article 17 request. These exemptions include: 

  • Exercising the right of freedom of expression and information.
  • To comply with a legal obligation, or where the processing is carried out in the public interest.
  • For reasons of public interest within statistical purposes, or scientific or historical research.
  • For the establishment, exercise, or defense of legal claims.
  • If a request is manifestly unfounded or excessive.

If you decide to refuse an individual their right to erasure, remember that this is likely to have an impact on your client relations and/or company reputation, so you have to be confident that your counterclaim clearly falls within exemption territory.

You can find more information about exemptions via this helpful ICO guide.

How can someone request that their data be deleted?

Here’s where the likes of Google have been stung in the past – there is no specified process for making a valid Article 17 request. 

Individuals can submit a request verbally or in writing to anyone or any point of contact in your company. They don’t need to use any particular language or mention ‘Article 17’ or ‘the right to erasure’.

As long as their request adheres to the list of data scenarios above, your company is responsible for ensuring the erasure process is followed through.

What action should a company take when they receive an Article 17 request?

Once a request for deleting personal data is received and recognized as valid, you need to start the process of erasing the specified data from live and backup systems without ‘undue delay’.

From the moment you receive a request, it’s important to let the data subject know the exact processes you’ll be taking and the timeline you’ll be following so they feel confident in and assured by your actions. 

For example, you may be able to delete their data immediately from a live system but unable to access your backup system until a later date.

Make sure you clearly communicate when the data will be deleted and in the meantime, mark this data ‘beyond use’ so it is not used for any additional purposes.

At the very latest, ‘undue delay’ means complying within a month of the request, or within a month of receiving the information you need to confirm an individual is the owner of the data. 

If a request is complex or excessive, you’re entitled to a couple of extra months to make sure the data is deleted. In this instance, you may also be eligible to charge the data subject an admin fee. 

However, typically you cannot ask a data subject to pay for access to or removal of their data – a lesson hard-learned by Bureau Krediet Registratie, who were fined €830,000 in July 2020 for billing customers who wanted to access their personal information more than once a year.

How are third parties impacted by the right to erasure?

When an Article 17 request is made, you must contact every other person or organization that you have disclosed the data to. 

A data subject is also allowed to request that you inform them of who else has, or has had, access to their data and update them on whether or not you have contacted these external parties to let them know they wish for their data to be deleted. 

If the data in question has been made public in an online environment, (such as on a forum, website, or social media platform), you must either delete it or demonstrate that you’ve taken reasonable actions within your technical and financial control to remove this data.
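The handling steps above (erase what you can reach now, mark the rest ‘beyond use’, compute the one-month deadline with its possible extension, and notify every third party you disclosed the data to) can be tracked in code. The following is an added illustration, not Complyon’s software or any part of the GDPR text; the record and system names, the disclosure log and the request dates are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import calendar

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class ErasureRequest:
    subject_id: str
    received: date                          # day the request reached anyone in the company
    identity_confirmed: date | None = None  # day we could confirm the requester owns the data
    complex_or_excessive: bool = False      # justifies the extra two months described above

    def deadline(self) -> date:
        """Latest acceptable completion date: one month, or three if complex/excessive."""
        start = max(self.received, self.identity_confirmed or self.received)
        return add_months(start, 3 if self.complex_or_excessive else 1)

@dataclass
class Record:
    subject_id: str
    system: str            # constructed names such as "crm-live" or "backup-tape-w30"
    beyond_use: bool = False
    deleted: bool = False

def process_request(req: ErasureRequest, records: list[Record],
                    reachable_now: set[str], disclosures: dict[str, list[str]]) -> dict:
    """Erase what can be reached today, mark the rest 'beyond use' until it can be
    erased, and list the third parties that must be told about the request."""
    deleted, pending = [], []
    for rec in records:
        if rec.subject_id != req.subject_id or rec.deleted:
            continue
        if rec.system in reachable_now:
            rec.deleted, rec.beyond_use = True, False
            deleted.append(rec.system)
        else:
            rec.beyond_use = True      # must not be used for any purpose in the meantime
            pending.append(rec.system)
    return {"deadline": req.deadline(), "deleted": sorted(deleted),
            "pending_beyond_use": sorted(pending),
            "notify_third_parties": sorted(set(disclosures.get(req.subject_id, [])))}

# Constructed sample: one subject with a live CRM row and a copy on an offline backup.
SAMPLE_RECORDS = [Record("s-1001", "crm-live"), Record("s-1001", "backup-tape-w30")]
SAMPLE_DISCLOSURES = {"s-1001": ["mailing-vendor", "analytics-vendor", "mailing-vendor"]}
SAMPLE_REQUEST = ErasureRequest("s-1001", received=date(2021, 1, 31))

def sample_run() -> dict:
    return process_request(SAMPLE_REQUEST, SAMPLE_RECORDS, {"crm-live"}, SAMPLE_DISCLOSURES)
```

The returned plan is what you would communicate to the data subject: which copies are already gone, which are frozen pending the next backup window, and the date by which everything must be complete.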

What steps can your company take to be better prepared for dealing with Article 17?

There are a number of ways you can make responding and managing a right to erasure request easier for your team: 

1. Use effective data mapping

According to Gartner, two-thirds of businesses say it takes them two or more weeks to fulfil a single data request.

When the clock is ticking on your erasure process, this can be stressful for your team and frustrating for the person who made the request. 

Data mapping software provides you with a clear overview of the data you manage, resulting in a quick and pain-free retrieval process. With greater oversight, you also have the ability to see which third parties have access to datasets (and therefore who must be contacted when a request is made).

2. Educate staff on the importance of Article 17

As requests for erasure can be made verbally or in writing to anyone or any point of contact in your company, there’s a risk of the request being ignored or not being met within the designated time frame. 

Minimise this risk by making sure everyone in your enterprise is aware of an individual’s right to have their data deleted and the need to pass on verbal and/or written requests as soon as possible to the person or department responsible for carrying out this GDPR activity. 

3. Implement a process for right to erasure requests

From the moment a request to delete someone’s data arrives, the staff member who receives it should have clear guidelines to follow: they should know how to recognize an Article 17 request, who to contact, and what to say to the data subject.

The team or individual managing the request must also have a streamlined process of removing this data from live and backup systems, with deadlines assigned to each step. 

4. Maintain consistent and transparent communication 

As soon as you are contacted by someone making a request for erasure, you must be clear, honest, and upfront in your handling of the matter. 

Delays in responding to requests or confusion over how and when you’ll be deleting personal data will only lead to unhappy data subjects, which isn’t good for business or reputation. 

It’s a good idea to create some pre-approved templates or set up automated emails to use throughout key stages of the erasure process. These updates will save you time and ensure you continue to stay compliant. 

If you’d like to learn more about how to delete personal data correctly or would like further expert insights into your data compliance process, our team of GDPR consultants would love to talk. Simply contact us here, and we’ll be in touch.