Cleansing Legacy Data for GDPR Compliance: A Case Study

Karthachira Chermana, Harsha Pemmaiah
Cusack, Brian
Item type
Degree name
Master of Information Security and Digital Forensics
Journal Title
Journal ISSN
Volume Title
Auckland University of Technology

Today's news media are packed with information infringements and cybersecurity infringements amongst the world's most prominent companies. Misuse of personal information has become a major issue. Hence, the preservation of privacy and information is now more crucial than it has ever been. In May 2018, a major legislation was adopted in the European Union to tackle the problem of personal information privacy described as the General Data Protection Regulation or GDPR. Organisations these days collect immense amount of personal information in a quest to offer more personalised products and services. If collection is one part, the processing of information to offer better customer experience is the other part. However, the collection and processing of such personal information are not transparent as they go beyond the objective for which such data was obtained in the first place. On the other hand, malicious attacks are launched on organisations that collect a treasure trove of personal information. In either way, personal information is misused with considerable financial and mental distress to the victims. The GDPR was introduced to address all the privacy related issues to enable the right to privacy among the EU citizens. This legislation is also applicable to all other jurisdictions European citizens trade with. Research Question: How can the legacy data-sets collected by an organisation to comply with GDPR, be made compliant? Thus, the study goal of this thesis is to demonstrate the measures that organisations may adopt to comply with the GDPR. It is evident that all new information collected would have to follow the latest privacy mechanisms and the stringent compliance requirements of the GDPR. But the regulation is also applicable to the legacy data that organisations have in their possession. This becomes a herculean task to the organisations for regulation compliance. Any breach of data under the new regulation would bring sanctions and financial penalties on a large scale which could severely impact the regular operations of an organisation. Smaller organisations would probably disappear from the business environment. Through this study it is intended to demonstrate the management and technical controls adopted to address the cleansing of legacy data for GDPR compliance. A combination of management standards like ISO 27001, ISO 31000 and BS 10012, along with Privacy Enhancing Technology such as pseudonymisation will be used for the case study demonstration. I also understand the shortcomings and vulnerabilities in implementing the required mechanisms to comply with GDPR.

GDPR , Pseudonymisation , Information Security , Privacy , Privacy by Design (PbD) , Privacy Enhancing Technology (PET) , ISO 27001 , ISO 31000 , BS10012:2017
Publisher's version
Rights statement