GDPR (the General Data Protection Regulation) is EU-wide legislation that will come into force on 25th May 2018. Much has been written about the impact it will have on business and the public sector, and the heightened obligations it mandates over and above existing EU country-level legislation (such as the UK’s 1998 Data Protection Act). There are numerous “toolkits” available to provide guidance on the degree of process compliance that currently exists in organisations. But little has been written about the impact it will have on the technology platforms that currently hold all that data. One reason for this is that each company or organisation has a unique mix of technologies, people and processes involved, so it is hard to generalise. However, there are some common challenges arising from GDPR that should be of significant concern:
Accountability and compliance. GDPR introduces much more accountability around how personal data is handled, especially around how data is processed, stored and managed. Many organisations now have complex data architectures where data is extracted, loaded, federated, shared, stored and archived in ways that may not always be transparent to internal business stakeholders. This is especially true in large organisations where M&A activities have resulted in a set of cross-connected data platforms.
One way to address this data handling transparency requirement is to revisit a company’s enterprise data architecture, to better understand where personal data exists and reduce the risk that this data might find itself in an area it shouldn’t be in or isn’t known about. For example, personal data that is being processed by one business system may be sourced from an operational data store that is different to the CRM system used by customer services agents; or data may be stored in an offline archive that is not immediately searchable by existing means but may be brought online for the purpose of processing the data held in it.
This is further addressed by implementing more holistic search capabilities, so that a company can search across all its technology platforms and archives for specific keys or identifiers relating to individuals. These capabilities can help ensure that all the personal data held on individuals is known, is being handled appropriately – and could be produced in a report to lawyers or regulators if required.
Why should organisations pay immediate and serious attention to this? Because GDPR also brings a heightened set of fines (up to €20m or 4% of total worldwide revenue in some cases) for companies that don’t adhere to their responsibilities under GDPR. (Just look at the EU’s recent issuing of a €2.4bn fine to Google for publishing misleading search results as an indicator as to how serious the EU is in these matters).
Access to data. Under current EU country-level legislation, individuals can request companies or public bodies to disclose the information they hold about them. But currently this “Subject Access Request (SAR)” entails a £10 payment (in the UK), which discourages frequent or frivolous requests. GDPR introduces the right for individuals to request this data free of charge, and the organisation must normally produce it within one month for simple requests or face a penalty. In the same way that Freedom of Information legislation forced public sector organisations to re-engineer some of their platforms to serve up the information required – something which could no longer be done manually due to the flood of FOI requests being made – GDPR is going to require organisations to expose a vast quantity of personal information to individual requestors with speed and frequency.
This will require the reporting of information in such a way that it explains what data is being held – not just raw computer data, but rather structured information, e.g., “For requestor John Smith we associate username JSmith123 and have you registered at 1 Garden Walk, London, WC1 1AA; we have used automatic profiling that has categorised you as an “ABC” type consumer; and we have shared all of this information with company XYZ”. These SARs may come from any number of (mostly digital) channels and may need to be delivered back via that same channel, with an appropriate user experience. Plus GDPR extends existing EU legislation to provide a “Right to Erasure” to personal data.
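The cross-platform search described above and the structured SAR disclosure and erasure described here can be sketched as one small governance routine. The following is an added example, not code from Ness or from any product: the store names (crm, profiling, archive, ods), the subject identifier JSmith123, the field names and the shared-with organisation “XYZ” are all constructed for illustration, and each store is reduced to an in-memory dictionary keyed on the organisation’s identifier for the individual.

```python
"""Added example: assemble a structured SAR report from several data stores
and carry out an auditable Right to Erasure. Store names, records and field
names are constructed for illustration (hypothetical, not real systems)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class DataStore:
    """One platform that may hold personal data (CRM, ODS, archive, ...).

    records is keyed on the subject identifier the organisation uses for the
    individual; purpose and shared_with supply the context a SAR must disclose.
    """
    name: str
    purpose: str
    records: dict
    shared_with: list = field(default_factory=list)


# Constructed sample stores (hypothetical data, not from any real system).
STORES = [
    DataStore("crm", "customer service",
              {"JSmith123": {"name": "John Smith",
                             "address": "1 Garden Walk, London, WC1 1AA"}}),
    DataStore("profiling", "automated marketing profiling",
              {"JSmith123": {"consumer_type": "ABC"}}, shared_with=["XYZ"]),
    DataStore("archive", "offline order archive",
              {"JSmith123": {"orders_2015": 3}}),
    DataStore("ods", "operational data store",
              {"AJones9": {"name": "Alice Jones"}}),
]

# Append-only record of disclosures and erasures, for the DPO and regulator.
AUDIT_LOG = []


def _now():
    return datetime.now(timezone.utc).isoformat()


def find_subject(subject_id, stores=STORES):
    """Search every registered store for one identifier.

    Returns {store name: copy of the fields held}; stores that know nothing
    about the subject are simply absent, so an empty dict means 'not held'.
    """
    return {s.name: dict(s.records[subject_id])
            for s in stores if subject_id in s.records}


def sar_report(subject_id, stores=STORES):
    """Assemble the structured disclosure for a Subject Access Request:
    what is held, in which system, for what purpose, and who it was shared with."""
    holdings = find_subject(subject_id, stores)
    by_name = {s.name: s for s in stores}
    shared = sorted({org for name in holdings for org in by_name[name].shared_with})
    lines = [f"Subject identifier: {subject_id}"]
    for name, fields in holdings.items():
        detail = "; ".join(f"{k}={v}" for k, v in fields.items())
        lines.append(f"{name} ({by_name[name].purpose}): {detail}")
    lines.append("Shared with: " + (", ".join(shared) if shared else "nobody"))
    AUDIT_LOG.append(("disclosure", subject_id, _now()))
    return {"subject": subject_id, "holdings": holdings,
            "shared_with": shared, "text": "\n".join(lines)}


def erase_subject(subject_id, verified, stores=STORES):
    """Right to Erasure: remove the subject from every store that holds them.

    Refuses unless the caller states that the requester's identity has been
    verified, because erasing on an unverified request is itself a
    data-handling failure. Returns the names of the stores that were changed.
    """
    if not verified:
        raise PermissionError("identity of the requester must be verified first")
    erased = [s.name for s in stores if s.records.pop(subject_id, None) is not None]
    AUDIT_LOG.append(("erasure", subject_id, _now(), tuple(erased)))
    return erased


if __name__ == "__main__":
    print(sar_report("JSmith123")["text"])
    print("erased from:", erase_subject("JSmith123", verified=True))
```

The two design points worth carrying into a real platform are that every store must be registered with a lookup keyed on the same identifier (an unregistered archive is exactly the “area that isn’t known about” the text warns of), and that both disclosure and erasure append to an audit log so the data protection officer can evidence what was produced, and what was deleted, for a given request.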
The challenge and next steps
How many people from May next year are going to be asking their bank, credit card providers, insurers, supermarkets, utility providers, eBay, Amazon, Google and a myriad of other companies what personal data they hold about them, and in some cases, following that disclosure, then requesting that it be erased? Potentially millions – and more than just once over time. This step-change in the volume of SAR-type requests doesn’t seem to have been recognised by many organisations, and time is running out. Companies will almost certainly need to upgrade existing data platforms, and in many cases implement a new data governance technology platform to facilitate and automate their ability to comply with GDPR legislation.
GDPR requires companies that have “regular and systematic monitoring” of individuals at a large scale, or process a lot of sensitive personal data, to have a dedicated data protection officer. This person has to monitor compliance with the GDPR and be a Single Point of Contact for employees and customers. To perform their role, this person will need to have “super user” rights to the GDPR data governance platform within their company and a deep understanding of all the new capabilities described above.
At Ness we engineer and re-engineer big data platforms, so we have experience of how each organisation’s situation can be different. And we know that many organisations will struggle to address the likely volume of SAR requests and respond in a way that satisfies each requester (and the regulator).
If you’re concerned about the impact of GDPR on your technology and data platforms, why not get Ness to carry out a GDPR data platform audit and make specific recommendations to address technology shortfalls? This will help expose all the issues faced by multiple stakeholders, and deliver a clear roadmap of what changes need to be made including the GDPR data governance technology platform that needs to be put in place.