GDPR: How to win the data privacy war

Preparing for the new regulations will allow organisations to adopt new technologies and improve their information governance.

If you’re a customer-centric organisation, you’re likely to be aware that May 25, 2018 is the date when the General Data Protection Regulation (GDPR) comes into effect.   

The new EU directive will harmonise European data laws, applying to organisations across the globe that handle the personal information of citizens who live in the 28 EU member states. 

As well as requiring you to have particular privacy processes and procedures in place, it also carries punitive fines and penalties for non-compliance. 

However, the new regulations also provide you with the opportunity to improve your information governance and adopt new technologies that can drive customer loyalty and long-term engagement.   

In fact, by successfully addressing three of the main requirements of the GDPR (user consent; data governance and audit; and breach reporting and disclosure), you can strengthen your customer identity management and gain a valuable competitive edge.

But it’s important to note that a one-size-fits-all data privacy or security product will not fit the bill. You’re likely to require a more sophisticated identity solution that integrates with your business-critical apps and supports your entire IT infrastructure, including your cloud, mobile and legacy systems.

[“The new EU legislation will be an absolute game-changer for both large organisations and SMEs as the regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.”] Jeremy King, International Director, PCI Security Standards Council (Reference: FinExtra) 

1. Managing User Consent  

The new GDPR regulations require you to get the user’s consent to capture, store and process any data that might be identifiable. They also allow the user to change their consent status in a fine-grained manner at any time and with ease. User ID elements include their name, email address, and phone numbers. 

One of the major data privacy issues for which the GDPR will penalise you is unintentionally building a more complete picture of the user than you need.

This might happen if, for example, you store a cookie in a user’s browser (for which you need their consent) and then link their mobile and web browsing data together in the cookie. This can unintentionally create a personally identifiable information (PII) string of data about the user, even if you don’t actually know who they are. 

In addition, many of today’s powerful marketing and analytics platforms aim to understand who the user is across multiple touch points, but this can also cause GDPR compliance issues unless handled correctly. 

This situation can get more painful in retail, where, for example, the retailer might capture user data in a physical environment through loyalty schemes and combine it with data from their online e-commerce platform - without adequate user consent.

Three Tactics for Dealing with User Consent Data  

a) Consent   

With the GDPR, you are obliged to help people understand and manage the consent they give you to use their data.

This includes storing their data as part of an Amazon Web Services or Microsoft Azure cloud service. You also need consent if, for example, you are using a Software-as-a-Service (SaaS) analytics platform in the US to process their data there. 

However, when it comes to consent, you could create user incentives to allow you to capture, store and process their PII data. You also have an opportunity to build in sophisticated consent management via User ID or My Account dashboards.   

b) Pseudonymization   

The new European data protection law introduces the concept of “pseudonymization”, whereby personal data is separated from anything that could identify the individual - with that identifying information held elsewhere.

This lowers the risk for data processors of falling foul of GDPR regulations, whilst still making the information useful to marketers.   

It also gives you a great opportunity to mine demographics, activity, behaviour and purchases across your systems: you remove the user’s PII data and instead tag each record with a pseudonymization ID, so that the data can be channelled into an analytics system.

c) ID Management  

If you don’t already have it in place, preparing for the GDPR is also a good time to implement effective ID management across all customer touch points, including web, mobile and physical point-of-sale/loyalty-card interactions.

[Around 45% of businesses either do not have the tools to ensure their organisation complies with the main requirements under the GDPR; or could only obtain such tools at significant cost.] (Source: Baker McKenzie, Preparing for New Privacy Regimes, April 2016) 

2. Data Governance and Audit  

With the right consent, pseudonymization, and ID management technologies and processes in place, the next step is to ensure you can demonstrate good data governance and policy adherence for an internal audit, customer request, or an external audit following a breach. 

You particularly need to show that you are only using the customer’s data in line with their given consents. For this, it is essential that you can record what you do with your customer data and where you use it.  

Alex Laurie, Commercial Director at identity data management specialist Amido, explains: imagine you have a set of user data and want to run a segmentation process on it. You might move it to a data store for machine learning, for example the Azure Cognitive Services platform, run your segmentation, then apply back the segments to your user data.   

Laurie adds, “There are many steps in that process and you would have to record each step as an activity for each user’s data. This is because, within this regulation, the user is entitled to ask how you got to that point, or simply ask what you have done with their data. You would then have to produce a record of activity and that activity would need to be in line with the consent they have given you.” 

Consequently, your consent store becomes a source of permissions for your organisation to check whenever you intend to process user data. You can then implement a metadata approach to record the audit trail of steps. “This is common practice in banking or government, with products available with which we help clients integrate,” says Laurie.

3. Reporting and Disclosure after a Data Breach  

One of the most critical requirements of the new EU directive is the need for you to disclose details of customer data that may have been compromised following a data breach. This must be done by your dedicated Data Protection Officer within 72 hours. 

“This is possibly the hardest bit to get right,” notes Amido’s Alex Laurie. The problem is that, when breached, most organisations do not actually know what was breached, where it was and what data was accessed. 

He goes on to explain that, in the first instance, you need to know where your data is, in what state, and in which system it resides. “This is so that if a breach occurs, you can accurately report which systems - and therefore which data points - might have been exposed,” says Laurie.   

It’s important to get your system design approach correct here. Important elements include ID management, data abstraction and anonymization, and encryption of data at rest and in transit.

Tech Perspective: How to mitigate the risk of a customer data breach 

Steve Jones, Senior Consultant, Amido 

The change in law brought about by GDPR in no way diminishes the importance of user data to customer-centric businesses. To continue to exploit the breakneck developments in artificial intelligence and machine learning which are turbocharging customer profiling and relationship mining, GDPR encourages good architectural design in putting the customer at the heart of the enterprise. 

The key design decision from a best practice perspective is to consolidate all customer PII into a single data store, and to use nondescript tokens to act as alter egos (or pointers) to an individual outside of that store. Rather than passing email addresses between systems to identify users, for example, these tokens perform the task of identifying a customer without leaking any identifiable information.

In order to find out where customer data sits within the business, first conduct a PII audit. Keep in mind that customer data could be stored in several locations - including third-party systems - and in data commonly replicated across development, test and archive environments.

After the audit, consolidate PII into a single store. This is a sensible time to introduce a centralised IdAM (Identity and Access Management) platform to merge any legacy or distributed ID systems currently in operation. The benefits of this stretch further than GDPR compliance: centralising this sensitive information will reduce support and maintenance, in turn leading to time and cost savings whilst increasing the agility of the business to cater to new business models.

If you don't already, it's prudent to treat PII with the same respect you’ve always given PCI data: now that you have a single concentrated store of PII, secure it well through several overlapping layers. Encrypt data at rest and in transit; grant access sparingly and authorise only the bare minimum required to get the job done (the principle of least privilege). Audit all access and, most importantly, regularly review the access logs! The simplest way to know about any data breach is to proactively monitor the accounts that access the information.
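As an added illustration (example code, not from the article or from Amido), the following Python sketch ties together the design described in section 1b, section 2 and the paragraphs above: a single PII vault that issues random tokens in place of email addresses, a consent store that is checked before each processing step, and a per-token audit trail of what was done. The class names, the "segmentation" purpose and the spend threshold are assumptions made for the example.

```python
import secrets

class PiiVault:
    """Single PII store: real identifiers live only here, everything else uses the token."""
    def __init__(self):
        self._records = {}   # token -> {"email": ..., "name": ...}
        self._by_email = {}  # email -> token, so one person gets exactly one token
    def tokenise(self, email, name):
        if email not in self._by_email:
            # Random token, not a hash of the email: a hash can be re-linked by anyone
            # who knows the email; a random token cannot be reversed without the vault.
            token = secrets.token_urlsafe(16)
            self._records[token] = {"email": email, "name": name}
            self._by_email[email] = token
        return self._by_email[email]
    def resolve(self, token):
        return self._records[token]

class ConsentStore:
    """Source of permissions: the set of purposes each token has consented to."""
    def __init__(self):
        self._grants = {}
    def grant(self, token, purpose):
        self._grants.setdefault(token, set()).add(purpose)
    def revoke(self, token, purpose):
        self._grants.get(token, set()).discard(purpose)
    def permits(self, token, purpose):
        return purpose in self._grants.get(token, set())

class AuditLog:
    """Per-token record of each processing step, to answer 'what did you do with my data?'"""
    def __init__(self):
        self._entries = []
    def record(self, token, step, purpose):
        self._entries.append({"token": token, "step": step, "purpose": purpose})
    def history(self, token):
        return [e for e in self._entries if e["token"] == token]

def segment(consent, audit, token, purchases):
    """Hypothetical segmentation step: it sees the token and amounts, never the PII."""
    purpose = "segmentation"
    if not consent.permits(token, purpose):
        audit.record(token, "refused: no consent", purpose)
        return None
    audit.record(token, "purchases exported to analytics store", purpose)
    bucket = "high-value" if sum(purchases) >= 500 else "standard"
    audit.record(token, f"segment '{bucket}' applied back to profile", purpose)
    return bucket
```

Every step outside the vault works on the token alone, so an analytics export or a breach of the analytics store exposes no email or name, and the audit log can be replayed per token to answer a customer's request about how their data was used.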

Now that you have a single store of PII, apply a privacy and consent-delegation framework over the top. User-Managed Access (UMA), which is built on top of OAuth 2, is the magic ingredient here: a next-generation access management protocol that supports a scalable, fine-grained access and revocation model.

This combination makes it ideal for the self-service consent management scenarios that GDPR introduces. As UMA is built on top of OAuth 2, authenticated users are identified by encrypted tokens passed between systems, never directly attributable information. 

Introducing UMA enables businesses to develop future-ready services that a user can share, and to which they can delegate consent in advance. This is the core feature of the protocol which opens up exciting opportunities across IoT, API and app landscapes whilst ensuring private data is protected. 

[If Tesco had been subject to the rules of GDPR following the hack on its bank back in November 2016, it would have potentially faced a fine of £1.9 billion.] (Source: 4D, February 2017) 

GDPR Compliance and Marketing Success 

GDPR is a great opportunity for enterprises to introduce next-generation privacy and consent services, and the advantages can be profound for your organisation. These services will build trust by empowering the customer, and they also lay the foundation for introducing more personalised experiences based on rapid developments in automation, AI and machine learning.   

Whilst helping you to empower your customers, privacy and consent services can also be a differentiator for your products and services, compared with your competitors. Demonstrating a proactive stance to compliance and privacy will allow you to get ahead in the marketplace, with both your customers and industry regulators.   

Furthermore, this approach will naturally enhance the progressive-profiling process. As you analyse your customers’ consent ‘giving’ and ‘managing’ behaviour, you will gain a set of additional data points around the customer’s psyche for ML/AI processing, enabling a more active/active model for customer interaction.   

In addition, it will encourage regular customer review of their profile, which means you can interact with them more frequently, and outside of the transaction process, opening up contact points and opportunities for gamification and sales and marketing. 

Another benefit of GDPR preparation is that you get a clear picture of where your data resides, which in turn gives you a better understanding of your technology service models and master sources of data. Introducing pseudonymization will enable you to take advantage of the latest technologies and tools without falling foul of Safe Harbor and other cross-border legislation.

Rather than approaching GDPR apprehensively, it’s important to recognise the ways in which you can strengthen your data management, customer services and competitive edge through next-generation privacy and consent services. With the right approach and technologies in place, you can capitalise on customer data and trends, whilst also becoming GDPR compliant. 
