Data connections can take the complexity out of GDPR

(Image credit: Image source: Shutterstock/Wright Studio)

The General Data Protection Act, known as GDPR, is coming over the horizon faster than many businesses have planned for, with full enforcement under way by May 25 2018.

GDPR will enforce much stronger data security and privacy rules when it comes to protecting personal data. This will have an enormous impact on the way business processes work. GDPR comes with some very sharp teeth. Failing to comply with the new law can result in a fine of up to 20 million Euros or 4% of global annual turnover, whichever is the greater.

However, what is worrying industry and data experts is that many CIOs are being incredibly tardy at addressing GDPR. A survey in June this year by consultancy PWC, for example, showed that of 150 GDPR readiness assessments it conducted with clients, many found it difficult to identify a place to start with preparations. This dire situation is only growing. According to a recent YouGov survey, two thirds of UK businesses are totally unaware of the fines they face by not complying with GDPR and a startling 62% did not know what GDPR was.

There are many who won’t think this laissez-faire attitude is newsworthy. But what is important to broadcast is that there are ways of working with data that could dramatically reduce the time and effort it will take businesses to get GDPR-compliant – even with the clock ticking.

UK companies have undoubtedly been slow to take the seriousness of GDPR on board. Some may be under the illusion that because it is an EU directive it will not apply because of Brexit. The government, however, has made it abundantly clear that GDPR will be a legal requirement for the UK.  

CIOs are also suddenly realising that to be fully GDPR-compliant they must be able to track the movement of their customers’ data. Key elements include auditing current data protection measures, documenting all the data in an organisation’s possession and ensuring all data collection, procedures and processes comply with GDPR – including where data resides and how it is being used. This is no small task.

It doesn’t stop there. There is also the question of security when it comes to handling and processing personal data. Organisations will need to have security procedures in place that can spot and alert them to any cyber attacks. Data breaches must be reported within 72 hours.

Finally, they need to provide a window onto people’s personal data, underlining exactly how it is being used. They will also need to be able to prove to GDPR regulators that it is being used within the law.

GDPR holds firms accountable for all data, regardless of where it is stored. It also demands that organisations can access, report and remove personal data from all data locations when requested by consumers or regulators.

This creates a gargantuan challenge for many organisations who have data spread across multiple locations, often around the globe, in different applications on servers and in data centres – on their own networks and with external providers housing data in the cloud.

Personal data is about joining the dots

The key to GDPR compliance is tracking data movement across all your enterprise applications

There is light at the end of the tunnel, however. It isn’t about the terabytes of data and volumes of records. It is about being able to document and outline – if requested – why and how an individual’s data travels through an organisation: how it is connected to sales and marketing activities, and at which touch points he or she has been informed of, and consented to, the organisation’s data privacy policy.

Those touch points can be displayed as connections. Unfortunately making these connections with relational and most NoSQL technologies just isn’t possible as the data model is too rigid for the complex requirements of GDPR. Why? Because personal data as a rule doesn’t flow in a straight line, instead it follows a variable route as it weaves its way through the enterprise. This inconstant route is best modeled using a database technology known as graph database.

In a nutshell, graph technology is specifically designed for connected data, as found when complying with GDPR, where data relationships are as important as the data itself.

Graph database technology was first recognised by internet giants such as Google, Facebook and LinkedIn to collect and exploit the fast-exploding world of data relationships discovered online. More recently, graph tech has been indispensable in uncovering the data connections that led to the publication of the Panama Papers global investigation.

Let’s look at how graphs work. Traditional approaches produce tabular output that is hard to interpret. In contrast, graph technology uses simple, easy to understand network models of how the data flows through enterprise systems.

The approach that NoSQL and relational databases use leaves out key system connections. That breaks the lineage of personal data, and once the lineage is broken, tracking becomes impossible. A native graph database, however, stores and connects all the data as a graph, making it an ideal tool for GDPR compliance.
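To make the lineage argument concrete, here is an added example (not from the article or from Neo Technology) that models personal data flows between systems as a small in-memory graph. The systems, touch points and lawful bases are constructed sample values; the traversal answers the two GDPR questions raised above: where does an individual’s data end up, and which flows have no recorded consent or lawful basis.

```python
from collections import deque

# Constructed sample lineage graph (hypothetical systems, not from the article).
# Each edge is (source, destination, recorded lawful basis for that flow);
# None means the flow exists but no consent/basis was ever documented.
EDGES = [
    ("web_signup", "crm", "consent:marketing"),
    ("crm", "email_platform", "consent:marketing"),
    ("crm", "billing", "contract"),
    ("billing", "cloud_backup", "contract"),
    ("email_platform", "analytics_vendor", None),
]


def build_graph(edges):
    """Adjacency list: system -> [(downstream_system, lawful_basis), ...]."""
    graph = {}
    for src, dst, basis in edges:
        graph.setdefault(src, []).append((dst, basis))
        graph.setdefault(dst, [])
    return graph


def trace_lineage(graph, origin):
    """Breadth-first walk from the touch point where data was collected.
    Returns {system: path_from_origin} for every system the data reaches."""
    paths = {origin: [origin]}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for nxt, _basis in graph[node]:
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def data_locations(graph, origin):
    """Every location that must be covered by an access or erasure request."""
    return sorted(trace_lineage(graph, origin))


def unjustified_flows(graph, origin):
    """Reachable flows carrying no recorded consent or lawful basis."""
    reachable = trace_lineage(graph, origin)
    return sorted((src, dst) for src in reachable
                  for dst, basis in graph[src] if basis is None)


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("locations:", data_locations(g, "web_signup"))
    print("flows without a basis:", unjustified_flows(g, "web_signup"))
```

The same traversal, run backwards over reversed edges, answers the reverse question a regulator may ask: from which touch point did the data held in a given system originate.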

Of course traditional relational database technology has its place. It is good at handling highly structured data sets that don’t change that often and have a small number of clear connections. But tracking data connections requires a totally different skillset, which is where graph comes into its own.

Having said this, it is now imperative that GDPR project leaders look at tools available that will enable them to be GDPR compliant by May 2018 as a matter of urgency.

Graph technology should be top of the list, and not just for large enterprises. Off-the-shelf graph database technology can also be a boon to SMEs.

The EU is very serious about protecting its citizens’ data and GDPR comes with some very strict compliance rules. Those that haven’t prepared for GDPR would be well advised to do so, or risk some serious consequences. Although GDPR compliance is a formidable task, graph technology can definitely make the whole process easier and more manageable.

Graph technology was developed especially to manage data connections. Why try to make other technologies bend to fit, when you have a tool at your disposal whose skillset lends itself perfectly to the task in hand?

Emil Eifrem, co-founder and CEO, Neo Technology

Emil Eifrem is co-founder and CEO of Neo Technology, the company behind the world’s leading graph database, Neo4j.