GDPR (the General Data Protection Regulation) is European Union (EU) legislation that will come into force worldwide on May 25, 2018. Much has already been written about the significant impact GDPR will have on both businesses and the public sector, as well as the heightened obligations it mandates over and above existing EU country-level legislation (including the UK’s 1998 Data Protection Act).
While numerous “toolkits” of varying degrees of sophistication are available to help companies assess the degree of process compliance that currently exists within their organisations, and to provide process flows that facilitate compliance, little has been discussed around GDPR’s impact on technology platforms currently holding all that data. One reason is because each company or organisation has a unique mix of technologies, people and processes involved, so it is difficult to generalise. However, there are several common challenges arising from GDPR that companies should consider when it comes to making their technology platforms GDPR compliant:
Accountability and compliance
GDPR introduces much more accountability around how Personally Identifiable Information (PII), that is, any data that could potentially identify a specific individual, is handled, especially in terms of how PII data is processed, stored, and managed. Many organisations now have complex data architectures where data is extracted, loaded, federated, shared, stored and archived in ways that may not always be transparent to internal business stakeholders. This is especially true in large organisations where M&A activities have resulted in a set of cross-connected data platforms.
One way to address this data handling transparency requirement is to revisit a company’s enterprise data architecture to better understand where PII data exists. This helps ensure that all instances of PII data are known about, and it reduces the risk of this data ending up in an area it shouldn’t be in. Examples include PII data processed by one business system being sourced from an operational data store different from the CRM system used by customer service agents; and PII data stored in an offline archive that is not immediately searchable by existing means, yet may be brought back online for processing of the data contained within it.
Identifying where PII data exists can be further addressed by implementing more holistic search capabilities, ensuring a company can search across all its technology platforms and archives for specific keys or identifiers relating to individuals. These capabilities can provide further assurances that PII data held on individuals is known about, is being handled appropriately, and can be produced in a report to lawyers or regulators if required. It also helps ensure that as new sources of data are added at a later time, the overall technology platform remains compliant. GDPR does recommend that PII be transmitted and stored in an encrypted format, which makes the search functionality a little more complex, so companies should consider the implications of encryption when implementing search capabilities.
Why should organisations pay serious attention to this? Because GDPR brings a heightened set of administrative fines (up to €20/$23.6 million or 4 per cent of total worldwide revenue in some cases) for companies that don’t adhere to their responsibilities under specific guidelines. One look at the EU’s recent issuing of a €2.41/$2.8 billion fine to Google for publishing misleading search results should be an indicator as to how serious the EU regards these matters.
Access to data
Under current EU country-level legislation, individuals can request companies or public bodies to disclose information they hold about them. Currently this “Subject Access Request (SAR)” entails a £10 payment (in the UK), which discourages frequent or frivolous requests. GDPR introduces the right for individuals to request this data free of charge, and the organisation must usually produce it within one month for simple requests or face an administrative fine. In the same way that Freedom of Information legislation forced public sector organisations to re-engineer some of their platforms to serve up the information required, GDPR is going to require organisations to expose a vast quantity of PII data to individual requestors with speed and frequency.
This requires the reporting of information in a way that explains what data is being held (i.e. structured information versus raw computer data) and how an organisation is processing it to derive insights about that individual. These SARs can come from any number of (mostly digital) channels and may need to be delivered back via that same channel with an appropriate user experience.
Additionally, GDPR extends existing EU legislation to provide a “Right to Erasure” for PII data. However, other EU mandates such as tax legislation require companies to retain records for a number of years. So, if someone’s PII data has been deleted at their request, a GDPR-compliant mechanism still needs to be able to associate that individual with their retained data at a later date.
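The two platform problems raised above, finding an individual's records across encrypted stores and keeping retained records linkable after the PII itself has been erased, can be served by one design: a keyed blind index over a normalised identifier acts as a searchable pseudonym, the PII profile is encrypted under a per-subject key, and erasure deletes that key (crypto-shredding) while records that tax law requires are kept only under the pseudonym. The following Python is an added illustration of that pattern and is not code from the article or from Ness Digital Engineering; the key values, the `PiiVault` class and its method names are assumptions, and the XOR keystream is a stand-in for a real AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Constructed example key. In a real platform the index key and the per-subject
# keys would live in a KMS or HSM, never in source code.
INDEX_KEY = b"example-blind-index-key-not-for-production"


def normalise(identifier: str) -> str:
    """Canonicalise an identifier so 'Alice@Example.com ' and 'alice@example.com' match."""
    return " ".join(identifier.strip().lower().split())


def blind_index(identifier: str) -> str:
    """Keyed HMAC over the normalised identifier: a searchable token that
    cannot be reversed to the identifier without INDEX_KEY."""
    return hmac.new(INDEX_KEY, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (XOR with an HMAC-derived keystream) used only to
    make crypto-shredding visible; a production system would use AES-GCM."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PiiVault:
    """Hypothetical store separating erasable PII from records that must be retained."""

    def __init__(self) -> None:
        self.subject_keys: dict[str, bytes] = {}           # pseudonym -> per-subject key
        self.profiles: dict[str, tuple[bytes, bytes]] = {}  # pseudonym -> (nonce, ciphertext)
        self.retained: dict[str, list[dict]] = {}           # pseudonym -> pseudonymised records

    def register(self, email: str, profile_text: str) -> str:
        """Store a PII profile encrypted under a fresh per-subject key; return the pseudonym."""
        pid = blind_index(email)
        key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        self.subject_keys[pid] = key
        self.profiles[pid] = (nonce, keystream_xor(key, nonce, profile_text.encode()))
        return pid

    def record_transaction(self, email: str, record: dict) -> None:
        """Keep a record (invoice number, amount, date) under the pseudonym only, no PII inside."""
        self.retained.setdefault(blind_index(email), []).append(record)

    def subject_access(self, email: str) -> dict:
        """Answer a Subject Access Request: search every store by blind index, decrypt if a key exists."""
        pid = blind_index(email)
        profile = None
        if pid in self.subject_keys:
            nonce, ciphertext = self.profiles[pid]
            profile = keystream_xor(self.subject_keys[pid], nonce, ciphertext).decode()
        return {
            "pseudonym": pid,
            "profile": profile,
            "retained_records": list(self.retained.get(pid, [])),
        }

    def erase(self, email: str) -> str:
        """Right to Erasure: shred the per-subject key so the profile ciphertext is unrecoverable,
        while retained records stay linkable through the pseudonym if the individual returns."""
        pid = blind_index(email)
        self.subject_keys.pop(pid, None)
        self.profiles.pop(pid, None)
        return pid


if __name__ == "__main__":
    vault = PiiVault()
    vault.register("Alice@Example.com ", "name=Alice Example;phone=+00 000 0000")  # constructed data
    vault.record_transaction("alice@example.com", {"invoice": "INV-0001", "amount": 10})
    print(vault.subject_access("ALICE@example.com"))
    vault.erase("alice@example.com")
    print(vault.subject_access("alice@example.com"))
```

Two caveats a practitioner would want to keep in mind: a blind index is pseudonymised data and therefore still personal data under GDPR, so the index key needs the same protection as the subject keys; and the linkage only works if the retained records themselves never carry PII, which is a data-model constraint the audit described later in the article has to enforce.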
GDPR challenges and next steps
Consider this question: starting May 2018, how many people are going to ask their bank, credit card providers, insurers, supermarkets, utility providers, eBay, Amazon, Google and a myriad of other companies what PII data they hold about them, and potentially request they erase it following that disclosure?
The answer is potentially millions – and more than just once over time.
This step-change in the volume of SAR-type requests has not been recognised by many organisations, and time is running out. Companies will almost certainly need to upgrade existing data platforms, and in most cases, implement a new data governance technology platform to facilitate and automate their ability to comply with GDPR legislation. However, the specific needs of GDPR are not well handled out-of-the-box by existing data governance products that offer a generic solution, as much of the effort required will be bespoke to each organisation’s existing data platforms.
GDPR also requires companies that have “regular and systematic monitoring” of individuals at a large scale, or process a lot of PII data, to have a dedicated data protection officer. This person must monitor compliance with GDPR and be a single point of contact for employees and customers. To perform the role, this person will need to have “super user” rights to the GDPR data governance platform within the company and a deep understanding of all the new capabilities described above.
Because each organisation’s GDPR situation will be different, many organisations will struggle to address the likely volume of SARs and respond in a way that satisfies each requester (and the regulator).
When it comes to concerns about GDPR’s impact on technology and data platforms, organisations should consider carrying out a GDPR data platform audit that makes specific recommendations to address technology shortfalls. This will help expose issues faced by multiple stakeholders and deliver a clear roadmap of what changes need to be made, including the bespoke GDPR data governance that needs to be put in place.
Many organisations have so far just focused on addressing process requirements, assuming that their technical teams will “make it happen.” This approach within a rapidly reducing time window is likely to lead to new technology products being purchased that aren’t an ideal fit and could leave companies saddled with expensive license fees for years to come. By looking both top-down from the process viewpoint and bottom-up from the platform technology layer, the “right” solution to GDPR is more likely to be identified and put in place.
David Mackay, associate vice president of business development, Ness Digital Engineering