General Data Protection Regulation, or GDPR, is a consumer-centric model for ensuring that European citizens have clear guidance on what data they own and their control over it. Full enforcement of GDPR across Europe begins in May 2018, and it will affect every part of an organization that collects, processes or uses personal information.
Organizations will have to create and enforce new processes and systems to ensure consumers have full control over their data, including visibility into the information it contains, and the ability to update that information and data, as well as to delete it if they choose.
GDPR is different from previous regulations that affected the operations and security posture of IT systems and their intersection with business process. GDPR is the first set of regulations that clearly defines the ownership of data by consumers, and their rights to that data, even when it is housed by third-party organizations.
The Four Rights of GDPR
GDPR defines four data rights that apply to all European citizens, and includes both data about them and data they generate:
- Right to access – The right of individuals to find out what information a company holds about them.
- Right to amend – The right to have the ability to update information a company has, to ensure accuracy.
- Right to be forgotten – The right to notify a company to remove all data about a specific individual.
- Right to data portability – The right to move data between providers when an individual chooses.
This article will not be discussing who is impacted by GDPR or how to identify those in-scope data sets for an organization. That is best left to an organization’s compliance teams and outside compliance advisors.
What this article will focus on is how GDPR impacts common operations within an organization when dealing with data that is often intermixed with sensitive, or private information that might be in-scope for GDPR.
Implications for Production Operations
Many production systems are built on relational databases and data pipelines that integrate data between different systems to drive business processes and decisioning. With GDPR, it is likely that a consumer will choose to be forgotten, requiring certain data sets to be purged of that person's information, while other systems hold records linked to that data that are not themselves in scope and do not require removal.
A common example is a customer choosing to have his or her name and address removed after purchasing products from an organization. There will still be a record of a product shipment and a financial transaction, but no associated consumer details. In this scenario, all production systems will need updated data models that account for data that can go missing over time, while still ensuring that business reporting and automated processes continue uninterrupted.
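The shipment scenario above, worked through in SQLite: the customer row carries the personal data, the shipment row references it through a nullable foreign key declared ON DELETE SET NULL, and the revenue report tolerates shipments whose customer no longer exists. This is an added illustration, not code from the article; the table layout, the sample rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed schema: personal data lives only in `customers`; `shipments`
# keeps the commercial record and may outlive the person it belonged to.
SCHEMA = """
CREATE TABLE customers (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    address TEXT NOT NULL
);
CREATE TABLE shipments (
    id          INTEGER PRIMARY KEY,
    -- nullable on purpose: erasing the customer must not erase the shipment
    customer_id INTEGER REFERENCES customers(id) ON DELETE SET NULL,
    product     TEXT NOT NULL,
    amount_eur  REAL NOT NULL,
    shipped_on  TEXT NOT NULL
);
"""


def build_sample_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    # SQLite ignores foreign-key actions unless this pragma is on.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Alice Example", "1 Sample Street"),
        (2, "Bob Example", "2 Sample Street"),
    ])
    conn.executemany("INSERT INTO shipments VALUES (?, ?, ?, ?, ?)", [
        (10, 1, "widget", 19.99, "2018-01-05"),
        (11, 1, "gadget", 49.50, "2018-02-10"),
        (12, 2, "widget", 19.99, "2018-02-11"),
    ])
    conn.commit()
    return conn


def forget_customer(conn, customer_id):
    """Right to be forgotten: delete the personal record only.

    The ON DELETE SET NULL action detaches the shipments instead of
    deleting them. Returns the number of customer rows removed.
    """
    cur = conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    conn.commit()
    return cur.rowcount


def personal_data_remaining(conn, customer_id):
    """Verification step: count rows that still identify the customer."""
    customers = conn.execute(
        "SELECT COUNT(*) FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()[0]
    linked = conn.execute(
        "SELECT COUNT(*) FROM shipments WHERE customer_id = ?", (customer_id,)
    ).fetchone()[0]
    return {"customers": customers, "shipments_linked": linked}


def shipment_report(conn):
    """Monthly revenue report that keeps working after erasures.

    Uses a LEFT JOIN so detached shipments are still counted; the last
    column shows how many shipments in the month still map to a customer.
    """
    return conn.execute("""
        SELECT substr(s.shipped_on, 1, 7) AS month,
               COUNT(*)                    AS shipments,
               ROUND(SUM(s.amount_eur), 2) AS revenue_eur,
               COUNT(c.id)                 AS identified_customers
        FROM shipments s
        LEFT JOIN customers c ON c.id = s.customer_id
        GROUP BY month
        ORDER BY month
    """).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    forget_customer(db, 1)
    print(personal_data_remaining(db, 1))
    for row in shipment_report(db):
        print(row)
```

The point of the design is that erasure is a single delete against the one table holding personal data; every report and downstream process must already cope with a NULL customer, which is what the "data models that account for missing data" requirement means in practice.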
Implications for Derived Data
Many organizations today leverage data collected from consumers to produce analytical models or other derivative data sets. These are often used to drive business processes, to sell as data products or to use in targeted marketing. Organizations will need to ensure that analytical models are built in a way that they can be retrained in an automated fashion to recalibrate and account for records being regularly removed. Derived data impacts each of the four GDPR rights in different ways:
- Right to access – Customers are becoming more and more aware of how their data is used by organizations, so customers will demand to know what derivatives of their data are being created and used.
- Right to amend – Once customers are aware of these derivative data sets, they will ask that updates be made where inaccurate data was present.
- Right to be forgotten – Customers may decide that the initial data collection was acceptable, but downstream uses are not; this will lead to new requests to delete data because of those uses.
- Right to data portability – Where third parties are providing products and services associated with derivative data, customers may choose to use other services that better meet their needs.
Implications for Research and Ad Hoc Analysis
It is common for organizations to have data sets for the purpose of product research or to support other ad hoc analytical work by the organization’s data scientists. These data sets are often spread across a variety of systems, and often extend from on-premise into public cloud providers.
As data sets are identified as in-scope for GDPR, it is critical to track the location of not only those data sets, but also their derivative data sets, as well as the associated lineage. GDPR compliance must include the creation of a company-wide data catalog, for tracking both the data sets and their coverage by GDPR, and the lineage of the data sets.
As ad hoc and other research is completed on data owned by an organization, those data sets are copied, manipulated and integrated with additional data sets. The centralized data catalog therefore becomes the control point for the organization to provide assurances to customers that all copies of in-scope data are properly managed to maintain the four key rights of GDPR.
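The data catalog described in the preceding two paragraphs, as an added example that is not part of the article: each data set records its location and the data sets it was derived from, so that an erasure request against an in-scope data set can be expanded to every downstream copy, and so that derivatives of in-scope data that nobody flagged as in scope can be reported as coverage gaps. The catalog entries, data set names and locations are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class DataSet:
    name: str
    location: str                # e.g. "on-prem/warehouse" or "cloud/bucket-x"
    in_scope: bool               # flagged by the compliance team as GDPR in-scope
    derived_from: list = field(default_factory=list)  # names of parent data sets


# Constructed catalog: two source systems, a model pipeline, an ad hoc export
# and one unrelated data set.
CATALOG = {d.name: d for d in [
    DataSet("crm_customers", "on-prem/crm-db", True),
    DataSet("orders", "on-prem/erp-db", True),
    DataSet("churn_features", "cloud/analytics-bucket", False,
            ["crm_customers", "orders"]),
    DataSet("churn_model", "cloud/model-registry", False, ["churn_features"]),
    DataSet("adhoc_export_q1", "cloud/research-bucket", False, ["crm_customers"]),
    DataSet("warehouse_inventory", "on-prem/wms-db", False),
]}


def children(catalog):
    """Invert the derived_from edges into parent -> set(children)."""
    out = {name: set() for name in catalog}
    for d in catalog.values():
        for parent in d.derived_from:
            out[parent].add(d.name)
    return out


def downstream(catalog, name):
    """All data sets transitively derived from `name` (breadth-first)."""
    edges = children(catalog)
    seen, queue = set(), [name]
    while queue:
        current = queue.pop(0)
        for child in edges[current]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def erasure_targets(catalog, name):
    """Locations that must be acted on to honour a deletion request.

    Returns {data_set_name: location} for the data set itself and every
    derivative, which is the list an operator works through.
    """
    names = {name} | downstream(catalog, name)
    return {n: catalog[n].location for n in sorted(names)}


def coverage_gaps(catalog):
    """Derivatives of in-scope data that are not themselves flagged in scope."""
    gaps = set()
    for d in catalog.values():
        if d.in_scope:
            for child in downstream(catalog, d.name):
                if not catalog[child].in_scope:
                    gaps.add(child)
    return sorted(gaps)


if __name__ == "__main__":
    print("erase crm_customers ->", erasure_targets(CATALOG, "crm_customers"))
    print("unflagged derivatives ->", coverage_gaps(CATALOG))
```

Running the check regularly against the live catalog is what turns the catalog into a control point: a research copy in a cloud bucket that derives from customer data shows up as a gap the day it is registered, rather than when a deletion request is missed.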
Implications for Merger and Acquisition Activities
Mergers and acquisitions (M&A) present a unique challenge to both implementing GDPR and managing change. M&A deals will often trigger the need to harmonize policies across two companies, including processes, tools and data classifications.
M&A deals will require additional budget to support the integration of the workflow systems behind GDPR implementation, as well as to retrain staff and customers on process changes during integration. Companies should make GDPR a priority during M&A work, to minimize the time spent running separate systems for reporting GDPR compliance. The following is how the four GDPR rights should be considered during M&A activities.
- Right to access – M&A activities could trigger a need to harmonize policies between companies that may have different approaches to how data is classified and used, and how customers are notified.
- Right to amend – Changes to company ownership could prompt customers to make changes they would otherwise not have thought to make, leading to an increase in post-M&A amend requests.
- Right to be forgotten – The most severe consequence could be customers choosing to remove their data from one provider because of their perception of the new company and its goals, post-M&A.
- Right to data portability – The right to portability is not removed as firms are integrated, but staff will have to plan for how to ensure that processes can be harmonized, to minimize the effort level for customers who do want to move their data to new providers.
This list is by no means exhaustive. GDPR affects all aspects of an organization, from data collection, through processing, to business decisions and partnerships. Consequently, GDPR requires a full organizational commitment, backed by a sponsor and the funding needed to ensure proper implementation and evolution as business structures and products evolve. GDPR touches many more parts of an organization than traditional security and compliance controls, and demands a higher level of awareness and training across the organization.
Here are three key elements to keep in mind as you implement GDPR in your organization:
- Create RACI matrices to clearly show who within an organization has accountability and influence for GDPR implementation and policy execution.
- Ensure the Data Protection Officer (DPO) has appropriate resources to fully implement GDPR and respond to changes in the business landscape.
- Own GDPR implementation internally; do not rely solely on external vendors at the risk of not developing internal knowledge and experience.