Analytics experts beware, the European Union (EU) General Data Protection Regulation (GDPR) may require significant changes to your current personal data management, analytics and reporting practices. Unlike privacy laws in other jurisdictions, the GDPR applies to organizations of all types and sizes located in and outside the EU. It is due to take effect on May 25, 2018.
You’ll soon need a legal basis to justify collection and processing of personal data. Consent must be “freely given, specific, informed, and unambiguous.” This will impact artificial intelligence, reporting, self-service BI, data warehousing, master data management, customer 360 projects, personalization and a myriad of line of business applications.
Although compliance is not a delightful topic, GDPR demands your time and attention. Penalties for non-compliance are severe. Your organization can be fined up to 4% of total global annual turnover or €20 million.
The “right to be forgotten”
Essentially the GDPR is about protecting and enabling the privacy rights of individuals. It establishes strict global privacy requirements governing how you manage and diligently protect personal data while respecting choice, responding to individual requests to update or erase data, and proving how you do it.
Personal data is broadly defined as any data that relates to an identified or identifiable natural person. In addition to obvious personal identification data such as names or tax numbers, it includes data on racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and sexual orientation. Personal data might reside in a CRM, line of business applications, web sites, mobile apps, databases, surveys, job applications, marketing systems, email, photos, video footage, and countless other places in the digital era.
Under the GDPR, individuals have a right to know if an organization is processing their personal data and to understand the purposes of that processing. They also have the right to have personal data deleted, corrected, moved elsewhere, and to revoke consent for certain uses of their data.
Understanding the GDPR guidelines is valuable knowledge for anyone in a data related profession. If you work with EU organizations or data from EU residents, you need to know about the GDPR. Even if you aren’t required to comply with this law next year, GDPR concepts are likely to be adopted in other parts of the world in the future. That is promising news for those of us who are concerned about all the inappropriate uses of our personal information.
Preparing for GDPR
Today collected personal data lives everywhere: on-premises, in the cloud, on devices and even in “intelligent things”. Most of the analytics landscape is subject to GDPR requirements. You’ll need to put processes in place to record data collection consent, and to discover, audit, organize, govern, secure and delete data. For business applications and data warehousing processes, deleting data is an unusual event that may never have been considered in the past. Getting GDPR-ready does require a holistic approach with cross-functional expertise, changes to enterprise-wide processes, and possibly acquiring new tools.
To begin preparing for GDPR, read and understand the GDPR regulation. From there, explore GDPR Ebooks, GDPR preparation toolkits and other resources that are already widely available if you simply search for them. If you can’t find detailed information, ask your data and analytics solution vendors for this material. Top analytics vendors have developed guidelines, kits, questionnaires, and sample reports that can expedite GDPR compliance project tasks.
Know your data
You’ll want to identify and inventory what personal data you collect and where it lives. E-discovery and data catalogs are fantastic solutions for this requirement. These solutions can scan through networks to automatically, intelligently populate a searchable catalog of data assets. They provide an additional layer of data security, auditing and governance. Data catalog solutions are available from information management platform and niche vendors including but not limited to Informatica, SAS, SAP, IBM, TIBCO, Alation, Waterline Data, Collibra, Datawatch and OneTrust.
After you know where personal data is located, you need to manage how personal data is accessed and used. This is where strong data security and governance processes are needed. You’ll define policies, roles, and responsibilities that align with GDPR rules.
Then you’ll put GDPR specific security controls in place to prevent, detect, and respond to vulnerabilities, malware and data breaches. Plan to update data risk management plans, including password protection, audit logging, and encryption of data at rest and in motion. Don’t overlook data loss. Information Rights Management (IRM) and Mobile Device Management tools can prevent sensitive information from being printed, forwarded, saved, edited, or copied by unauthorized individuals. For data storage, consider encryption, masking, and field level security of personal data.
Last but not least, you’ll need to keep detailed documentation so you can answer GDPR inquiries and requests for updates and deletions, and report on them for compliance purposes. This ranges from logging processing activities to recording flows of personal data into and out of the EU or to third-party service providers.
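The controls discussed above (recording consent, masking and field level protection of personal data, handling a deletion request, and logging processing activities) fit together in a small pipeline. The following is an added example written for this article, not code from the article or from any of the vendors it names; the sample CRM records, the in-memory "key vault", the purpose name "analytics" and all function names are constructed for illustration. It pseudonymizes identifiers with a per-subject keyed hash so that a deletion request can be honoured in downstream datasets by destroying that subject's key (crypto-shredding), and every step writes to an append-only processing log.

```python
"""Added example (not from the original article): a minimal consent register,
pseudonymization step and erasure routine for an analytics pipeline.
All records, names and the key-vault design are constructed for illustration."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed sample export from a hypothetical CRM (not real people).
RAW_RECORDS = [
    {"subject_id": "S-1001", "email": "alice@example.com", "phone": "+49 30 1234567",
     "country": "DE", "order_total": 120.50},
    {"subject_id": "S-1002", "email": "bob@example.com", "phone": "+33 1 9876543",
     "country": "FR", "order_total": 80.00},
    {"subject_id": "S-1003", "email": "carol@example.com", "phone": "+34 91 5551234",
     "country": "ES", "order_total": 42.10},
]


class AuditLog:
    """Append-only record of processing activities, one entry per step."""

    def __init__(self):
        self.entries = []

    def record(self, activity, subject_id, purpose, detail=""):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "activity": activity, "subject_id": subject_id,
            "purpose": purpose, "detail": detail,
        })


class ConsentRegistry:
    """Tracks which subject consented to which purpose; revocation removes the grant."""

    def __init__(self, audit):
        self._grants = set()
        self._audit = audit

    def grant(self, subject_id, purpose):
        self._grants.add((subject_id, purpose))
        self._audit.record("consent_granted", subject_id, purpose)

    def revoke(self, subject_id, purpose):
        self._grants.discard((subject_id, purpose))
        self._audit.record("consent_revoked", subject_id, purpose)

    def allows(self, subject_id, purpose):
        return (subject_id, purpose) in self._grants


class Pseudonymizer:
    """Keyed hashing of identifiers with one secret key per subject.

    Deleting a subject's key makes that subject's tokens in downstream datasets
    unlinkable to the person (crypto-shredding), which is how the erasure step
    below reaches copies that live outside the source system.
    """

    def __init__(self):
        self._keys = {}  # subject_id -> secret key (hypothetical in-memory key vault)

    def token(self, subject_id, value):
        key = self._keys.setdefault(subject_id, secrets.token_bytes(32))
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

    def shred(self, subject_id):
        """Return True if a key existed and was destroyed."""
        return self._keys.pop(subject_id, None) is not None


def mask_phone(phone):
    """Field-level masking: keep the leading country prefix, hide the rest."""
    digits = phone.replace(" ", "")
    return digits[:3] + "*" * (len(digits) - 3)


def build_analytics_dataset(records, consent, pseud, audit, purpose="analytics"):
    """Only consented subjects enter the dataset, and only in pseudonymized form."""
    rows = []
    for r in records:
        sid = r["subject_id"]
        if not consent.allows(sid, purpose):
            audit.record("skipped_no_consent", sid, purpose)
            continue
        rows.append({
            "token": pseud.token(sid, r["email"]),   # replaces the direct identifier
            "phone": mask_phone(r["phone"]),
            "country": r["country"],
            "order_total": r["order_total"],
        })
        audit.record("pseudonymized", sid, purpose, "email->token, phone masked")
    return rows


def erase_subject(subject_id, records, consent, pseud, audit):
    """Deletion-request handler: drop raw records, revoke consent, shred the key."""
    before = len(records)
    records[:] = [r for r in records if r["subject_id"] != subject_id]
    removed = before - len(records)
    consent.revoke(subject_id, "analytics")
    shredded = pseud.shred(subject_id)
    audit.record("erased", subject_id, "erasure_request",
                 f"raw_records_removed={removed}, key_shredded={shredded}")
    return {"raw_records_removed": removed, "key_shredded": shredded}
```

In practice the key vault would be a managed secret store rather than a dictionary, and the audit entries would be shipped to tamper-evident storage; the shape of the flow (consent check before processing, identifiers replaced by a keyed token, deletion that also destroys the linking key, and a log entry for each activity) is what the documentation and reporting obligations above ask you to be able to show.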
Don’t delay getting up to speed on GDPR. Every analytics pro should be aware of these upcoming laws and how analytics processes might change. GDPR is one of many regulations designed to ensure responsible use and protection of personal data.