The EU’s new General Data Protection Regulation (GDPR), which takes effect in May, is designed to protect EU residents’ data, regardless of where that data is collected, stored or processed, so the regulation has wide applicability beyond the borders of the EU. That means many companies that have data on EU-based persons will be subject to GDPR and its enforcement. U.S. organizations need to understand not only their risk of exposure under GDPR, but also how they can mitigate that risk through evolving best data protection practice.
A new Forbes Insights report, “Data Protection by Design: The Opportunity in the Obligation of GDPR Compliance,” sponsored by Pitney Bowes, takes a deep look into this issue and how businesses can best prepare. In a previous blog post, we examined potential penalties and some guidelines for how businesses can get ready for this new regulation. In this post, we’ll discuss some common obstacles companies encounter as well as concrete steps to take in a data quality approach to GDPR.
GDPR compliance is not possible without quality data, data management practices and the advanced capabilities to curate it. Many of those capabilities do not exist today within organizations because of internal gaps in technical infrastructure or processes. Compliance touches on multiple areas within a business—legal, IT and marketing are all important stakeholders—so multiple groups need to come together to ensure success.
Practically, organizations need to be able to quickly query and return all relevant information on individuals; allow individuals to correct, move and remove data relating to them; and, in the event of a breach, notify regulators. In situations of “high risk,” organizations may also need to notify affected individuals. Carrying out these actions requires the ability to create a single, unified record for each data subject. Acquiring the ability to produce such a unified record is non-trivial and—depending on the age of an organization’s infrastructure—can be very costly.
There are a few common stumbling blocks for organizations when tackling this set of requirements for the first time.
- KNOWING THE PROCESS: The biggest initial problem is simply knowing what data you’ve got and where you’ve got it. Overcoming this challenge can be straightforward when the data in question is static (i.e., it doesn’t change once captured) and limited to structured databases such as those in customer relationship management (CRM) or enterprise resource planning (ERP) software. But it gets more complicated with unstructured and dynamic data that changes continuously (e.g., a person’s location).
- KNOWING THE DATA: There are often multiple versions of the same data, and many different people share the same, common name. An organization needs to be able to differentiate between one James Smith, say, and another. Various name abbreviations, spellings and misspellings—accidental and deliberate—complicate things further. So, when a James Smith requests his data, or a correction to it, the organization needs to be absolutely sure it’s pulling all the right and relevant records, and only those.
- KNOWING WHOM TO INVOLVE: GDPR isn’t purely a security or IT issue; it’s a larger, more pervasive business issue. Planning for it should involve multiple stakeholders, including marketing. It’s unlikely that all the knowledge required for compliance already exists in-house, so bringing in outside help and hiring the resources where needed should also be top considerations.
The steps involved in a data quality approach to GDPR can be broken down into four main areas.
- Before GDPR compliance can be achieved, data needs to be catalogued to record what data is stored, where and why; whether it’s structured or unstructured, and whether it’s stored digitally or in analog form. This is more a consultative exercise than an IT process.
- Data minimization is central to many of the requirements of GDPR, so decisions will need to be made around what personal data is necessary to have, under what basis it is being collected and what can be deleted. At the same time, the quality of the remaining data will need to be improved: Duplicates must be found and resolved, and conflicting data must be validated against credible sources to ensure accuracy.
- This phase requires a system that enables the data to be queried and subsequently delivered, deleted, corrected or ported when it is requested. The trick here is accessing that data in real time when required.
- Establishing the right governance model out of the gate is absolutely critical. There should be an internal body not only with the authority to orchestrate the above phases but also with the remit to change processes and oversee their implementation. Part of this process may be designating the data protection officer, as outlined in the GDPR itself.