Data Management in the Age of GDPR
by Michael Hiskey | January 09, 2018
What if the consequences were not just lost time, revenue, and morale?
This post originally appeared in ITProPortal.
When data becomes a disaster—superfluously siloed, geographically redundant, overrun with entry errors—it’s a nightmare for IT and customer service and everyone else. But what if the consequences were not just lost time, revenue, and morale? What if poor data management also cost €20 Million, or four per cent of annual global turnover? Such are the stakes of the new General Data Protection Regulation (GDPR).
Passed a year ago, and taking effect May 2018, the GDPR consists of 200-plus pages of EU data privacy regulations. Yet despite its breadth, the GDPR may be best known for Chapter 3, Article 17—or the “right to be forgotten.” This law, which gives a “data subject” the ability to have their data deleted, has legal precedent in 2014’s Google Spain v AEPD, a case where the Court of Justice of the European Union (CJEU) stated that individuals had the right to stop search engines like Google from linking to news items that were “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.”
Cases like these shed light on concerns about digital safety. Over just the past two years, the UK has seen major, high-profile breaches at Wonga (payday loans), Three (telecom), Sports Direct (retail), Tesco (its banking arm), and Sage (accounting and HR software). Each attack alerts citizens to the dangers of cyberspace, where shadowy criminals prey on innocent people with schemes as simple as phishing emails (Action Fraud says it received an average of 8000 phishing reports per month in 2015). These attacks bring a much-needed deluge of reminders about checking credit card statements, using stronger passwords, and exercising discretion with Personally Identifiable Information (PII). In each case, the message is clear: personal security is data security.
Businesses may be keen to label the GDPR and the “right to be forgotten” as a threat. But that would be a mistake. Clean, transparent, 360-degree views of customer data are not bugs but features, so long as vast regulations can be recast as a massive Know Your Customer (KYC) initiative. Critical to this outcome will be Master Data Management (MDM), the discipline necessary to extract maximal value from raw data, to turn new regulations into streamlined ROI.
Data’s new territory
When GDPR comes into effect, EU individuals will have new data rights. Some, like the right to data access, the right to restrict data processing, and rights in relation to automated decision making and profiling, are similar to rights laid out by 1998’s Data Protection Act (DPA). But others go beyond the DPA: the right to be informed, for instance, contains notable language about data transparency. This could drastically affect marketing. If businesses must explain their data intentions to customers in clear language, bundled consent forms could go extinct, and squirreling away data for future use could become costly.
The rights to rectification (wherein individuals and third parties must be informed of data changes) and to object (to data marketing and profiling) will also affect businesses. But, from a B2C perspective, the most impactful might be the right to data portability, which will allow customers to request their data to price shop. As the Information Commissioner’s Office (ICO) explains, this could upend banking by allowing customers to upload data “to a third party price comparison website . . . display[ing] alternative current account providers based on their own calculations.”
Mastering data management
As data becomes more valuable, data management assumes more prominence. With commercial transactions almost entirely digitised—think of online shopping, mobile banking, the Internet of Things, payments security—today’s businesses can let their troves of raw data rot, or they can actively store, curate, and analyse it. Analytics, the lifeblood of business intelligence, come in four modes: prescriptive (what should happen), predictive (what might happen), descriptive (what is happening), diagnostic (what happened). Can your data make them matter?
In the future, data will also have to become better. According to PwC, senior executives expect that data-based decision-making will improve over the next three years in terms of speed and sophistication. This is the data feedback loop: data drives decisions, which creates the need for bigger, faster, sleeker, smarter, richer data. Even if some have proclaimed the Big Data Era over and the Eras of Artificial Intelligence and Machine Learning on the horizon, we must remember that AI and ML are data-dependent.
Indeed, data today is technology, and so it must be treated and tended. This is the domain of Master Data Management, which Gartner defines as a “technology-enabled discipline in which business and IT work together to ensure the uniformity, accuracy, stewardship, semantic consistency and accountability of the enterprise’s official shared master data assets.”
What can MDM do? Service financials, sales, and management simultaneously. The newest MDM is dynamic and agile; it locates and solves problems that plague inefficient legacy systems: geographical errors, logistics mistakes, inadvertent table errors, data integration errors, data model errors, data report errors, even data entry errors propagated throughout a system from code and metadata errors.
The GDPR’s “accountability principle” emphasises data governance. For businesses, proof of compliance could involve more staff training, internal audits of processing activities, and reviews of HR policies. Public authorities and organisations that carry out large scale systematic monitoring of individuals must appoint a Data Protection Officer. Organisations with more than 250 employees will need to maintain internal records of processing activities.
When the authorities ask for chronologically ordered sets of manual records that contain personal data from IP addresses and key-coded data to genetic and biometric data, will you be ready? Will you translate compliance into employee and consumer confidence and enhance organisational branding? Will you seize these regulations as opportunities to protect sensitive, proprietary company data; to achieve a granular understanding of the organisation; to put the right data people in the right place; to allow for streamlining and automation of internal processes that lower operational costs; to open avenues for future data projects?
Brexit won’t save us
The GDPR is already here. Last fall, Elizabeth Denham, head of the ICO, voiced her support for it, and in her speech in January, Prime Minister Theresa May explicitly stated that the UK will be subject to the GDPR regardless of Brexit (which does not officially occur until the spring of 2019, one year after the GDPR takes effect). The press will be salivating over the first company to be fined for GDPR noncompliance. Don’t be the one.