Talend’s Patrick Booth looks at the potential impact that the General Data Protection Regulation will have on businesses across Europe and the need to track and trace how potentially sensitive data is managed and used.
The pending General Data Protection Regulation (GDPR) is set to have a dramatic impact on businesses across Europe. To make certain of compliance by the time GDPR enters into application in May 2018, organisations need to take action now to ensure they are adequately capturing, integrating, certifying, monitoring and of course, protecting their data.
There is a lot to do. Many organisations across both public and private sectors have not yet given due consideration to the problem, let alone taken proactive action to prepare themselves for full compliance with the new ruling, which was introduced by the European Commission on May 4, 2016.
They will not be able to put this problem on the backburner for much longer, however. A failure to comply with the new regulations could be costly. Breaches of some provisions could lead to data watchdogs levying fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater.
When GDPR comes into force, businesses will need to track and trace each and every piece of potentially sensitive data, and determine how it is processed across their entire information supply chain – from their CRM and HR systems to their Hadoop data lakes. This same careful data management will be required to comply with “privacy by design” principles, which means that each new digital service that makes use of personal data must take the protection of such data into consideration, for example, by considering data anonymization or pseudonymization.
Compliance with GDPR is also dependent on the organisation’s data agility, as it mandates to communicate transparently with data subjects on their personal data and grants them rights for data access, as well as rectification and erasure at any time, free of charge. This can be a particular challenge for large, complex or geographically dispersed organisations where data is often siloed, duplicated and distributed across many different sites and likely stored in multiple places. Any delays to answer requests can be a major problem for businesses if they don’t have a clear process and widely accessible system to compile the requested information.
Businesses today are faced with the proliferation of data together with multiple new cloud and digital applications. It is therefore becoming increasingly difficult for IT departments to take total ownership of the protection of personal data without engaging their counterparts in HR, Sales, Marketing, and other customer-centric business units.
However, for most companies, GDPR mandates the appointment of a Data Protection Officer (DPO). Their role is to educate, advise internally on the obligations under the regulation, monitor compliance, and cooperate with the supervisory authority. But, more importantly, their main challenge in the data-driven era where data is everywhere is to delegate the organization’s accountability for privacy across all the activities and stakeholders that access and process that sensitive data.
Finding a Way Forward
So what’s the solution to this complex challenge? Ensuring proper data protection, data integrity, security and ultimate compliance requires businesses to first establish a collaborative approach for delegating accountability and responsibilities.
Data governance should be a collective responsibility. Based on a data-centric shared platform, IT needs to turn everyone in the company who has to deal with sensitive customer or employee data into an agent for better data protection.
There’s also the opportunity to set up an information hub where all the data that needs to be monitored can be captured, discovered, documented, harmonised, reconciled and shared. And this is the concept of the data lake that many companies are implementing today to get a 360-degree views of their data subjects, their customers, employees. The beauty of the approach is that regardless of whether the lake is housed on premises, or in the cloud, it provides a centralised repository that the business can use to store significantly more information at a lower cost, and a collective resource that employees can work on together to extract insight from.
That’s where modern data integration platforms can be key in helping achieve GDPR compliance. They allow organisations to quickly gather all the data that relates to a subject – a customer, an employee – in the data lake. Then, they draw the relationships between the disparate data points into a reconciled view where data is harmonised and can be tracked and traced across the information supply chain. And finally, a data governance layer can be established on top, facilitating new data policies required by regulations such as GDPR, such as anonymising sensitive data whenever needed, and, through data stewardship, delegating accountability to the people that know the data best.
Good data stewardship and governance are not just about keeping in line with the strict letter of the regulatory law, though, it’s also about unleashing access to trustworthy data across individual business units, thereby helping to drive productivity and ultimately competitive advantage. What we’ve described in the above might sound familiar: it is all about building the 360-degree view that many consider as the ‘nirvana’ of our digital age. The bad news, now with GDPR, is that it is no longer a ‘nirvana’ but rather a mandate that’s worth a fine that, once the regulation goes live, could equate to as much as 4% of your global revenue if you fail to comply. The good news is that platforms have evolved to empower your organisation to meet this goal while helping you to reap all the benefits of this new goldmine: namely, the precious data that you can leverage to transform your customer experiences and your business.