Five Ways to Reduce GDPR’s Impact

By John Morrell

In April 2016, the European Commission ratified the General Data Protection Regulation (GDPR), which covers the capture, control and consent to use personal information. The May 25, 2018 deadline looms ahead. Are you ready?

GDPR has the potential to uproot the many ways organizations manage, protect and use customer data. This is especially true in the context of big data analytics, where many initial use cases are focused on customer analytics.

What is GDPR?

GDPR is a regulation created by the European Parliament, the European Council and the European Commission to strengthen and unify data protection for individuals inside the European Union (EU). It creates a single set of rules to govern the use of personal data, regardless of source and across all uses.

GDPR broadens the scope of personal privacy laws to protect the data rights of EU citizens. It’s important to understand that GDPR is not limited to organizations based in the European Union. Whether you’re an EU-based business or not, if you have customers in the EU you will be affected.

To be in compliance with GDPR, organizations need to implement measures to protect data, demonstrate processing activities and conduct impact assessments. This requires that data protection measures are designed into the development of business processes for products and services.

Lack of GDPR compliance can come at a hefty cost. Fines could be levied up to 20,000,000 EUR or up to 4 percent of the annual worldwide turnover of the preceding financial year. That’s not all. Think about the soft costs of a brand’s reputation if it suffers from non-compliance.

What is GDPR’s Impact?

GDPR affects all personal data and changes the way entire organizations interact with Personally Identifiable Information (PII). All customer data gathered from the ecosystem is subject to GDPR, whether it is willingly provided or gathered by automated systems.

This also includes PII data stored and used in data lakes and big data analytic platforms. GDPR explicitly extends personal privacy regulations to include decisions or actions organizations make on an “algorithmic” basis.

An important distinction that GDPR adds to privacy laws is that valid consent must be given by an individual for both the collection of data and the use of the data. This consent can also be revoked at any time, and individuals have a right to be forgotten, or erased from the systems. To be in compliance, analytics must capture this consent and continuously monitor for these scenarios.

With GDPR, organizations will need to dig deeper into their data lakes, big data analytics and how they use the analytics to ensure compliance with the regulations. Let’s look at ways in which big data customer analytics will be affected, and how you can minimize the impact.

1. Increase Discovery on Customer Data Assets

With all the new GDPR rules, a fresh round of data discovery on your customer data assets is critical, particularly to identify what assets exist and the characteristics of those assets. Specifically, you need to understand:

  • Where did the data come from? Trace data to its source and the various resting spots.
  • How is it used? Look beyond how assets are transformed to which derivatives are taken from them and which processes they are delivered to.
  • Is consent granted? Identify whether consent was asked, given or even revoked for both the data and the downstream uses.

This is a combination of exploring the data itself and the lineage of the analytic processes where the data is used.

2. Operationalize Compliance

As mentioned previously, your analytics will need to take into account new consent rules, the fact that consent can change at any time and requests can be made for removal. This requires:

  • That analytic models examine whether the individual has given consent for the use the analytics are driving and filter out personal data where it was not granted
  • Creation of data retention policies that look for data where removal requests have been made and erase the data

The new analytic models and data retention must then be operationalized to comply with the mandates.

3. Increase Security and Governance

If you have not already done so, examine the security and governance for all of the customer assets and analytics where they are used to ensure protection. As needed, do the following:

  • Make sure the analytic platform is integrated with your enterprise security systems to lock it down from an access control standpoint
  • Apply encryption and masking to the customer data to ensure its privacy through the analytic cycle
  • Apply proper security policies to the various forms of data as it flows through the analytic cycle

It’s critical to take a holistic approach to securing customer data across the entire information lifecycle as it goes from raw data to intermediate forms to final results.

4. Monitor for Compliance

With the variety of rules involved, monitoring for GDPR compliance can quickly become complex. Data gets scattered. Analytics change. Jobs run continuously. To get ahead of the game, you should:

  • Ensure you have complete, end-to-end lineage for each of your analytic processes that use personal data
  • Set up the ability to monitor all the processes involved, including access to data, execution of analytic jobs and security applied at different points
  • Put in place automated rules to control how personal data is managed and retained, and ensure these rules examine consent and erasure options

This will ensure you have the proper controls in place to maintain GDPR compliance.
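The consent filtering and erasure checks described in sections 2 and 4 can be written as an automated rule that runs before an analytic job. The following is an added example, not code from the original post or from Datameer; the consent registry, subject ids and row values are constructed, and the treatment of a subject with no consent record as "not granted" is an assumption made here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

@dataclass
class Consent:  # hypothetical consent-registry entry for one data subject
    purposes: Set[str]                     # uses the subject agreed to
    revoked_at: Optional[datetime] = None  # set when consent was withdrawn
    erasure_requested: bool = False        # right-to-be-forgotten request received

REGISTRY: Dict[str, Consent] = {  # constructed sample registry, keyed by subject id
    "s1": Consent({"analytics"}),
    "s2": Consent({"analytics"}, revoked_at=datetime(2018, 6, 1, tzinfo=timezone.utc)),
    "s3": Consent({"analytics"}, erasure_requested=True),
}

ROWS: List[dict] = [  # constructed sample rows as they might sit in a data lake table
    {"subject": "s1", "spend": 120.0},
    {"subject": "s2", "spend": 80.0},
    {"subject": "s3", "spend": 10.0},
    {"subject": "s9", "spend": 99.0},  # no consent record at all
]

def consent_status(reg: Dict[str, Consent], subject: str, purpose: str) -> str:
    """Classify why a row may or may not be used for `purpose`."""
    c = reg.get(subject)
    if c is None:
        return "no_record"  # never asked, so treat as not granted (assumption)
    if c.erasure_requested:
        return "erasure_requested"
    if c.revoked_at is not None:
        return "revoked"
    if purpose not in c.purposes:
        return "purpose_not_granted"
    return "ok"

def filter_for_purpose(rows, reg, purpose):
    """Keep rows usable for `purpose`; also return exclusion counts by reason as audit evidence."""
    kept, audit = [], {}
    for row in rows:
        status = consent_status(reg, row["subject"], purpose)
        if status == "ok":
            kept.append(row)
        else:
            audit[status] = audit.get(status, 0) + 1
    return kept, audit

def erasure_candidates(rows, reg):
    """Rows a retention job must delete because the subject asked to be forgotten."""
    return [r for r in rows if r["subject"] in reg and reg[r["subject"]].erasure_requested]
```

The exclusion counts returned alongside the kept rows are the kind of per-run evidence that can be exported to the central repository described in section 5.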

5. Prove Compliance

Lastly, you will need to continuously prove you are in compliance with GDPR, which requires the ability to report and audit what’s happening with personal data. Gathering this information manually can be time-consuming and tedious.

Smart organizations are consolidating information about GDPR processes in central repositories, cataloging solutions or IT control systems. Set up connections from your analytic platform to export information to these systems, including:

  • Full lineage
  • Information on data sources
  • Metadata on the analytic models
  • Logs of job execution
  • Logs of security policies

This will provide a complete audit trail of information to create an easy, extensive GDPR compliance reporting process.

Conclusion

GDPR has the potential to place great burdens on organizations in how they manage, secure and use personal data. Using personal data in big data analytics is no exception and needs to be incorporated into your GDPR strategy.

Does your big data preparation and analytics platform have all the critical capabilities to help keep you in GDPR compliance and reduce the burden of compliance reporting and auditing processes? Download your white paper to learn more about how to apply GDPR compliance to your analytics and the critical capabilities you need to do so.

This article was originally published on the Datameer blog.