Think Globally When You're Managing Your Data Locally
Companies in the U.S., Canada, Mexico, and elsewhere might not be thinking about the European Union's General Data Protection Regulation, but they should be.
- By Steve Swoyer
- September 6, 2016
Grants Pass, Oregon, is a long way from Brussels, Belgium, the seat of EU government -- 5,280 miles, to be precise -- but the European Union and its upcoming General Data Protection Regulation (GDPR) dominated the discussion at the 15th Annual Pacific Northwest BI Summit.
In his BI Summit presentation, research analyst Mike Ferguson, a principal with UK-based Intelligent Business Strategies, addressed the GDPR, which is slated to take effect in 2018.
New Regulation Will Affect Global Data
Companies in the U.S., Canada, Mexico, and elsewhere might not be thinking about the GDPR, but they should be, Ferguson argued. Its data privacy regulations will obviously affect any organization that does business in the EU. Global business is by definition interconnected, which means the GDPR will affect organizations that don't have a business presence in the EU, too.
"There are some significant technical and other reasons that are preventing data from being consolidated or brought [in]to a central location for analysis," Ferguson told attendees. "The broad reason ... is the conflicting legislation in different jurisdictions [with respect to] data privacy. This makes it illegal to bring certain kinds of data together or to store [data] in certain ways."
Exhibit A is the GDPR, which not only governs what data companies can collect about EU citizens, but what they can do with it, how they can store it, where they can store it, and -- no less important -- under what conditions they can retain it.
Data Privacy Enforced with Fines
Core to the GDPR is a "right to erasure" provision, which formalizes a process whereby people can petition an organization or Internet intermediary (including search engines such as Google or Bing) to purge their data.
The GDPR isn't just a new draconian regulation, Ferguson noted -- it's a new draconian regulation with teeth.
Failure to comply could cost companies up to 4 percent of their global revenues, according to GDPR guidelines. "It's something of a ticking time bomb... It's analogous to a Y2K-thing, where there's going to be a rush to comply by the [May] 2018 deadline," Ferguson told Upside.
In other words, it's a challenge that companies -- in the EU, the Middle East, Africa, Asia-Pacific, and of course, the Americas -- are not prepared for.
Will Governments Regulate Global Business Data?
In fact, data privacy regulation will be salient for organizations of every size in every region, argued Michael Whitehead, CEO of WhereScape, a company that develops automation software designed to accelerate data warehouse and analytics development.
Because of legislation such as the GDPR, Whitehead said, national governments are newly interested in issues (such as data privacy and data retention) normally associated with data governance.
The problem, said Whitehead, is that legislation such as the GDPR constitutes a kind of de facto trade barrier, one that -- because of its Byzantine complexity -- is even more daunting than the physical trade barriers governments are used to haggling over. "It's essentially the first time I've ever seen a government take an interest in data governance. They're used to negotiating over borders and tariffs, not privacy regulations," he said.
"I think what we're going to see is that the different countries or trade blocs are going to formalize data privacy regulations that hew -- loosely or more closely -- with [GDPR]," he said, citing discussions WhereScape has had with the government of New Zealand.
"The idea is that if I have a set of regulations in place about data and you don't comply with those regulations, then you can't have any of my data. What we're looking at [in New Zealand] is aligning things like privacy and security with [the requirements of] other jurisdictions, so that to meet the New Zealand standard for data security is to meet the EU standard for data security. The idea is that you don't have to go and figure out every single country's requirements, the governments will figure those out themselves."
Metadata and Data Management Must Improve to Stay Compliant
Donald Farmer, vice president of innovation and design with Qlik Inc., broached an especially intriguing idea. First, the backstory: if you're a multinational corporation, Farmer noted, you can't help but plan for the GDPR.
"[Companies are saying] we're not going to do things that metadata cannot manage, because the regulations are so punitive that we can't afford to [make a mistake]. So I'm going to create a metadata map and that had better represent my business, not because the [metadata] technology is better, but because I can't afford to be outside [i.e., to have business activities that aren't represented in] that map."
"It could be that you're going to find that metadata can succeed now where it failed before ... because the problem has changed," he said.
The challenge, he continued, is that managing data is harder than ever. It isn't just that the technology really isn't any better; it's that data sources are more numerous, diverse, complex, and geographically distributed than ever. Especially in large organizations, it can be impossible to manage data (and, by extension, to safeguard sensitive data) so as to be in compliance with the GDPR.
Diversification as a Solution?
Farmer also related a story about a conversation he'd had with an enterprise architect from file hosting service Dropbox.
"Under European Union regulations, they have to be able to ensure that something is deleted. They have to be able to prove that it's deleted. That's incredibly difficult when you've built all of these self-replicating redundant data sets and they're distributed all over the enterprise," Farmer noted.
"The [data architecture] diagrams you [usually see] are all about pushing data out. Nothing [has to do with] how do you track back through the whole system and ensure that data doesn't exist anymore," so organizations will increasingly employ an organizational trick, Farmer argued.
"Innovation is going to occur by [virtue of] companies splitting off. They're going to have to diversify into smaller companies in order to cover their risk -- or make that happen [organizationally]."
"You'll find a company taking a data set and rather than doing new work within this bank, actually 'selling' that data to a wholly-owned subsidiary. They're going to create data governance air gaps between companies in order to make metadata management [manageable]."
Attendee Merv Adrian, a vice president with Gartner, was skeptical.
Adrian restated Farmer's argument: "Your thesis is that the regulatory environment is changing things in such a way that companies will not do things that are ungovernable." Farmer agreed -- that's his position.
"I don't believe that in a minute. I think [companies in some regions will] find other ways," Adrian rejoined, noting that several countries have shown a consistent willingness to disregard economic norms or trade regulations/agreements.
In a follow-up interview, Farmer said that although he can't yet cite any examples of this kind of reorganization, he anticipated companies would experiment with it as a "legal get-around" -- if only to mitigate their exposure to the punitive mechanisms of regulations such as the GDPR. There's always a market for new tax shelters, after all -- until tax authorities start sniffing around.
Whether enterprises reorganize, consolidate their metadata systems, or expect their governments to create additional local guidelines, businesses around the world will have to come to grips with the GDPR sooner rather than later.
Stephen Swoyer is a technology writer with 20 years of experience. His writing has focused on business intelligence, data warehousing, and analytics for almost 15 years. Swoyer has an abiding interest in tech, but he’s particularly intrigued by the thorny people and process problems technology vendors never, ever want to talk about. You can contact him at firstname.lastname@example.org.