GDPR: Three Areas That Need Your Attention Now
GDPR has arrived. Here are three things your organization needs to do now.
- By David Stodder
- May 25, 2018
Today is an important day for all organizations that store and analyze data about European Union (EU) consumers and customers. With no shortage of bravado, the EU calls its General Data Protection Regulation (GDPR), which goes into effect today, "the most important change in data privacy regulation in 20 years."
The EU's bravado isn't hype. Due to GDPR, organizations must make significant changes in how they use and manage any data that could be regarded as personally identifiable information (PII) about EU citizens. GDPR represents a watershed moment in data privacy that will force organizations everywhere to change how they manage and analyze customer and consumer data and seek to monetize insights based on this type of data.
Although GDPR most directly affects firms based within the EU, the regulation is intended to protect the PII of EU citizens stored and analyzed by organizations based outside of the EU as well. Of course, what gets the attention of CEOs and CFOs are the potential fines; noncompliance could cost organizations 4 percent of their annual revenue or 20 million euros (about $24 million), whichever is higher.
In spite of the attention around the implementation deadline, GDPR is not a single event like the infamous Y2K was. Organizations will need to hire or designate a data protection officer (DPO) to be accountable for GDPR compliance. Organizations will need to set up reporting and auditing capabilities to ensure that the enterprise stays in compliance and can answer inquiries from regulators. To enforce GDPR internally, news reports indicate that many EU-based companies plan to withhold bonuses or benefits from employees who access and manage PII data if employees do not act to ensure ongoing compliance.
The GDPR deadline is coming at a time of rising concerns about data privacy. The high-profile story of the uncontrolled use of Facebook's customer data by (now defunct) partner Cambridge Analytica has raised considerable alarm worldwide. Data breaches continue to be commonplace, even at enterprises that one would expect to be the most advanced in protecting PII, such as credit scoring firms. Consumers and customers are asking questions and demanding better management of their data.
As the Facebook case illustrates, company reputations suffer considerably if they do not appear to be protecting sensitive customer and consumer data. The Wild West days in which social media networks, online retailers, and other firms could collect massive quantities of data from customers (and use it as they wished for data science and data monetization) could be drawing to a close.
Key Areas of Attention Now
GDPR will force organizations to put a more careful focus on how they capture, control, and process personal information. Personal information is defined rather broadly by the EU as "any information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Organizations must gain "specific and unambiguous" consent from customers to use the data, and the use must be associated with a specific and well-understood business purpose so customers can opt out if they wish. GDPR supplants previous consent agreements gained from customers.
Three primary areas demand your enterprise's attention now.
1. Know what data you have. Your organization should undertake a thorough inventory of its data across all platforms. Typically, customer data is distributed across multiple platforms, including those of third parties. Your organization can be in breach of GDPR if third parties are using your customer data inappropriately. Thus, the first step is an inventory. Use technologies such as data catalogs and metadata management that make it easier to keep track of your data.
Your enterprise will also have to ask itself why it is storing personal data -- a difficult question in this age of big data when collecting and storing any and all data has seemed like a good thing. Your organization may need to change its strategy and store as little personal data as possible to minimize risk of exposure and regulatory violations.
2. Discover who is responsible for the data. Your enterprise needs to know the origins and ownership of all your data as well as how it is being used and transformed. This requirement raises the importance of data lineage and governance. Your organization will need to apply technologies and practices that allow it to track the data's journey from its first collection to how it is transformed and analyzed. GDPR audits will require this capability.
3. Account for how and why data is being processed. This consideration is critical to meeting the consent requirements of GDPR. Your organization must examine how BI and analytics application users are analyzing and sharing customer data, which could be challenging if your organization employs self-service BI, analytics, or data science. A key GDPR regulation is the "right to an explanation," which means that customers and consumers are entitled to know the reasons for a decision based on analytics, such as the denial of a loan request. This aspect of the regulation is the topic of hot debate in the data science and artificial intelligence community because it could seriously impact the use of machine learning. Your enterprise will have to avoid "black box" analytics techniques that do not offer sufficient transparency to explain decisions in human terms.
Governance Is Essential
The increase in attention on data privacy will require organizations to focus more attention on governance and make it part of BI and analytics projects from the beginning, not just an afterthought. GDPR will likely spur interest in tightening data privacy regulations in other regions and countries, including the U.S. With solid governance, organizations will be better prepared to adhere to new regulations.
David Stodder is director of TDWI Research for business intelligence. He focuses on providing research-based insight and best practices for organizations implementing BI, analytics, performance management, data discovery, data visualization, and related technologies and methods. He is the author of TDWI Best Practices Reports on mobile BI and customer analytics in the age of social media, as well as TDWI Checklist Reports on data discovery and information management. He has chaired TDWI conferences on BI agility and big data analytics. Stodder has provided thought leadership on BI, information management, and IT management for over two decades. He has served as vice president and research director with Ventana Research, and he was the founding chief editor of Intelligent Enterprise, where he served as editorial director for nine years.