The 6 Pillars of the GDPR (Part 2 in a Series)
The new General Data Protection Regulation has a lot to say about how enterprises must protect individuals' personal data.
On May 25, 2018, the EU's General Data Protection Regulation, generally known as the GDPR, became enforceable.
This new set of regulations is all about information governance and the rights of individuals in the EU (data subjects) regarding their personal information held or processed by organizations.
The GDPR is built on six key principles:
- Data minimization
- Storage limitations (data retention)
- Lawfulness, fairness, and transparency
- Integrity and confidentiality
- Accuracy
- Purpose limitations
The first two have the greatest impact on BI systems and were discussed in the first article in this series. Now let's examine the remaining four principles.
Lawfulness, Fairness, and Transparency
An individual -- also known as a data subject -- has certain rights. Specifically, the:
- Right to rectification: The individual has the right to have inaccurate personal data rectified
- Right to be informed: Individuals have the right to know about the personal data collected and processed about them
- Right to access: An individual can confirm that their data is being processed; individuals can access their personal data
- Right to data portability: Individuals can obtain data about themselves that a data controller holds, and the individual can reuse that data for their own purposes
- Right to erasure (right to be forgotten): Individuals can request erasure verbally or in writing; the enterprise must act without undue delay and within one month; the right does not apply where the enterprise has overriding legitimate grounds or a legal obligation to keep the data (e.g., an insurance company that needs the data for fraud detection, or records that must be retained for a statutory minimum period)
- Right to object: Based on grounds relating to his or her particular situation, an individual has the right to object to processing (meaning any operation or set of operations that are performed on personal data)
- Right to restrict processing: An individual has the right (on certain grounds) to request the controller to restrict processing of their personal data
- Rights relating to automated decision making, including profiling: The GDPR gives individuals safeguards against decisions that produce legal or similarly significant effects being made solely by automated means, without human intervention
Integrity and Confidentiality
When it comes to keeping data private, the GDPR requires that your enterprise pay attention to three particular areas.
Data at rest. Personal data should be locked down with access controls such as roles and strong authentication, supplemented where appropriate by the encryption and pseudonymization the GDPR explicitly names as security measures. If you have a data warehouse containing personal information, it should be secured so that access is strictly limited. Within the warehouse itself, further levels of control may be required to protect areas of particular sensitivity. For example, an HR data warehouse may need to restrict access to employees' medical conditions or trade union membership, both of which are special categories of personal data under the GDPR, to a smaller set of roles than the rest of the employee record.
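As an added illustration of the column-level restriction described above (example SQL written for this page, not taken from the original article or from any vendor's documentation), the following PostgreSQL statements let general HR analysts read ordinary contact data while keeping the health and union-membership columns readable only by a separate role. The schema, table, column and role names are assumptions for illustration, and the statements are run as a superuser or the table owner.

```sql
-- Added example, not part of the original article. PostgreSQL dialect.
-- Schema, table, column and role names are hypothetical.

CREATE SCHEMA hr;

-- Constructed sample table: ordinary personal data alongside
-- special-category data (health, trade union membership).
CREATE TABLE hr.employee (
    employee_id        integer PRIMARY KEY,
    full_name          text NOT NULL,
    email              text NOT NULL,
    department         text,
    medical_condition  text,      -- special-category data
    union_member       boolean    -- special-category data
);

-- Constructed sample rows.
INSERT INTO hr.employee VALUES
    (1, 'A. Example', 'a.example@example.org', 'Claims', 'asthma', true),
    (2, 'B. Example', 'b.example@example.org', 'Finance', NULL,     false);

-- Defensive: make sure no implicit PUBLIC privileges exist on the schema
-- or table, so every access path must be granted explicitly below.
REVOKE ALL ON SCHEMA hr FROM PUBLIC;
REVOKE ALL ON hr.employee FROM PUBLIC;

-- Two roles: general HR analysts and the occupational-health team.
CREATE ROLE hr_analyst NOLOGIN;
CREATE ROLE hr_occupational_health NOLOGIN;
GRANT USAGE ON SCHEMA hr TO hr_analyst, hr_occupational_health;

-- Analysts get a column-level grant naming only the columns they need.
-- Any query touching an unlisted column (including SELECT *) is refused.
GRANT SELECT (employee_id, full_name, email, department)
    ON hr.employee TO hr_analyst;

-- Occupational health may read the special-category columns as well.
GRANT SELECT ON hr.employee TO hr_occupational_health;

-- Check that the restriction holds. As hr_analyst the first query
-- succeeds and the second is rejected with "permission denied".
SET ROLE hr_analyst;
SELECT employee_id, full_name, department FROM hr.employee;
SELECT medical_condition, union_member FROM hr.employee;  -- ERROR: permission denied
RESET ROLE;

-- As hr_occupational_health both columns are readable.
SET ROLE hr_occupational_health;
SELECT employee_id, medical_condition, union_member FROM hr.employee;
RESET ROLE;
```

Column-level grants are preferable to a "safe" view alone because the restriction travels with the base table: a new report, an ETL job, or an ad hoc query run under hr_analyst cannot reach the special-category columns by bypassing the view.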
Data in transit. Personal data in transit should be sent over an encrypted channel, such as SFTP (the SSH File Transfer Protocol) or TLS, or encrypted before transmission. Moving an individual's personal or sensitive information between sites or transmitting data to third parties must be done securely. Under previous legislation (pre-GDPR), EU companies were fined for the dreaded "laptop lost on public transport" containing customers' personal data. Strictly, that is personal data at rest on a portable device rather than data in transit, and the lesson carries over: today many organizations apply full-disk encryption to all staff laptops.
Data breach. Businesses must report personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. It has been hard to determine just how many data breaches businesses have had over any particular period because, quite understandably, organizations are reluctant to admit to a breach, particularly when it relates to their customers' personal data. In some instances, when an organization has admitted to a breach, the announcement was made weeks or months after the event. The GDPR ends that practice: the 72-hour clock starts when the breach is detected, and where the breach is likely to result in a high risk to individuals' rights and freedoms, the affected individuals must also be notified without undue delay.
Accuracy
Do you have a single source of truth? The accuracy (or inaccuracy) of management information and data used in analysis has long been a source of contention for business intelligence professionals. Accuracy is no longer a "nice to have" feature. The GDPR brings the data quality of personal information into the realm of compliance, and this aligns with the individual's right to rectification. Accuracy is a relative term and at times hard to measure; it is perhaps more important to identify inaccurate or misleading information and manage the accuracy of individuals' personal data through a series of steps:
- Verify the source of the data
- Validate the accuracy of personal data you obtain
- Employ processes to accept challenges to accuracy and apply changes where necessary
Purpose Limitation
Under the GDPR, your organization may use personal data only for the original, stated purpose, and you must have a lawful basis for that processing (such as consent, performance of a contract, or a legitimate interest). There are two parts to this principle:
Purpose specification. Data must be collected for specified, explicit, and legitimate purposes only. If your company sells floor tiles, you have a legitimate purpose in storing clients' names and contact details for administering their accounts and deliveries. You don't, however, have any legitimate purpose to collect their health data.
Compatible use. Data must be processed in a way that is compatible with those purposes. This is about transparency and lawfulness in how an individual's data is processed by your organization. You should be clear about how your customers' data will be processed and not deviate from that in a way that is incompatible with your original purpose.
Getting and Staying Compliant
In Part 3 in this series, we'll look at one data-focused technology enterprises are using to become (and remain) compliant with the GDPR.
Rod Welch is a BI consultant with the breadth and depth of experience gained from over 15 years in the BI environment from agile requirements gathering and dimensional modeling to ETL programming. In addition, he has a keen interest in agile and automated data warehouse development and the move to cloud storage. He is currently contracted to a U.K. insurance company to assess the impact of -- and define the detailed requirements for -- implementing GDPR. You can contact the author via email or via LinkedIn.