If you work with data for a living and don’t know about the European General Data Protection Regulation (GDPR), it is time to educate yourself on this hot topic. If you work with European data, you absolutely need to know about the upcoming changes in privacy laws. Seriously, GDPR is the most significant change in data privacy regulation in 20 years. In the United States, we can be oblivious at times getting caught up in our own little bubbles. So, I’m going to burst bubbles and share need to know basics with you. I’ll follow up with more detailed strategic and tactical articles in the coming months.
What is GDPR?
Analytics experts beware, GDPR is a massive data privacy change that is going to shake up a lot of companies…including my teeny tiny one that does work with European customers. This regulation may require huge changes to your current personal data management, analytics and reporting practices. Even simple things like social media data management, customer profiles and mass email are likely going to require extra hoops to jump. Most of the analytics landscape is subject to GDPR requirements.
You’ll soon need a legal basis to justify collection and processing of personal data. Consent must be “freely given, specific, informed, and unambiguous.” This will impact artificial intelligence, reporting, self-service BI, data warehousing, master data management, customer 360 projects, personalization and a myriad of line of business applications.
Unlike privacy laws in other jurisdictions, the GDPR is applicable to organizations of all types and sizes located in and outside the EU. It is due to take effect on May 25, 2018. Although compliance is not a fun topic, GDPR demands your time and attention. Penalties for non-compliance are severe. Your organization can be fined up to 4% of total global annual turnover or €20 million. Do I have your attention now? I hope so.
If your company follows IT best practices or industry standards (PCI DSS, SAN Top 20, ISO 27001, etc.), GDPR shouldn’t be too overwhelming. One way to describe the GDPR is that it simply legislates a lot of common sense data security ideas, especially from the Privacy by Design school of thought: minimize collection of personal data, delete personal data that is no longer necessary, restricts access, and secures data through its entire life-cycle.
I’ll keep this article short and sweet since I just wrote about the GDPR basics, “What Analytics Pros Need to Know about GDPR” for InformationWeek. In that article, I provided tips to get you started. I’ll be sharing more details here soon.
In the Meantime
You’ll need to get executive sponsorship for projects to put new processes in place to record data collection consent, discover, audit, organize, govern, secure and delete data. For business applications and data warehousing processes, deleting personal data is an unusual event that may never have even been considered in the past. Getting GDPR-ready does require a holistic approach with cross-functional expertise, changes to enterprise-wide processes, and possibly acquiring new tools.
To begin preparing for GDPR, read and understand the GDPR regulation. From there, explore GDPR Ebooks, preparation toolkits and other resources that are already widely available if you simply search for them.
If you can’t find detailed information, ask your data and analytics solution vendors for this material. Top analytics vendors have developed guidelines, kits, questionnaires, and sample reports that can expedite your GDPR compliance project tasks. Essentially while you are getting up to speed, be thinking about four key topics.
- Data classification – Know where personal data is stored on your system, especially in unstructured formats in documents, presentations, and spreadsheets. This is critical for both protecting the data and also following through on requests to correct and erase personal data.
- Metadata — With its requirements for limiting data retention, you’ll need basic information on when the data was collected, why it was collected, and its purpose. Personal data residing in IT systems should be periodically reviewed to see whether it needs to be saved for the future
- Governance – With data security by design and default the law, companies should focus on data governance basics. For unstructured data, this should include understanding who is accessing personal data in the corporate file system, who should be authorized to access, and limiting file permission based on employees’ actual roles – i.e., role-based access controls.
- Monitoring — The breach notification requirement places a new burden on data controllers. Under the GDPR, the IT security mantra should “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues.
Here are a few links to free resources to check out. I’ll share more with you as I learn more myself. If you know of an excellent resource, please share it with me. Thanks.
- Official GDPR website http://www.eugdpr.org/
- New GDPR-ISO27k mapping to achieve compliance with the EU General Data Protection Regulation – contributed by the ISO27k Forum
- Nymity specializes in data privacy compliance – preparation intro
Data catalog solutions are fantastic for GDPR. Ask your information management platform vendor about it or check out the strong niche vendors in this space including but not limited to Datawatch, Talend, Informatica, SAS, SAP, IBM, TIBCO, Alation, Waterline Data, Collibra, and OneTrust.
More to come soon…I promise.