GDPR. Am I bothered?
April 2018
There are plenty of articles on how to work towards GDPR compliance. This isn’t one of those.
In the past twelve months, I have witnessed a significant spike in demand for enterprise-wide data governance expertise. Eye-watering potential fines have driven an increased commitment to data governance at board level. The negative business impacts of under-investment are now being appreciated and this may turn out to be a positive long-term effect of GDPR.
At the same time, data exploitation for greater customer insight – whilst maintaining customer trust – is also right at the top of the executive agenda. This arises from pressures such as customer retention, cross-selling, risk measurement and regulations such as Know Your Customer. Government departments and agencies have different objectives of course, but budgetary pressure is placing a greater focus on insight to eliminate fraud and waste.
The environment is therefore ideal to consider solutions which tackle both of these challenges. If GDPR is a looming cloud, it has a silver lining.
Senior executives face a stark choice between tick-box compliance across sprawling legacy data estates and investing in contemporary data platforms that provide greater security, transparency and control of personal data. There is a tremendous opportunity to create new value from integrated personal and behavioural data sets, but more than half the battle with implementing a new customer insight solution comes back to governance: understanding what data is available and creating an accurate, consolidated view of customers – two of the main GDPR challenges.
Technologies such as master data management and micro-services architectures allow organisations to maintain customer data properly and deliver a single customer view in real time. However, they need to be complemented by solutions that allow for analytics at scale in order to deliver depth of customer insight. Some advanced analytical techniques we use at Kainos by their nature require all the data to be in one place – typically a data lake – and traditional Business Intelligence workloads benefit from the same principle. Change Data Capture technology has matured to allow raw data from legacy applications to flow seamlessly into the lake without imposing change or extra load on those systems. Crucially, an enterprise data platform can form a big part of the GDPR answer – for example by surfacing all the line of business applications where data for a particular customer resides.
Regardless of approach, the first significant roadblock to navigate (once the boundaries of GDPR regulated data have been understood) is the determination of where personal data actually resides across the corporate estate today. On a recent GDPR expert panel discussion the consensus view put this at 30-40% of the overall challenge. A wise sage described this as ‘data archaeology’, carefully picking over the foundations of aged platforms and the dried-up bones of old spreadsheets to piece together the story of where personal data has evolved. During this discovery process, archaeologists will come across buried treasures such as system catalogues which can be curated and maintained as artefacts for compliance purposes. It is important to build on these and ensure they are integrated into a data governance operating model.
A key part of the GDPR challenge is proving compliance. That’s where a strong enterprise information management (EIM) technology capability can help support data governance. EIM platforms address concerns such as data lineage, data quality measurement and auditing. A recent survey of data leaders in the UK revealed that EIM tooling is a higher investment priority than any other type of data technology, and it’s easy to understand why. Putting these types of measures in place goes part of the way to proving a ‘path to compliance’ – a common way of mitigating the risk of missing the compliance deadline.
Once you’ve successfully navigated these roadblocks, you will know where your personal data resides, be able to take measures to protect it and assess the impact of a breach. You can query, correct, export or erase it and can prove you are able to – if the data is located and governed properly. This covers a number of GDPR rights such as the right to be forgotten. The remaining personal rights under GDPR relate to how data is processed and to whom it is passed. These issues will impact different organisations in very different ways and have sometimes complex legal implications. Different industry bodies are drawing up guidelines for members and government departments are producing policy for their agencies; we are also waiting on case law to define the meaning of some of the GDPR wording.