Empowering the right employees to maintain GDPR compliance
Unless you live off the grid, you have probably recently received a flood of notifications from companies worldwide about updates to their privacy policies. These are the result of the launch of Europe’s new personal data privacy rules, the General Data Protection Regulation.
The high-level goals of GDPR are things that most companies would support in the abstract, notably privacy controls for customers, and a single clear set of government policies for sharing data across European countries. Like it or not, GDPR is critical for most companies: the penalties for being out of compliance can be enormous.
Now that the date for policy announcements has passed, the ongoing work begins: companies must make sure they are “walking the walk” with respect to data privacy.
As any company with a significant customer base knows, this is a complex and expensive undertaking. The responsibility to manage personal data in a compliant manner spans numerous tasks, including discovering where Personally Identifiable Information (PII) actually exists in your data, transforming data for GDPR compliance (e.g. via masking, pseudonymization or encryption), identifying all “flows” of the raw PII data into downstream processes, and assessing whether those processes violate the principles of the regulation.
Achieving and maintaining the goals of GDPR requires more than changes to software; it also requires appropriate alignment with people and processes.
In our experience, compliance is best achieved organizationally via a balanced collaboration between your domain experts (who understand your customer data) and the maintainers of your central data governance function (who understand your data stores and data pipelines).
To that end we recommend two important best practices to help your organization get on the road to maintaining GDPR compliance.
Enlist your domain experts to get the right eyes on the right data
PII can vary widely in its representation across use cases: customer IDs, web cookies, avatars, and so on. Software can help surface certain PII automatically, but in many cases only a human who understands how the data is used in your organization can say whether a particular string of digits or letters is a personal identifier.
The key here is to empower the people who know the data best to assess it and transform it as needed for compliance. This is a task that may be best handled outside of your core IT organization.
Establish governed flows on data going forward
Most sizable organizations have IT staff who oversee the governance of data across many users. These people need to be empowered to see what data is being accessed, how it is being used and prepared for GDPR compliance, and where it is flowing.
To make this possible, it is important to identify and remove isolated desktop data tools and the dangerous practice of potentially sensitive data “replicating like bunnies” into laptops and private servers.
Legacy spreadsheet software is often the most common example of this phenomenon, but standalone tools for data preparation and analytics can also cause trouble. The activities traditionally done on these tools should be shifted to newer solutions that work on centralized, managed data stores, respect centralized access control, and provide centrally visible monitoring and auditing.
Robust data preparation solutions should balance the needs of self-service and governance. They should make data preparation simple and intuitive for domain experts, while giving IT staff strong administrative oversight of data content and usage. They should avoid data replication in storage: data needs to remain in its “native habitat” in file storage systems or databases, governed by the access control policies already enforced on those systems.
This combination of considerations, end-user self-service and centralized governance, makes data preparation platforms a natural fit for companies that want to go beyond public privacy announcements and get their business on track with the ongoing requirements of GDPR.