GDPR presents perfect opportunity to rethink data architecture
A lot of ink has been spilled on the General Data Protection Regulation that went into effect in the European Union on May 25. But despite two years of build-up to the event, a majority of organizations were still not prepared for the new data privacy mandate when it went into effect, according to most surveys.
For organizations still wrestling with compliance, the law has broad implications: it affects data practices, customer relations, and, of course, IT departments.
GDPR imposes requirements on companies when collecting, maintaining, and using personal data and will empower EU citizens in some of the following ways:
- Right of Access & Data Portability – Individuals may request and view the data a company holds on them (including derived data compiled on behavior and engagement) in a portable format, so that it can be transferred from one company to another.
- Right to Be Forgotten – Individuals may request the removal of personal data including profile, transactional history, or simply their digital trail.
- Privacy by Design – Companies must implement privacy by design in their systems and do their utmost to protect personal data.
- Data Breach Notification – A company may have to notify the applicable EU country’s designated Data Protection Authority within 72 hours of discovering a data breach and inform data subjects.
Here are just a few questions that enterprises who want to adhere to GDPR must answer:
- Do I know where my customers’ personal data resides in my systems and do I have access to all of it?
- Can I retrieve an individual’s information and present it in a timely fashion?
- If necessary, am I able to support a request for the “Right to Be Forgotten”?
- What adjustments do I have to make to support all of the above?
Every company needs to assess the impact of GDPR on its data architecture, its visibility over its customers’ personal data, and the security, privacy and integrity of that data.
A Seven Point Data Assessment for GDPR Readiness
There are seven key areas to consider in looking at one’s data architecture:
- Identify data assets by tracking data stores and their respective schemas, definitions, types, sizes, and inter-dependencies. Customer data can be in various places including direct customer data and respective transaction history in relational databases, archived records in an enterprise data warehouse, and ancillary behavioral data in Distributed File System stores (e.g., Hadoop, Cloud Storage such as S3, etc.).
- Identify external data sources. If you use third-party data to enrich existing customer data, you need to consider the data flow and how the data is used internally. Attributes that enrich an individual’s profile (demographics, psychographics, etc.) are considered part of personal information and fall under the “Right of Access” and “Data Portability” use cases.
- Analyze data flow and lineage. Review the overall data flow and lineage to ascertain where customer data lies, especially the primary customer identifiers and sensitive personally identifiable data. Review where all personally identifiable data flows, and whether any of it flows out to applications (home-grown or SaaS, such as email marketing), analytics tools, or other data stores. Deleting large volumes of consumer records could affect your insights and reporting, so to assess that impact you need to identify any analytics, BI, and/or reporting systems and their respective users.
- Unify and simplify access. Conduct an access review to determine whether all data is available for near real-time response to data export or “Right to Be Forgotten” requests. If you are unable to create a unified and simplified view, you will have to perform multiple sequences of operations on different data stores. Identify the sequences needed, along with the respective schema details, as this will help you later when you have a unified layer of access.
- Create a metadata layer. Customer and prospect data may be spread across data stores, from transaction databases to marketing systems, under your control or through SaaS applications. You need to create a metadata layer to help abstract the different data sets and apply the proper restrictions to those considered personally identifiable data.
- Enable data export and deletes. Anticipate requests for the rapid turn-around of data exports and deletes. By undertaking the previous steps, you can execute the necessary queries that will retrieve a customer’s data and safely provide it. Deletes will be harder to execute. While the regulation does not dictate how a deletion is done, you will have to evaluate the different approaches such as a hard delete, garbling out that customer information, or simply anonymizing it.
- Review data retention policies. While it is clear that you cannot delete a customer, you have to consider your company’s data retention policies and how to perform the corresponding deletion requests. With a metadata layer in place, you can tag and identify data sets that are governed by such policies and need special handling.
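As an added illustration of the metadata-layer, export/delete and retention points above (not code from the original article), the following Python example drives both an export and an erasure request from one catalog. The store names, fields, and the `erase` and `retention` tags are hypothetical, and the rows are constructed sample data.

```python
import json

# Constructed metadata layer; store names, fields and tags are assumptions.
CATALOG = [
    {"store": "crm_db", "dataset": "customers", "key": "customer_id",
     "pii": ["name", "email"], "erase": "hard_delete", "retention": None},
    {"store": "warehouse", "dataset": "orders", "key": "customer_id",
     "pii": ["ship_address"], "erase": "anonymize", "retention": None},
    {"store": "warehouse", "dataset": "invoices", "key": "customer_id",
     "pii": ["billing_name"], "erase": "hard_delete", "retention": "tax_records"},
]

def sample_stores():
    """Constructed sample rows standing in for the real data stores."""
    return {
        "crm_db": {"customers": [
            {"customer_id": 7, "name": "A. Example", "email": "a@example.org"},
            {"customer_id": 8, "name": "B. Example", "email": "b@example.org"}]},
        "warehouse": {
            "orders": [{"customer_id": 7, "ship_address": "1 Test St", "total": 30}],
            "invoices": [{"customer_id": 7, "billing_name": "A. Example", "amount": 30}]},
    }

def export_subject(catalog, stores, subject_id):
    """Right of access / portability: gather every catalogued row as JSON."""
    found = {}
    for e in catalog:
        rows = [r for r in stores[e["store"]][e["dataset"]] if r[e["key"]] == subject_id]
        if rows:
            found[f'{e["store"]}.{e["dataset"]}'] = rows
    return json.dumps(found, sort_keys=True)

def erase_subject(catalog, stores, subject_id):
    """Right to be forgotten: apply each data set's tagged strategy, return an audit log."""
    audit = []
    for e in catalog:
        table = stores[e["store"]][e["dataset"]]
        hits = [r for r in table if r[e["key"]] == subject_id]
        if e["retention"]:                      # governed by a retention policy
            action = f'retained:{e["retention"]}'
        elif e["erase"] == "hard_delete":
            table[:] = [r for r in table if r[e["key"]] != subject_id]
            action = "hard_delete"
        else:                                   # anonymize: keep the row for reporting
            for r in hits:                      # null the PII fields and the identifier
                r.update({f: None for f in e["pii"] + [e["key"]]})
            action = "anonymize"
        audit.append((f'{e["store"]}.{e["dataset"]}', action, len(hits)))
    return audit
```

The audit log returned by `erase_subject` records which data sets were skipped because of a retention tag, so those rows can be routed to whatever special handling the policy requires.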
While GDPR might look like an incredible challenge, it truly creates an opportunity to rethink and modernize the enterprise data architecture, especially in the wake of cloud and big data adoption, by unifying the view of, or access to, data assets and enforcing stricter guidelines for data protection.