Winning at GDPR’s greatest challenge: The right to erasure
Surveys show that the greatest compliance challenge of the pending General Data Protection Regulation (GDPR) is Article 17: the Right to Erasure.
The first step for compliance is to locate ALL of the source records for the customer, regardless of nicknames, abbreviations, spelling variations, typos and data quality issues. Many organizations are overly confident in their ability to accomplish this because of past, often massive investments in creating a “single customer view” (SCV) which, in theory, has already identified and linked all the related records for each customer.
The SCV can be implemented on a variety of platforms such as customer relationship management (CRM), master data management (MDM), marketing customer information file (MCIF), customer data platform (CDP) and other data consolidation platforms. In fact, many companies have multiple, conflicting SCV instances because they maintain several such platforms, for example both a CRM and an MDM system. So it’s natural for senior executives to assume that the problem has already been solved and that GDPR compliance should be straightforward on the basis of those systems.
SCV’s GDPR Problem
But all of these current SCV systems share a common problem for GDPR compliance: the business requirements under which their fuzzy match algorithms were originally configured are traditionally skewed to err heavily on the side of “false-negative” match errors (failing to match records from the same person when confidence is low) in order to minimize the risk of any “false-positive” errors (incorrectly matching records from different people).
Configuring the fuzzy match engines of all these platforms is basically the process of determining the appropriate balancing point between false-negative vs. false-positive match errors. The “identity data governance” process of business users and data stewards defining “match success criteria” is driven by assessing the business impact of the various kinds of match errors to identify that point of balance. Then the technical team executes various match fine-tuning test iterations to determine the precise technical configuration of the match engine.
In order to comply with past regulations such as healthcare’s HIPAA, that balance point has necessarily been at the extreme end of false-negatives. That is, “better to allow a million false-negative match errors than risk a single false-positive.”
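The trade-off described above can be made concrete with a small simulation. The following is an added example, not code from the article or from any of the SCV products it mentions: it uses a constructed set of seven source records with nicknames, a typo and an abbreviation, a two-entry nickname table, and Python’s `difflib` ratio as a stand-in for a commercial match engine’s score. `evaluate` counts true-positive, false-positive and false-negative pairs for a given match threshold, and `erasure_outcome` shows what an erasure request keyed on one record would actually find at that threshold, which is the GDPR view of the same configuration choice.

```python
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample source records: (record_id, name_on_record, true_person).
# The third field is ground truth a real organisation would not have;
# it is here only so the error types can be counted.
RECORDS = [
    ("r1", "Robert Smith", "P1"),
    ("r2", "Bob Smith", "P1"),        # nickname
    ("r3", "Rob Smtih", "P1"),        # nickname plus typo
    ("r4", "Roberta Smith", "P2"),    # different person, near-identical name
    ("r5", "Robert Smithson", "P3"),  # different person, shared prefix
    ("r6", "Jane Doe", "P4"),
    ("r7", "J. Doe", "P4"),           # abbreviated first name
]

# Tiny constructed nickname table; a real engine carries thousands of entries.
NICKNAMES = {"bob": "robert", "rob": "robert"}

def normalize(name):
    """Lower-case, drop punctuation, expand known nicknames."""
    tokens = name.lower().replace(".", "").split()
    return " ".join(NICKNAMES.get(t, t) for t in tokens)

def similarity(a, b):
    """Stand-in fuzzy score in [0, 1]; commercial engines use richer scoring."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def evaluate(threshold, records=RECORDS):
    """Count pairwise outcomes when pairs scoring >= threshold are linked."""
    tp = fp = fn = 0
    for (_, name_a, person_a), (_, name_b, person_b) in combinations(records, 2):
        linked = similarity(name_a, name_b) >= threshold
        same_person = person_a == person_b
        if linked and same_person:
            tp += 1
        elif linked and not same_person:
            fp += 1   # wrongly merged: the error HIPAA-era tuning avoids
        elif same_person:
            fn += 1   # wrongly kept apart: the error GDPR erasure punishes
    return {"threshold": threshold, "true_positive": tp,
            "false_positive": fp, "false_negative": fn}

def sweep(thresholds=(1.0, 0.9, 0.8, 0.7, 0.6, 0.0), records=RECORDS):
    """Error counts across thresholds, from strictest to loosest."""
    return [evaluate(t, records) for t in thresholds]

def records_found(threshold, seed_id, records=RECORDS):
    """Records reachable from seed_id through chains of matches at this
    threshold, i.e. what an erasure request keyed on seed_id would locate."""
    names = {rid: name for rid, name, _ in records}
    found, frontier = {seed_id}, [seed_id]
    while frontier:
        current = frontier.pop()
        for rid in names:
            if rid not in found and similarity(names[current], names[rid]) >= threshold:
                found.add(rid)
                frontier.append(rid)
    return found

def erasure_outcome(threshold, seed_id, records=RECORDS):
    """Same-person records left behind (missed) and other people's records
    swept in (wrongly_erased) for an erasure request keyed on seed_id."""
    person = {rid: p for rid, _, p in records}
    found = records_found(threshold, seed_id, records)
    target = person[seed_id]
    missed = {rid for rid in person if person[rid] == target and rid not in found}
    wrongly_erased = {rid for rid in found if person[rid] != target}
    return missed, wrongly_erased

if __name__ == "__main__":
    for row in sweep():
        print(row)
    for t in (1.0, 0.8, 0.0):
        print(t, erasure_outcome(t, "r1"))
```

Running the sweep shows the two error counts moving in opposite directions as the threshold is relaxed: at a threshold of 1.0 only exact normalized matches link, so no record of a different person is ever merged but the typo record and the abbreviated record stay orphaned; at 0.0 everything links and nothing is missed, but every other person’s records would be erased along with the requester’s. The “right” threshold is whichever of those costs the organisation has decided it can bear, which is exactly the decision GDPR changes.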
GDPR Moves the Match Goalposts
But the business requirements for GDPR compliance differ significantly from those of traditional SCV fuzzy matching. Conceptually, GDPR “moves the match goalposts” to the other end of the spectrum by imposing tremendous penalties for right to erasure failures. It is not acceptable to erase “most” of a customer’s records: you must reliably erase ALL of a customer’s records.
GDPR dramatically increases the business impact of false-negative errors. No longer is the business impact limited to minor problems such as some contacts receiving duplicate mailings. With GDPR there can now be hefty fines associated with those errors.
You Can’t Erase What You Can’t Find
It’s easy to get people to agree conceptually with the point that one can’t erase what one can’t find. However, it’s also natural for people to rigorously defend the success of past CRM, MDM and other SCV projects. The temptation is very strong for people to underestimate and dismiss the scope of the risk faced by the organization.
CRM vs MDM SCV Match Conflicts: Deeper than Total Customer Counts
A simple test of these risk assumptions is to ask how many total customers are reported by your CRM platform versus your MDM platform. Those numbers likely differ, and often differ substantially. Even small differences in total customer counts hide surprisingly extensive match conflicts, especially for “wealth management” and other VIP customer segments, which have more records and more data quality complexity, and thus a greater risk of operational, analytics, marketing and compliance failures (KYC, HIPAA, GDPR, etc.).
For example, a 2 percent total customer count difference was found to be the net result of match conflicts impacting over 25 percent of source records.
The next question should then be how the total false-positive errors compare between the two systems. Those numbers may not even be tracked by your organization at present. In other words, a massive area of risk is not even being monitored. News of this oversight will immediately raise the alarm amongst your organization’s governance, risk and compliance (GRC) team.
Governance, Risk and Compliance (GRC) Colleagues can Help
The good news is that you have a number of colleagues who can help, specifically in the field of governance, risk and compliance, with titles such as chief privacy officer, chief internal auditor, chief compliance officer, chief counsel and data protection officer (a new position required by GDPR for large organizations). These people are empowered with the authority and budgets to elevate your GDPR risk analysis to the appropriate level.
Audits Are Your Friend
One of the most important steps an organization can take is to do a “GDPR gap analysis” of the false-negative errors for its current SCV platforms. Even rough order of magnitude (ROM) metrics can provide key information, such as whether the level of risk is on the order of just a few thousand records or of millions. Those metrics can then be used to more effectively prioritize and allocate your GDPR compliance resources.
For example, in just a couple of days an in-depth comparison of your CRM vs MDM match conflicts can generate detailed conflict metrics that give a strong indication of the degree of potential false-negative errors. That kind of analysis can often be done without accessing personally identifiable information (PII), and so avoids the legal and administrative delays typically encountered when requesting access to PII.
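The customer-count comparison from the earlier section and the CRM vs MDM conflict analysis described here can both be run from the same two exports. The following is an added example, not code from the article or from any CRM or MDM product: it assumes each platform can export a mapping from its source record key to the customer (golden record) id it assigned, which carries no names or other PII, and that both export jobs share a secret so the source keys can be replaced with keyed-hash tokens before the files leave the platforms. The CRM and MDM assignments below are constructed, as is the export key. `compare` reports the total customer counts, the relative difference between them, and the share of records the two platforms cluster differently, split by whether the MDM merged more records together than the CRM or kept apart records the CRM had merged.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed cluster assignments as each platform would export them:
# source record key -> that platform's customer (golden record) id.
# No names, addresses or other PII are needed for the comparison.
CRM = {"r1": "C1", "r2": "C1", "r3": "C2", "r4": "C3", "r5": "C3",
       "r6": "C4", "r7": "C5", "r8": "C5", "r9": "C6", "r10": "C7",
       "r11": "C8", "r12": "C8"}
MDM = {"r1": "M1", "r2": "M1", "r3": "M1", "r4": "M2", "r5": "M3",
       "r6": "M4", "r7": "M5", "r8": "M5", "r9": "M6", "r10": "M7",
       "r11": "M8", "r12": "M9"}

# Constructed secret shared only by the two export jobs (assumption: in
# practice it lives in a secrets store, not in the script).
EXPORT_KEY = b"constructed-export-key-rotate-me"

def pseudonymize(record_key, key=EXPORT_KEY):
    """Keyed hash of the source key: both exports join on the same token, but
    the token cannot be mapped back to the source key without the secret."""
    return hmac.new(key, record_key.encode(), hashlib.sha256).hexdigest()[:16]

def export_clusters(assignment, key=EXPORT_KEY):
    """Replace source keys with tokens; cluster ids are already surrogate."""
    return {pseudonymize(rid, key): cid for rid, cid in assignment.items()}

def members_by_record(assignment):
    """Map each record to the frozenset of records its platform groups with it."""
    clusters = defaultdict(set)
    for rid, cid in assignment.items():
        clusters[cid].add(rid)
    return {rid: frozenset(clusters[cid]) for rid, cid in assignment.items()}

def compare(crm, mdm):
    """Customer counts plus, record by record, where the two platforms disagree."""
    crm_members, mdm_members = members_by_record(crm), members_by_record(mdm)
    shared = set(crm_members) & set(mdm_members)
    conflicts = {"mdm_merged": [], "mdm_split": [], "overlap": []}
    for rid in sorted(shared):
        a, b = crm_members[rid], mdm_members[rid]
        if a == b:
            continue
        if a < b:          # MDM grouped more records with it than CRM did
            conflicts["mdm_merged"].append(rid)
        elif b < a:        # MDM kept apart records CRM had merged
            conflicts["mdm_split"].append(rid)
        else:              # partial overlap: disagreement in both directions
            conflicts["overlap"].append(rid)
    n_conflict = sum(len(v) for v in conflicts.values())
    crm_total, mdm_total = len(set(crm.values())), len(set(mdm.values()))
    return {
        "crm_customers": crm_total,
        "mdm_customers": mdm_total,
        "customer_count_diff_pct": round(100 * abs(crm_total - mdm_total) / crm_total, 1),
        "records_compared": len(shared),
        "records_in_one_platform_only": len(set(crm_members) ^ set(mdm_members)),
        "conflicting_records": n_conflict,
        "conflicting_records_pct": round(100 * n_conflict / len(shared), 1),
        "conflicts": conflicts,
    }

def run_sample():
    """Compare the constructed exports after pseudonymization."""
    return compare(export_clusters(CRM), export_clusters(MDM))

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

On the constructed data the two platforms report 8 and 9 customers, a 12.5 percent difference, while 7 of the 12 records (58.3 percent) sit in clusters the platforms disagree about; the headline count hides most of the conflict, which is the point the article makes about real deployments. Every record in `mdm_split` or `mdm_merged` is a candidate false negative in one platform or a candidate false positive in the other, so the lists are the starting point for the ROM sizing of the gap, and they can be produced and reviewed without anyone outside the platforms seeing PII.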
The resulting GDPR gap analysis framework also provides a reusable infrastructure to evaluate any reconfiguration that may be required of your current SCV match platforms to create a “GDPR identity hub” and enable more reliable compliance, while also demonstrating appropriate due diligence to the ICO for any future compliance audits it might conduct at your organization.