GDPR is almost here. After years of discussion, negotiation and preparation, the General Data Protection Regulation goes into effect on May 25, 2018. So … are you ready?
Compliance chiefs should already know all there is to know about GDPR, but that’s not the only issue. This is such a broad mandate that it requires the participation of multiple constituents within each organization doing business in or with the European Union. So for the uninitiated (and that’s hopefully a small number), here’s a quick topline view.
GDPR seeks to give individuals in the EU control over their personal data. It protects data subjects in the Union regardless of citizenship, and it reaches organizations outside the EU that offer those individuals goods or services or monitor their behaviour. It replaces the Data Protection Directive of 1995, a couple of decades and many digital generations ago. It restricts transfers of personal data outside the EU, and because it is a regulation rather than a directive, it applies directly in every member state without national enabling legislation.
By now, most organizations have likely identified the process changes they need to ensure compliance (if not, you had better hurry). The goal now is a quick look back: have all the necessary boxes been checked, or are some remedial measures necessary? And that gets us to the most important question: What comes next?
First, GDPR is a welcome reminder that compliance only comes with a high level of awareness and a comprehensive data management strategy. Many companies have their data scattered across multiple networks and lines of business, and the only way to keep up is to inventory and collate personal data from internal, external and third-party sources.
If that sounds overwhelming, here’s just a sampling of what is required:
• Identifying all systems that store or process customer data, including logs, backups and analytics copies
• Reconciling different types and formats of data into a single customer view
• Understanding data ownership and which team is accountable for each data set
• Identifying data shared outside the organization, and the processors that receive it
• Maintaining data lineage across all customer attributes, from source system to every downstream consumer
• Managing different types of consent, their sources, and the purposes they cover
• Providing customers a way to make data subject requests (access, rectification, erasure, portability)
• Deploying processes that fulfil access, change and deletion requests within the statutory one-month window
• Putting a mechanism in place for notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it
To be clear, that is only a quick sample of requirements; the real design depends on your business. Going just one level deeper, it means correlating omnichannel transactions to customer master records and understanding, for example, how each customer is related to other members of a particular household, and whether those household members have consented to their data being used and for what purpose. It also requires maintaining data lineage back to the source and forward to downstream applications, so that for any customer profile attribute you know where it came from and which applications hold a copy. That lineage is what makes the right to be forgotten workable: under GDPR, individuals are entitled to erasure, which means that at their request every copy of their information must be purged, including legacy transaction data that may reside in activity logs, a place many inventories overlook. The right is not unconditional, though. Article 17 exempts data an organization is legally obliged to retain (tax and accounting records, for example), so the erasure process has to record what was kept and on what basis, not just what was deleted. In sum, this mandates a comprehensive customer profile with a 360-degree view that can accommodate data-change requests and the ability to generate compliance reports fast.
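One way to turn the lineage and erasure requirements above into something checkable is to drive the erasure request from the lineage registry itself, so that every system holding a copy of an attribute is enumerated rather than remembered. The following is an added illustration, not code from the original article or from any product it describes; the system names (crm, mdm, marketing, billing, activity_log), the attribute names and the retention obligation are all constructed for the example.

```python
"""Lineage-driven erasure planning for a right-to-be-forgotten request.

Added example with constructed data. It shows three things the prose
describes but cannot demonstrate: every copy of an attribute is found by
walking lineage (source plus all downstream consumers, activity logs
included); systems under a legal retention obligation are reported as
retained instead of being silently skipped; and an attribute with no
lineage record is surfaced as a gap rather than quietly ignored.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    name: str
    source: str                # system of record the attribute came from
    consumers: frozenset       # downstream systems that received copies


# Constructed lineage registry; system and attribute names are hypothetical.
LINEAGE = {
    "email": Attribute("email", source="crm",
                       consumers=frozenset({"marketing", "billing", "activity_log"})),
    "household_id": Attribute("household_id", source="mdm",
                              consumers=frozenset({"marketing"})),
    "payment_token": Attribute("payment_token", source="billing",
                               consumers=frozenset({"activity_log"})),
}

# Systems that must keep data under a legal obligation (the Article 17(3)(b)
# exemption). Hypothetical mapping of system -> basis for retention.
RETENTION_OBLIGATIONS = {"billing": "tax/accounting records"}


def erasure_plan(attributes, lineage=LINEAGE, retention=RETENTION_OBLIGATIONS):
    """Return (purge, retained, unknown) for an erasure request.

    purge    -- {system: {attribute, ...}} copies that must be deleted
    retained -- {system: {attribute, ...}} copies kept under legal obligation
    unknown  -- attributes with no lineage record; these are compliance gaps
    """
    purge, retained, unknown = {}, {}, []
    for name in attributes:
        attr = lineage.get(name)
        if attr is None:
            unknown.append(name)
            continue
        # Walk source and every downstream consumer, so logs are not missed.
        for system in {attr.source, *attr.consumers}:
            bucket = retained if system in retention else purge
            bucket.setdefault(system, set()).add(name)
    return purge, retained, unknown


def erasure_report(attributes, lineage=LINEAGE, retention=RETENTION_OBLIGATIONS):
    """Human-readable record of the plan, suitable for the compliance file."""
    purge, retained, unknown = erasure_plan(attributes, lineage, retention)
    lines = [f"purge {sorted(attrs)} from {system}" for system, attrs in sorted(purge.items())]
    lines += [f"retain {sorted(attrs)} in {system} ({retention[system]})"
              for system, attrs in sorted(retained.items())]
    lines += [f"GAP: no lineage for {name}" for name in unknown]
    return lines


if __name__ == "__main__":
    # Constructed request: two known attributes and one the registry has never seen.
    for line in erasure_report(["email", "payment_token", "nickname"]):
        print(line)
```

The important design choice is that the plan is derived from the same registry the lineage requirement already forces you to maintain, so a new downstream consumer added to the registry is automatically included in the next erasure request, and an attribute the registry does not know about fails loudly instead of leaving a copy behind.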