The EU General Data Protection Regulation (GDPR) is the most important, and most discussed, change in data privacy regulation in 20 years. Searching for “GDPR” on Google yields 13 million results — six times as many as “artificial intelligence.”
It’s no surprise that GDPR is such a hot topic given some of its primary elements (and their potential impact):
- Broad jurisdiction: applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides – so American companies, you are not off the hook
- Strong penalties: breaches can cost companies up 20 million Euros or up to 4 percent of their annual global turnover
- Strengthened consent: Consent from data subjects must be given with a clear written purpose for the user to sign off on, and can be easily reversed
- Breach notification: Any data breach that is deemed to be significant must be reported within 72 hours of its discovery
GDPR is complex and important in many ways, and all data management professionals should have a basic understanding of its implications. Because of this complexity, there is no one-size-fits-all solution for companies affected by the regulation. Many companies will fill in gaps by hiring more people focused on compliance, but this won’t scale. Instead, organizations should adopt open, best-of-breed technology that fills these gaps and enables them to manage their data for compliance today and in the future.
A DataOps approach to GDPR
GDPR puts pressure on both ends of the data engineering stack. From the top of the stack, companies need to control and monitor access to customer/employee personal data in all of its many forms. And from the bottom of the stack, more data is captured and stored than ever before — some aggregated, much of it not, and a lot of it you don’t even realize you are capturing.
The five technologies that organizations embracing DataOps for next generation data management should consider as part of their GDPR strategy are: consent management, access management, data unification, compliance management and communication.
Consent Management is an important part of the solution because the consent provisions in the GDPR (as well as other regulations) will put increased risks and liability on ensuring appropriate consent from customers.
- Consent Tracking – manage, track, and demonstrate the appropriate consent from customers and data subjects; it acts as a specific type of mapping tools for the screens and back ends of company’s apps
- Privacy Assessment – provide organizations with extensive and automated information on the latest privacy laws around the world and help them comply accordingly
UK-based Consentric and Pennsylvania-based PrivacyCheq offers IT solutions to provide digital management of personal data consents with machine-readable API and human interfaces for managing data consents based on what (data), who (has access) and why (purpose) dimensions.
Access Management helps a company comply with regulations by controlling when, who and at what level of detail certain sensitive data can be accessed.
- Access Control and Monitoring – controlling and monitoring solutions on who has access to personal data and when it is being accessed, modified or processed. Log of access record can be used for audit purpose
- De-identification/Pseudonymity – helps mask sensitive data so it can be used in data sharing, data science, analytics or research without compromising data privacy
Data Unification answers the simple but challenging question: where is my customer’s personal data?
- Data Discovery and Mapping – using automated processes to discover where relevant data is located and classify the data into different categories (whether they are sensitive or potentially risky), from structured and unstructured sources
- Data Unification and Feedback – integrate and consolidate data sources to create a 360° view of the data subject without affecting the integrity of data source; once change is identified or requested, relevant database will automatically be updated and logged in an organized manner.
Tamr is the leading solution capable of unifying data across many sources and domains quickly, accurately and cost-effectively. Tamr’s services and patented software combine machine learning with human expertise to efficiently handle complex GDPR data issues at scale.
Compliance Management offers software, templates, assessments and compliance strategies to help improve compliance and accountability in data privacy.
- Compliance Assessment – locates risk and demonstrates compliance for regulations across jurisdictions; demonstrates gaps to help the privacy office leverage improvements across the organization and work with regulators to help improve compliance and accountability
- Incident Response – automates processes after a data breach or specific data subject requests; helps the privacy office manage breach report or customer privacy notification quickly
Toronto based Nymity offers software that allows companies to demonstrate accountability and compliance and to report on the status of a privacy program with quantitative metrics. Other companies such as Kroll, Resilient and Radar offer incident response solutions designed to automate processes after a data breach.
Communication is not directly part of data engineering, but it’s an important component. There are Enterprise Communication Solutions applied on internal communication software that provide secure channels for intra-office and B2B communications to avoid information leaks, digital trail of professional communications or other privacy headaches down the road. And there are Website Scanning Solutions focused on providing website and app scanning solutions – driven by Europe’s cookie rules and maintaining compliance in the ad tech space to make sure that companies are not acquiring cookies or online information automatically without consent in place. Both of these capabilities are important to efficiently maintaining compliance.
Some companies may already have in-house communication solutions. There are still companies that may need solutions like HaloPrivacy, Virtru, and Wickr that can provide secure channels for intra-office and B2B communications; or solutions like Cryptzone offer website scanning solutions
With a plethora of tools and potential huge business implications, it is easy to get overwhelmed. Though there is no one-size-fits-all solution for companies affected, the best way to face this challenge is to find structured ways to address the problem.
GDPR is only the beginning of larger discussions about data protection likely to be followed by other international regulations. At Tamr, we believe proactively building a good data handling practice with the best-of-breed technology solutions will not only help companies face the regulatory challenges, but also help getting better business outcomes.