Interview: Jenni Lloyd on Whether the Future of Tech Can Work For Everyone
By Gemma JoyceOct 22nd
Published May 15th 2017
Data is rapidly becoming the lifeblood of the global economy.
In the world of Big Data and artificial intelligence, data represents a new type of economic asset that can offer companies a decisive competitive advantage, as well as damage the reputation and bottom-line of those that remain unsuccessful at ensuring the security and confidentiality of critical corporate and customer data.
Despite the severe repercussions of compromised data security, until recently, the fines for breach of data protection regulations were limited and enforcement actions infrequent.
However, the introduction of a potentially revolutionary European General Data Protection Regulation (GDPR) is likely to transform the way data-driven companies handle customer data by exposing them to the risk of hefty fines and severe penalties in the event of incompliance and data breach.
In this article, I have tried to summarise the implications of GDPR implementation for data-driven companies, as well as the measures businesses can take to ensure the security and privacy of client’s data and avoid the penalties associated with non-compliance.
The General Data Protection Regulation (GDPR) stands out from all existing regulations because of its breadth of client data protection.
From conditions on cross-border data transfer to the need to implement, review, and update adequate technical and organizational measures to protect customer data, the GDPR introduces several new legislative requirements that will significantly impact the way businesses collect, manage, protect, and share both structured and unstructured data.
I have described a few of the most important ones below.
The GDPR subjects data controllers and processors that fail to comply with its requirements to severe consequences. These consequences, contrary to what most people believe, are not just limited to monetary penalties. Instead, they can potentially damage a business’s reputation and bottom-line.
There are three factors that together make the GDPR the most stringent regulation in the European data protection regime.
To avoid the huge fines and severe penalties, businesses need to have complete and mature data governance in place.
From revising the existing contracts in place to getting a buy in from the key people in organizations, businesses will be required to review their entire data process management approach in order to become compliant and mitigate reputational and financial risks.
Taking the following measures can help you ensure your compliance to the new data protection legislation.
Define Personal Client Data — Document what types of personal data your company processes, where it came from, and who you share it with to improve documentation. For example, if you have inaccurate personal data and you have shared with it another organisation, you won’t be able to identify the inaccuracy and report it to your business partner unless you know what personal data you hold. Therefore, begin with a thorough review of your existing database.
Manage Data Streams and Processes — Develop a roadmap to determine your sources for data input, data processing tools, techniques, and methodologies that you use, and how the data you hold is shared with other businesses. Once you have listed all the inputs and outputs, evaluate their compliance to the new regulations, and take adequate measures to ensure good data governance.
Designate a Data Protection Officer — Designate a Data Protection Officer who has the knowledge, support, and authority to assess and mitigate non-compliance risks.
Ensure Swift Response to Withdrawal Requests — Respond to the customers’ requests of consent withdrawal in an efficient manner and update the system to flag that the user has withdrawn consent to prevent further direct marketing.
The new data protection regulations apply to data that allow direct or indirect identification of an individual by anyone. As a result, cookie IDs, online identifiers, device identifiers, and IP addresses are categorized as personal data under the GDPR.
To ensure the security and confidentially of the new defined categories of personal data, businesses can use the following measures:
Adopt a Protection by Design Approach — There are certain ‘protection by design’ techniques that businesses can use to protect the personal data of their customers. These include:
GDPR not only requires businesses to implement a well-built and foolproof infrastructure to collect, store, and process data, but also directs them to continuously review and update the infrastructure. Here are a few ways businesses can ensure their compliance to these new legislations.
Align Data & Analytics Strategy with Policies — Businesses should focus on developing a data and analytics infrastructure that’s controlled, portable, and compliant.
To ensure this, data collection should be purpose driven, i.e. only data that is required to fulfill a specific requirement or purpose should be collected and processed. Data collection should be compliant.
Customers should be provided with a right to object to data collection and processing for direct marketing processed. Data collected with the consent of clients should be kept in self-controlled storage and processed according to all applicable data protection regulations.
Manage Data Lineage — Certain data governance solutions organized by leading tech companies can help businesses streamline their data handling processes and exercise greater control and get improved visibility throughout data lifecycle.
They help businesses adopt a standardized approach to discovering their IT assets and define a common business language to ensure optimal policy and metadata management, create a searchable catalogue of information assets, and develop a point of access and control for data stewardship tasks.
To enhance the compliance of their client data collection and storage processes, businesses should seek assurance from a data protection officer who can inform and advice the business about its obligations pursuant to the regulation, monitor the implementation and application of adequate data protection policies, and ensure optimal training of staff involved in data collection and processing operations.
In addition to this, designating a data protection officer can also help businesses monitor their incoming data streams and how they should be treated.
To ensure their compliance to the GDPR and avoid the severe consequences of non-compliance, businesses are not only required to ensure optimal control and privacy of static batch data, but also develop means to collect, categorise, and process data provided by high-speed data streams.
Data stream management software is a viable solution to this challenge. A data stream manager allows businesses to:
With a data stream manager, Data Protection Officers can define privacy levels, manage user rights, get an insight into how their info is being collected or used, and more.
Manage Data Streams by Data Protection Officers Source:www.datastreams.io
Many of the GDPR’s principles are much the same as the current data protection regulations. Therefore, if your business is operating in compliance to the current law, you can use your current approach to data protection as a starting point to build a new, more robust and secure GDPR-compliant data protection infrastructure.