GDPR, or the European General Data Protection Regulation, will be upon us in just 15 months’ time. Companies not just in Europe but around the world are preparing for it, because it affects any personal data held about any European customer, no matter where a company is based. But how will GDPR affect analytics and data management?
The heart of GDPR implementation
Data management is at the heart of GDPR implementations. Why? Because it takes encoded local knowledge to help find personal information in IT systems, and therefore where to focus your GDPR efforts. In practice, though, the relationship between data management and GDPR is likely to be more crucial even than that: GDPR implementations quickly lead to the conclusion that data management in its broadest sense is essential to allowing personal data to be controlled effectively.
GDPR is also likely to lead to changes in the way that companies manage data, and run analytics projects. The requirement to protect personal data means that by way of anonymizing data before it can be analyzed. Current regulations, in the UK at least, mean that pseudonymous data is not subject to data protection laws. GDPR means that any unique identifier, whether name or pseudonym, is covered by law, and therefore subject to the same levels of protection. This is likely to have a huge impact on customer profiling, in particular.
And what about the right to withdraw consent, and to ask for details to be erased? This will be a huge headache for some companies. Managing old versions of databases to ensure that all data has been erased when requested will be a real challenge. Multiple versions of data are likely to exist at any given moment, and making sure that these are managed effectively will be hard.
One of the keys to successful GDPR implementation is going to be the data custodian role. This enforced separation between data users and the person with responsibility for ‘keeping’ the data—and therefore ensuring both its quality and that it is up-to-date—is becoming more and more crucial. But just because a job is required in legislation does not make it attractive, or easy to find qualified people to fill this role.
Regulation does not necessarily mean compliance
Just because something is required by law does not necessarily mean that everyone and every organisation complies with either the letter or the spirit of the law. And even if compliance is possible, it can be hard to assess. We have seen this, for example, with governance in the financial sector. While there are a good many requirements, it is not always clear that all banks, insurers and the like are all complying with every last letter of the law.
How exactly compliance with GDPR will look is not entirely clear. The balance between governance and flexibility is, of course, yet to be tested in the courts, which will be the final arbiter in most countries. But what is clear is that there are serious consequences to non-compliance with GDPR. The possibility of fines and compensation requirements is ever-present, and law firms around Europe are gearing up for challenges and litigation. Getting it wrong could be extremely expensive, both financially and to the company’s reputation.
The importance of taking responsibility
What this boils down to is that executives—the entire C-suite— will need to take responsibility for implementing and delivering GDPR. It is not going to be enough to appoint a Chief Data Protection Officer and leave them to manage without back-up and without budget. After all, who would ever agree to take on such a challenge? Instead, there needs to be a change in mindset in businesses: a change in the culture, towards one that supports and promotes data protection, not just because it is required, but because it is the right thing to do for customers.
It is possible, as some commentators have argued, that GDPR will not actually change much. Companies and organizations complying fully and effectively with national data protection laws will probably be doing enough anyway. Why worry about it?
But the possibility of challenge in court, and the consequences of that, are such that any sensible organization should be taking the opportunity to review, revisit, and revise its data management practices. GDPR should be significant for data management and analytics; it should change the way that companies manage data, and how they run analytics projects. And any organization that does not think so may be in for a rude awakening in 15 months’ time.
If you want to learn more about GDPR, what it means for you, what it will take to avoid the complex challenges ahead and where to start, come and join us at Road to Artificial Intelligence. Registrations are open for the events in Milan and Rome.