We move closer to the implementation of the General Data Protection Regulation (GDPR) in May 2018. SAS colleagues have been writing about its effects, and what actions companies can take to address these issues. Looking at these articles, I found myself reading a story behind these articles.
Kicking off the discussion
Colleagues first started to raise the issue of GDPR back in October and November last year. Ulrike Bergmann, Brad Hathaway and Inge Krogstad were perhaps the first to write about GDPR on the SAS blog.
Ulrike Bergmann provided an introduction to GDPR, and reminded companies that they could not afford to ignore it any longer. Brad Hathaway's article went on to describe how GDPR might affect analytics and data management. He explained that data management was at the heart of the GDPR. GDPR should and would therefore affect how companies handled data, including analytics projects. Like Ulrike, he concluded that any company that did not think so was in for a shock.
Inge Krogstad provided a list of questions that companies would need to be able to answer about the personal data that they held and processed. He emphasized that smooth implementation would depend on companies having a clear view of their data and its uses: this work, he said, would need to start soon.
If Inge’s article was cautious, Dylan Jones was more optimistic. He felt that GDPR offered an opportunity. Companies would have to improve their data governance, and would therefore come to a much better understanding of the data that they held. That, in turn, would enable them to use that data much more intelligently, and get better insights.
By December 2016, specific sectors had started to wake up to the importance of GDPR. Hartmut Schroth, for example, mentioned it as a driver of digitalisation in insurance services. It was only one of several factors, but still influential.
Discussion in 2016 was about raising awareness, whereas in 2017 there has been an explosion of urgency in the posts written by my colleagues. Since the start of February, there have already been six articles about GDPR on the SAS blog, and several more that mentioned it in passing, suggesting its importance is growing in everyone’s minds.
Brad Hathaway was first up, on 1st February, with an article that stated boldly that GDPR was impossible without data management and governance. He cited the speed required to report breaches of the regulation, and the need to assess risk, urging companies to start their thinking immediately or risk non-compliance. Michael Herrmann was next, with a slightly different take on GDPR compliance, but similar urgency. His concern was that companies might hold significant amounts of data of which they were unaware: hidden risks, as he put it. He emphasised that companies needed, and quickly, a tool or application to find all the personal data they held.
Marinette Nyström provided useful advice for companies on GDPR implementation, in an interview with Casper Pedersen, Principal Business Solutions Manager. Their focus was very practical, with advice about identifying personal data, but also about the culture change that might be needed. Jim Harris explored this further, in a blog about what GDPR would mean for data scientists. He pointed out that business analysts and data scientists may need access to information, but that it did not necessarily need to contain the personalised and sensitive elements. These could be encrypted and therefore not visible, without affecting the analysis, but this would require a different way of thinking.
This echoed an earlier blog in which Jim wondered whether it would be possible to be compliant with GDPR, but still open about data. He concluded that this was possible, through good governance of data. Data could remain transparent and visible, but still secure. It is an interesting question, because more and more organisations are moving towards open data, driven by governments around the world.
Dylan Jones provided similarly thoughtful and business-focused articles on compliance. He suggested that companies should not be introducing data management for the sake of compliance with regulation (although this is important), but more because it was good for business. He went on to provide a simple framework for regulatory compliance that would support business needs, focusing on function, flow, form and foster.
Two ways of looking at GDPR
All the above-mentioned articles fall into two main groups. The first is about how to comply, and some advice about where to start, often emphasising the urgency. The second is more philosophical: why data management is necessary, and how it must be considered an opportunity, not a threat, despite the urgency. No matter how you look at it, you still need to start acting now to avoid working at the eleventh hour.