The General Data Protection Regulation (GDPR) marks a Big Change for countries holding and handling data about EU citizens. Or does it? I suggest that GDPR, although important, and requiring organisations to take action, is actually just the latest in a long line of efforts by regulators to ensure that organisations analyse and use personal data responsibly.
A pattern of increasing regulation
If you look back, it is possible to see a pattern emerging from the recent string of regulations across financial services and beyond. We have seen increasing levels of regulation, each linked to greater penalties or implications for non-compliance, across regulations like BCBS239 and IFRS-9. The increasing levels of regulation look daunting to any organisation that takes its responsibilities seriously.
The fact that there is a pattern, however, suggests something else. To my mind, all these regulations are driving organisations in the same direction. They are all aiming to improve security, transparency, accountability and fairness. This has two major benefits. The first is a very practical one. The shared focus of all these regulations means that it is entirely possible to tackle multiple problems—and multiple regulatory frameworks—with a single, well-thought-out, technology investment.
The second is perhaps a more philosophical point. These regulations all move organisations towards fairness, security, transparency and so on. It is hard to argue that any of these things is bad, especially not for customers. This means that the organisation that complies early and effectively is building its brand, and positioning itself as the champion of its customers. It also demonstrates that it is expert at what it does. In other words, compliance is a good opportunity to build stronger relationships with customers, on a foundation of trust and reliability.
The place of analytics in compliance
Analytics platforms have a major role to play in helping companies to comply with regulations, not least because analytics is one of the key uses of personal data. But compliant analytics platforms also offer benefits to their users beyond mere compliance. For example, they also provide increased agility, governance and control. Organisations can, therefore, be more responsive to the markets in which they operate, seizing the opportunities and avoiding the threats.
At this stage, we are advising analyst teams (and the business leaders that depend on them) to proactively engage with those tasked with delivering GDPR compliance. Mutual understanding is crucial. Both sides need to understand the location and use of personal data, and the risks of GDPR for the organisation. They also need to know whether there are already suitable privacy statements and legal cover for personal data use, and identify the potential risks of a data breach.
This is, however, above all an opportunity to examine how analytics supports the business now, and how it can do so even more in future. There is huge potential for analytics to add value, and this allows it to be examined strategically, rather than tactically. GDPR, in other words, offers the chance for organisations that manage its compliance well to become ‘best in class’ at working with personal data. The two key questions to consider are:
- What analysis that is already done could be done using anonymised data?
- Where and how do we want to exploit personal data in future, where we are not already doing so?
Anonymised data may sound like the poor relation of personal data, but it holds plenty of potential. For example, looking at trends and benchmarking across industries enables organisations to detect even small-scale fraud relatively quickly, by examining risks and identifying outlying areas and issues.
The tools and techniques now available for analytics are considerably broader than previous generations. They enable use of more unstructured data, including text data. They are also much faster, improving early detection and therefore effective action, and self-learning systems are smarter. Much is possible with anonymised data, but the availability of techniques to analyse a broader range of data also means that organisations need to be careful with their definitions in compliance terms.
A whole-organisation approach
Regulatory and compliance risk is no longer an issue just for analytics. It is a whole-organisation problem, with organisations being liable for non-compliance. Fortunately, platforms are available to enable organisations to look across both the analytics environment, and the business as a whole, and close working between analytical, business and compliance teams is crucial. Compliance with regulation has become a whole-organisation issue, and to my mind, organisations will be better off for that.
More about GDPR and Data Management: White Paper: The General Data Protection Regulation: What It Means and How SAS® Data Management Can Help