GDPR, The Right to Be Forgotten, and Data Management

By Jake Freivald | June 29, 2017
in data management, GDPR, omni-gen
The EU's far-reaching General Data Protection Regulation is now less than eleven months from full implementation (May 25, 2018). The ticking from that clock is extremely loud. GDPR brings with it a host of responsibilities and liabilities -- some of which, fortunately, can be mitigated using good data management practices.
 
(If you're unfamiliar with the operational impact of GDPR, I recommend this very clear and helpful series of ten blog posts by the International Association of Privacy Professionals.)
 
In my last blog post, I talked about the right to data portability. This post deals with the right to be forgotten, often abbreviated RTBF. As with last time, I'll address the manual process that many companies (what the law calls “controllers”) will be tempted to use, and then discuss why companies might be better served with data management solutions to handle those scenarios.
 

The Right to Be Forgotten (RTBF)

The GDPR states that a customer or employee can demand that all personally identifiable information about him be eliminated from the company. (Information that’s not personally identifiable may still be used by your organization, potentially.)
 

The Manual Approach

The right to be forgotten requires data stewards to check every single system where customer or employee data might be held.
 
Picture what an individual data steward would need to do to comply.
  • She'll open the application and search for records with the individual's identifiers (name, customer or employee number, etc.). 
  • She'll take a screen capture of any records she finds -- and possibly many screen captures, if there are multiple possibilities for a given customer or employee. (Is Jean Valjean the same person as Jean J. Valjean? Is Mohamed Al-Ghamdi the same person as Muhammad Al-Ghamdi?)
  • She'll identify the record or records that relate to the requester and delete them.
  • She'll take a screen capture showing that the requester no longer appears in search results.
  • Finally, she'll forward these screen captures to a central location, perhaps to a privacy officer, as verification that the records were deleted.
And this is just for one system. The privacy officer will need to ensure that every possible system related to the customer or employee is checked, records deleted, and evidence presented. Then, and only then, will the case be closed.
 

Using Data Management Technologies

Master data management (MDM) technology can help solve this kind of problem. By defining rules that connect data from different systems together, MDM can provide a single view of every customer or employee (along with any other business entities that might interest you).
 
If a data steward figures out one time that Jean Valjean from the CRM application is jvaljean on Twitter, she can permanently make that connection, making it easy to retrieve all of his information from that point forward. Once she sees that Mohamed Al-Ghamdi is the same person as Muhammad Al-Ghamdi, nobody else needs to figure that out ever again.
 
For data portability, this single view helped create datasets for delivery to the requester; similarly, for RTBF, it helps find every record that must be deleted to comply with the request, and generate the proof that the request has been complied with.
 

Information Builders Technology

Omni-Gen is a data management platform from Information Builders that includes data integration, data cleansing, and master data management technology. It enables information about employees and customers to be correlated across multiple systems with relative ease, making it possible to see precisely which systems contain information that needs to be deleted. Definitions of what customer and employee information is relevant can change quickly, too, and Omni-Gen helps organizations adapt to that.
 
Moreover, Omni-Gen captures the provenance of the data sources within the master data management (MDM) repository, making it completely auditable. Processes can be created that verify that the original records are no longer in the relevant databases or have been anonymized.
 
In addition, the WebFOCUS business intelligence (BI) and analytics platform can access virtually any information system, which allows users to go to one place to identify, search for, and remove records related to any requester when their data may be hard to find or correlate in any other way.
 

Bonus

Though you might build it to comply with GDPR -- or you might finally get buy-in from executives because of the looming legal deadline -- you can see many other benefits from achieving a single view of your customers and employees, such as improved customer service, better targeted marketing, and churn avoidance.
 
The same technology, data, and processes needed to comply with GDPR can help your business meet other needs, too – and forward-looking companies will use the data management capabilities they had to put in for GDPR to help them achieve those goals.
 
Stay tuned for more. While you’re waiting, tell us what you think in the comments.