GDPR, Data Portability, and Data Management
This blog post is for people who are already familiar with the GDPR, the EU’s General Data Protection Regulation. If you’re not familiar with it, you’ll want to read up on it soon – it’s fully in force as of May 25, 2018 (now just slightly less than a year away!) and it will affect companies across the globe.
GDPR brings with it a host of responsibilities and liabilities, some of which can be mitigated using good data management practices. Many companies (what the law calls “controllers”) will be tempted to use manual processes to handle GDPR requests. I’ll talk about those manual processes first, and then discuss why companies might be better served with data management solutions to handle those scenarios.
What follows is in no way comprehensive. Of the many issues raised by GDPR, I’ll focus on three, the first of which will be in this blog post. (The second, called the Right to be Forgotten, is here.)
The Right to Data Portability
The regulation “requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests.” (This specific language comes from a very clear and helpful series of blog posts by the International Association of Privacy Professionals.)
Imagine that Jean Valjean tells your company that he wants to receive all of the data that you have about him in a format that can be consumed by another company. (This is true of employees as well as customers, by the way.)
Getting it done manually
To do this manually, a data steward could go into your CRM application, search by name for Jean Valjean – he’s customer number 24601, of course – extract any data that she finds there, and put it into a spreadsheet. So far, so good.
But customer data can reside in dozens of systems, perhaps hundreds – website databases, customer support databases, marketing automation tools, customer forums, and so on. These systems can also hold different variations of the same customer, with Jean Valjean appearing under the handle jvaljean on your website and listed under the credit card name Jean J. Valjean in your order processing system.
Many different people will need to go to each of these systems, look for all possible variations of Jean Valjean, and extract the data needed for transfer.
Even then, you’re not done. You need to take all of the necessary data from all of those systems and put it into a format that can be transferred to another company. It seems likely that there will be a suitable Excel or CSV file format that will work – but someone now has to massage all of that data and manually put it into that format. This is error-prone, tedious, miserable work: exactly the kind of thing that’s better done by a computer than a person.
Using data management technology
Master data management (MDM) technology is specifically designed to solve this kind of problem. By defining rules that connect data from different systems together, MDM can provide a single view of every customer or employee (along with any other business entities that might interest you). If a data steward figures out one time that Jean Valjean from the CRM application is jvaljean on Twitter, she can permanently make that connection, making it easy to retrieve all of his information from that point forward.
With an MDM system in place, you can see data about every customer or employee in one place. If they ask you to give this data to them in a spreadsheet, you can verify that the information you have is correct, export to that format, and send it to them. The amount of manual effort is minimized, and so is the number of errors that you might otherwise make.
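As an added illustration (not code from the original post or from any MDM product), the Python below keeps a table of steward-confirmed links and exports every linked record for one data subject to CSV, next to the name search a manual process would rely on. The system names, field names, e-mail addresses and the master ID `M-1` are constructed for this example.

```python
import csv
import io

# Constructed sample data: system names, fields and values are illustrative only.
SOURCES = {
    "crm": [
        {"id": "24601", "name": "Jean Valjean", "email": "jv@example.org"},
        {"id": "24602", "name": "Jean Valjeant", "email": "other@example.org"},  # different customer, never linked
    ],
    "website": [{"id": "u-88", "handle": "jvaljean", "last_login": "2017-05-30"}],
    "orders": [{"id": "o-1001", "cardholder": "Jean J. Valjean", "total": "19.00"}],
}
LINKS = {}  # steward-confirmed links: (system, record id) -> master id

def link(master_id, system, record_id):
    """Store a steward's decision once so later lookups need no name matching."""
    LINKS[(system, record_id)] = master_id

def records_for(master_id):
    """Yield (system, record) for every source record linked to master_id."""
    for system, rows in sorted(SOURCES.items()):
        for row in rows:
            if LINKS.get((system, row["id"])) == master_id:
                yield system, row

def export_csv(master_id):
    """Flatten the linked records into long-format CSV: system, record_id, field, value."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["system", "record_id", "field", "value"])
    for system, row in records_for(master_id):
        for field, value in row.items():
            if field != "id":
                writer.writerow([system, row["id"], field, value])
    return out.getvalue()

def name_search(term):
    """The manual approach: exact-value search, which misses handles and name variants."""
    return [(s, r["id"]) for s, rows in sorted(SOURCES.items())
            for r in rows if term in r.values()]

# The steward confirms each match once; master id "M-1" is a hypothetical identifier.
link("M-1", "crm", "24601")
link("M-1", "website", "u-88")
link("M-1", "orders", "o-1001")

if __name__ == "__main__":
    print(name_search("Jean Valjean"))  # finds only the CRM record
    print(export_csv("M-1"))            # covers all three systems
```

Because the export follows confirmed links rather than name similarity, the near-identical CRM record 24602 is left out of Jean Valjean's file.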
You may want to store the data in the cloud (i.e., in a data center that’s physically located somewhere other than where you’re conducting business) or on-premises (i.e., in a data center physically located where your company does business), depending on the requirements for keeping the data in specific countries.
There are many, many benefits to having a single view of your customers and employees, ranging from improved customer service to better targeted marketing and churn avoidance. The same technology, data, and processes needed to comply with GDPR can help your business meet other needs, too – and forward-looking companies will use the data management capabilities they had to put in place for GDPR to help them achieve those goals.
Stay tuned for more. While you’re waiting, tell us what you think in the comments.