The deadline for compliance with the new General Data Protection Regulation (GDPR) came and went. And although the regulation came into effect on May 25, there is still a lot of confusion around the implementation the regulation in business intelligence and analytics. This applies especially to data-driven companies, which rely heavily on customer data in daily business transactions. How does the new regulation affect the analytical data management and how can automation tool can help tackle the risk and effort when becoming GRPR compliant?
What is GDPR in a nutshell?
The increased numbers of data security breaches and emerging digitisation trends have brought new challenges for the protection of personal data. To address this, the EU introduced a new regulation for data protection, that came into effect on May 25th, 2018. The new rules apply to all companies that store and/or process the personal data of individuals in the EU, irrespective of where those companies operate in the world.
With the regulation's entry into effect, numerous companies are now required to prove, that any personal data they are holding on anyone, is necessary to the running of their business. Violating the regulation may result in stiff penalties of up to €20 Million or 4% of annual global turnover of the previous year (whichever is greater).
But whilst many organisations are aware of the potential risks of non-compliance with the new rules, there is still a lot of confusion around the implementation the regulation, especially in terms of analytics and business intelligence (BI).
Risk or Opportunity for Analytics & Business Intelligence?
At a first glance, GDPR and BI conflict. In a BI system, detailed customer data helps analyse customer behaviour. Such analyses are used, for example, for targeted marketing campaigns to increase business success. A requirement may be, for example, to categorise or cluster customers in order to better and more successfully address them. How can this analysis goal be achieved in compliance with the GDPR?
Many organisations may need to review their existing information systems and potentially put in place new practices in respect of privacy, data protection and security. But ultimately, the GDPR presents a great opportunity to modernise legacy data management systems.
Prior to the GDPR, it was "good enough" to provide course-grain privacy controls when processing analytics and artificial intelligence ('AI'). However, the May 2018 European Data Protection Supervisor ('EDPS') Opinion 5/2018 and the recently updated UK Information Commissioner's Ofﬁce ('ICO') GDPR report both clarify that the GDPR now requires a specific new form of technically enforced privacy called Data Protection by Design and by Default. (Article 25).
Privacy (or Data Protection) by Design states that any action a company undertakes, that involves processing personal data, must be done with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, this means that the IT department, or any department that processes personal data, must ensure that privacy is built into systems during the whole life cycle of the system or process.
Privacy (or Data Protection) by Default means, that once a product or service has been released to the public, the following privacy settings should apply by default (an without any manual input from the end user):
- Only absolutely necessary personal data is collected
- Collected personal data is processed only as often as absolutely necessary
- Collected personal data is stored only for as long as absolutely necessary
- Users with access to the collected personal data are only as few as absolutely necessary
Therefore, data protection is to become an integral part of technological development along with delivery of products or services. But what is the specific impact of GDPR and how do you implement these changes in your analytical data management?
Impact of GDPR on Analytics and Business intelligence
GDPR compliance for analytics and business intelligence practitioners will depend much on their clear overview of the data being processed, on where this data is being stored and on the capability to easily access affected data when rectification, extraction or deletion is required.
A good idea is to create a catalog listing the data to be processed and its attributes. This data should be categorised based on the following questions: Is it personal data or not? If yes, for what purpose is it being processed? Are personal attributes absolutely necessary to achieve the purpose of data processing? If not, then they should be deleted from the data warehouse. If yes, measures for data protection must be taken e.g. access restrictions, encryption, pseudonymisation or anonymisation.
A further key requirement of GDPR will be your ability to quickly locate, aggregate, extract and/or delete personal data on any subject on request. If required, inaccurate data must then be rectified and/or supplied in a portable format for extraction. Any of these demands must be serviced within a month upon the original request.
Additionally, you will be expected to maintain the control over automated data processing of personal data. GDPR contains many restrictions on automated data processing – and decisions based upon such processing. In order to examine why such data is processed in the first place and what decisions are being made upon it, you will need a trail of which data streams are being fed into which automated workflows.
Benefits of Data Analytics Automation for GDPR Compliance
GDPR is all about data - who can store it, access it, and process it. Unfortunately, data management in many organisations today is complex, outdated and in some cases even messy. An individual’s personal data can be stored in a variety of locations and processed across multiple disparate data streams, which makes it hard to locate, inspect, extract, rectify or delete. Fortunately, advanced automation can greatly simplify data analytics processes - and thus your GDPR programme, as well.
Tools for automated analytical data management like biGENiUS enable you to aggregate all the data your company collects, integrate data silos and manage data processing in one centralised location. Once you have connected your data sources to biGENiUS, you can quickly discover, explore, and examine the data from them, regardless if it's an enterprise or big data source or even an existing data warehouse. Thus, data from multiple sources can be easily categorised, tagged and assessed in terms of the GDPR penalty risks.
Another benefit of automated analytical data management is, that you gain a full control over your data management and processing through standardisation and traceability. The tool provides you with built-in blueprints for data modelling, which can be easily customised in line with the requirements with your GDPR programme. As a result, manual coding or adjustments are no longer needed after generation.
Further, biGENiUS provides your automatically with the data lineage, necessary to trace and prove what data was captured, from where and when. Where rectification and deletion is required, the tool will help you assess the impact of changes in source systems throughout the data lifecycle of your analytical solution.
Last but not least, GDPR is about knowing where your privacy sensitive data comes from, where that data resides within your systems, who is using them and how they are being used. So, proper metadata management and documentation are no longer just nice-to-haves, but have now become necessities. With biGENiUS clean metadata and up-to-date documentation are auto-generated, and this after each development cycle.