Guest blog by Arturo Salazar, EMEA Data Management Business Principal at SAS.
For those still unaware, the goal of GDPR is to secure privacy and integrity of the data collected from consumers. In case of a data breach an organization must be able to report to the authorities and the potential affected customers within 72 hours. The risk of non- compliance is a fine up to $20 million or 4% of your company’s global annual turnover. Despite these hefty fines, research performed by Dimensional Research (sponsored by Dell) published end of 2016 shows that more than 80 percent of respondents state they know only a few details or nothing about GDPR. Nearly all questioned companies (97%) do not have a plan in place, although more than 90% of the respondents said their existing practices will not satisfy GDPR requirements.
One of the biggest problems for most companies is uncertainty in what is permitted and what is not. Despite the fact that the publication of GDPR did not describe every detail or every step from governance to security, this is obviously no excuse to sit back and relax. So let’s start with what we do know. In the new regulation the definition of personal data has been tightened. It is defined as data that allows the identification of an individual, directly or indirectly. This definition is far reaching, since it involves all information relating to ‘an identifiable natural person’, such as name, identification, location data, economic, social or cultural identity. The commonly used definition of this data is ‘personal data’ (PD).
Max to min
Data scientists used to think that the more data - including PD - we have, the better we can understand our customers, market, environment etcetera. With all kinds of new technologies, we have been gathering more and more data. And by using sophisticated big data analytics we extract useful or less useful information. This development of ‘surprise maximization’, using algorithms on big amounts of data, is not totally in line with our current privacy regulations and raises ethical questions about the use of data. Within GDPR the regulations will be stricter to provide more privacy. From May 2018 onwards, ‘data minimization’ for PD will be mandatory. This means that you can neither collect nor process more data than you actually need for the purpose. A simple example, if you only need a name, address and postal code for sending out orders, you should not put a line with telephone number in your web form. More flexibility in terms of data collection is foreseen in the GDPR when data is rendered anonymous or is pseudonymised or encrypted.
Privacy by design
Data minimization is one part of the ‘privacy by design’ principle within GDPR. In the development phase of (new) products or services, an organization should take the privacy of PD into account as early as possible. So for all data you must explicitly know where it will be used for and if there is a need for pseudonymization. Are you already busy making your PD inventory? In which systems, databases and servers do you process or store PD? What does the principle of privacy by design mean for your current and new data lakes, data warehouses and applications?
The research mentioned above shows that a lot of companies are not ready to answer above questions. It is important to be prepared for the changes GDPR imposes. Not only to prevent fines, but to use it to enlarge and innovate your business.
Want to know more? Visit this website where we will show you how you can protect and safeguard all your customers’ personal data but also be agile, accessible and flexible and control your data through better policies and parameters.