GDPR compliance delivers host of added benefits

Telia Denmark tackles GDPR using SAS^® for Personal Data Protection

Like many other telecommunications companies, Telia Denmark is the result of numerous mergers and acquisitions over the past few decades of telephony and internet growth. Today, it is part of the Telia Company, which is the fifth-largest telco in Europe, providing customers with internet, phone and television services.

Faced with the upcoming EU-wide GDPR regulations, Telia Denmark has taken a proactive stance in ensuring that it is possible to locate and identify personal data in its many legacy data sources by working with SAS^® for Personal Data Protection.

“Today’s customers are conscious of privacy concerns, and we want to ensure that we always live up to their expectations in that regard,” said Jesper Fejerskov, Director of Compliance and Privacy at Telia Denmark. “At the same time, we are gaining a clear overview of our most vital data assets, and I see both as long-term competitive advantages in an industry where margins can decide losers and winners.” It is ultimately Fejerskov’s responsibility to ensure that Telia is GDPR compliant on all levels.

Designing the data discovery process

Telia Denmark has designed a data discovery process and a set of rule files to ensure that all personal data is located and identified in its systems. This is not as simple as it may sound. For example, a telephone number is obviously a personal identifier, but in a telco, a customer may also be identified in a number of other unique ways, such as through a SIM card number, an IMEI or IMSI number.

GDPR regulations necessitate that a company can document its processes both for obtaining and storing personal data as well as its ability to identify and extract all personal data related to an individual. When the regulation is in full effect, any EU resident can request that a company discloses, transfers or deletes records containing their personal data.

Access and identify

Senior Business Analyst Anders Stokvad heads up the GDPR compliance work at Telia Denmark as it relates to data discovery. He has carried out the project with consultants from SAS’ Nordic Professional Services Delivery organization. Through SAS^® Federation Server, they used SAS for Personal Data Protection software to carry out data discovery processes on a large number of separate IT systems, which contain personal data. This ensures that Telia Denmark can live up to GDPR demands of being able to identify and locate personal data within its own systems.

Since the start of the project, a couple of SAS consultants have worked with Telia Denmark to help modify the rule files to ensure that all relevant variables are included. For example, a personal ID number may contain hyphens in one system but not in another one.

“We started up a number of projects on SAS Federation Server to incorporate all the systems that store data,” said Stokvad. “We defined a set of relevant categories of data, about 20 in all, which the algorithms need to identify as personal data. Once this is in place, we can make standardized reports. This means that if a customer calls us up and wants to exert his or her right to have files deleted, I can create a command to all Telia Denmark systems to ensure that this happens.” 

Fringe benefits: Better data quality

Working with data to ensure GDPR compliance is considered a momentous task for many companies. A SAS survey from 2017 shows that fewer than half of European organizations (45 percent) have a structured plan for compliance in place. However, in Stokvad’s experi­ence there are a number of positive side effects to the efforts, once you start your data discovery process – even some that can affect the bottom line favorably.

“It has been really positive to see that we are achieving a level of data quality of which we might not have been sufficiently aware had we not started this process,” Stokvad said. “For example, we need good data quality to ensure that we have the correct information to bill another European telco for the data roaming expenses of say, a German tourist. Otherwise, we have to absorb that expense.”

Dashboard gives overview for managerial oversight

Even as Telia Denmark is improving the ability to pinpoint personal data in its many systems, creating one view of the status quo for internal stakeholders is another challenge.

This means not only being able to identify personal data on demand but also making a transparent process for how Telia treats the personal data of its customers and employees. It also means taking steps to delete personal data that is no longer valid or relevant. To give the legal department an easy overview of where personal data resides across organizational systems, Telia uses the dashboard in SAS^® Visual Analytics.

“The dashboard makes it easy to report to our management stakeholders about our progress in GDPR readiness in a format that gives at-a-glance insight,” said Jesper Fejerskov. “This has proven to be a valuable tool for relevant management discussions and makes a complex task more readily understood.”