Preparing for GDPR with data discovery from SAS

Like many other telecommunications companies, Telia Denmark is the result of numerous mergers and acquisitions over the past few decades of telephony and internet growth. Today, it is part of the Telia Company, which is the fifth-largest telco in Europe, providing customers with internet, phone and television services.

Today’s customers are conscious of privacy concerns, and we want to ensure that we always live up to their expectations in that regard Jesper Fejerskov Director of Compliance and Privacy Telia

Ensuring customers' privacy

Faced with the upcoming EU-wide GDPR regulations, Telia Denmark has taken a proactive stance in ensuring that it is possible to locate and identify personal data in its many legacy data sources by working with SAS® for Personal Data Protection.

”Today’s customers are conscious of privacy concerns, and we want to ensure that we always live up to their expectations in that regard,” said Jesper Fejerskov, Director of Compliance and Privacy at Telia Denmark. “At the same time, we are gaining a clear overview of our most vital data assets, and I see both as long-term competitive advantages in an industry where margins can decide losers and winners.” It is ultimately Fejerskov’s responsibility to ensure that Telia is GDPR compliant on all levels.

Like many other telecommunications companies, Telia Denmark is the result of numerous mergers and acquisitions over the past few decades of telephony and internet growth. Today, it is part of the Telia Company, which is the fifth-largest telco in Europe, providing customers with internet, phone and television services.

Designing the data discovery process

Telia Denmark has designed a data discovery process and a set of rule files to ensure that all personal data is located and identified in its systems. This is not as simple as it may sound. For example, a telephone number is obviously a personal identifier, but in a telco, a customer may also be identified in a number of other unique ways, such as through a SIM card number, an IMEI or IMSI number.

GDPR regulations necessitate that a company can document its processes both for obtaining and storing personal data as well as its ability to identify and extract all personal data related to an individual. When the regulation is in full effect, any EU citizen can request that a company discloses, transfers or deletes records containing their personal data.

Access and identify

Senior Business Analyst Anders Stokvad heads up the GDPR compliance work at Telia Denmark as it relates to data discovery. He has carried out the project with with consultants from SAS’ Nordic Professional Services Delivery organization. Through SAS Federation Server, they used SAS for Personal Data Protection software to carry out data discovery processes on a large number of separate IT systems, which contain personal data. This ensures that Telia Denmark can live up to GDPR demands of being able to identify and locate personal data within its own systems.
Since the start of the project, a couple of SAS consultants have worked with Telia Denmark to help modify the rule files to ensure that all relevant variables are included. For example, a personal ID number may contain hyphens in one system but not in another one.

“We started up a number of projects on SAS Federation Server to incorporate all the systems that store data,” said Stokvad. “We defined a set of relevant categories of data, about 20 in all, which the algorithms need to identify as personal data. Once this is in place, we can make standardized reports. This means that if a customer calls us up and wants to exert his or her right to have files deleted, I can create a command to all Telia Denmark systems to ensure that this happens.”

Fringe benefits: Better data quality

Working with data to ensure GDPR compliance is considered a momentous task for many companies. A SAS survey from fall 2017 shows that fewer than half of European organizations (45 percent) have a structured plan for compliance in place. However, in Stokvad’s experience there are a number of positive side effects to the efforts, once you start your data discovery process – even some that can affect the bottom line favorably.

“It has been really positive to see that we are achieving a level of data quality of which we might not have been sufficiently aware had we not started this process,” Stokvad said. “For example, we need good data quality to ensure that we have the correct information to bill another European telco for the data roaming expenses of say, a German tourist. Otherwise, we have to absorb that expense.”

Dashboard gives overview for managerial oversight

Even as Telia Denmark is improving the ability to pinpoint personal data in its many systems, creating one view of the status quo for internal stakeholders is another challenge.

This means not only being able to identify personal data on demand but also making a transparent process for how Telia treats the personal data of its customers and employees. It also means taking steps to delete personal data that is no longer valid or relevant. To give the legal department an easy overview of where personal data resides across organizational systems, Telia uses the dashboard in SAS Visual Analytics. 

”The dashboard makes it easy to report to our management stakeholders about our progress in GDPR readiness in a format that gives at-a-glance insight,” said Jesper Fejerskov. “This has proven to be a valuable tool for relevant management discussions and makes a complex task more readily understood.”

Telia logo

Challenge

Faced with the upcoming EU-wide GDPR regulations, Telia Denmark has taken a proactive stance in ensuring that it is possible to locate and identify personal data in its many legacy data sources by working with SAS® for Personal Data Protection.

Solution

SAS Data Governance (including SAS Data Quality Server)
SAS Federation Server
SAS Visual Analytics

Benefits

  • Telecommunications provider can meet GDPR requirements through an improved process to identify and locate personal data within systems.
  • An integrated dashboard gives management information on the progress of GDPR readiness.
  • Legal department gets a fast, easy-to-understand overview of where personal data resides within internal systems.

The results illustrated in this article are specific to the particular situations, business models, data input, and computing environments described herein. Each SAS customer’s experience is unique based on business and technical variables and all statements must be considered non-typical. Actual savings, results, and performance characteristics will vary depending on individual customer configurations and conditions. SAS does not guarantee or represent that every customer will achieve similar results. The only warranties for SAS products and services are those that are set forth in the express warranty statements in the written agreement for such products and services. Nothing herein should be construed as constituting an additional warranty. Customers have shared their successes with SAS as part of an agreed-upon contractual exchange or project success summarization following a successful implementation of SAS software. Brand and product names are trademarks of their respective companies.

Back to Top