5 steps to sustainable GDPR compliance
By Olivier Penel, EMEA Data Management Business Director, SAS
By now, organizations around the world have the European Union (EU) General Data Protection Regulation (GDPR) in their sights. They know that regardless of where they’re based, it affects them if they’re supplying products or services to EU citizens or organizations. And they know that if they don’t comply by the May 2018 deadline, it could cause serious damage. Not only hefty fines and legal costs, but also widespread business damage from a tainted reputation.
It’s clear that noncompliance with the GDPR could be a real threat to the future of many organizations. But on the other hand, personal data has tremendous value. If it’s managed properly, it can create significant competitive advantage. Let’s look at the steps you can take to achieve GDPR compliance – and, while you’re at it, position yourself in the best way possible to get an edge over competitors.
An action plan for your journey to GDPR compliance
The GDPR gives every EU citizen the right to know and decide how their personal data is being used, stored, protected, transferred and deleted. Needless to say, implementing the GDPR will affect your entire organization. You’ll need to get back to the drawing board and rethink how personal data is handled from the source to the point of consumption. You’ll also need to consider how your data management and data governance frameworks will support GDPR requirements.
Take the right approach to GDPR compliance
While it may sound overwhelming, there are ways to make compliance more manageable. Here are five steps that will help you on your journey to GDPR compliance.
- Access. The first step toward GDPR compliance is to access all your data sources. No matter what the technology – traditional data warehouses and Hadoop clusters, structured and unstructured data, data at rest and data in motion – you must investigate and audit what personal data is being stored and used across your data landscape. Seamless access to all data sources is a prerequisite for building an inventory of personal data so you can evaluate your privacy risk exposure and enforce enterprisewide privacy rules. To address GDPR compliance, you can’t rely on common knowledge or perception of where you think personal data might be. The regulation requires organizations to prove that they know where personal data is – and where it isn’t.
- Identify. Once you’ve got access to all the data sources, the next step is to inspect them to identify what personal data can be found in each. Often, personal data is buried in semistructured fields. You’ll need to be able to parse those fields to extract, categorize and catalog personal data elements such as names, email addresses and social security numbers. Considering the volumes of data at hand, this cataloging process can’t be manual. And you not only need to parse and classify personal data – you also have to accommodate varying levels of data quality. Things like pattern recognition, data quality rules and standardization are vital elements of this process. Having the right tools for the job will make a big difference in your ability to meet the May 2018 deadline for GDPR compliance.
- Govern. Getting a grasp on personal data starts with being able to define what personal data means and then share this understanding across your organization. For GDPR compliance, privacy rules must be documented and shared across all lines of business. This is the way to make sure personal data can only be accessed by those with proper rights, based on the nature of the personal data, the rights associated with user groups and the usage context. To achieve this, roles and definitions must be established in a governance model. Then you can link business terms to physical data sources, and establish data lineage from the point of creation to the point of consumption. This provides you with the required level of control.
- Protect. Once the personal data inventory and governance model are established, it’s time to set up the correct level of protection for the data. For GDPR compliance, you can use three techniques to protect data: encryption, pseudonymization and anonymization. You must apply the appropriate technique based on the user’s rights and the usage context – without compromising your growing needs for analysis, forecasting, querying and reporting. The easiest way to protect data privacy is actually to press the delete button, keeping only the data you need to run critical business processes and added-value analysis.
- Audit. The fifth step in your journey to GDPR compliance involves auditing. At this stage, you'll need to be able to produce reports to clearly show regulators that:
– You know what personal data you have and where it’s located, across your data landscape.
– You properly manage the process for getting consent from individuals who are involved.
– You can prove how personal data is used, who uses it, and for what purpose.
– You have the appropriate processes in place to manage things like the right to be forgotten, data breach notifications and more.
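The Identify and Protect steps above, sketched as an added example that is not from the article or from SAS: it parses free-text fields for email addresses and US social security numbers, applies a data quality rule and standardization, builds the inventory, and replaces each hit with a keyed pseudonym. The record layout, field names, token format and key are assumptions made for illustration; names and other categories are not covered.

```python
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# SSN written with dashes, spaces or no separator (varying data quality).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def valid_ssn(area, group, serial):
    """Data quality rule: reject number ranges that are never issued."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_personal_data(text):
    """Return (category, raw_match, standardized_value) for each hit."""
    hits = [("email", m.group(0), m.group(0).lower())
            for m in EMAIL_RE.finditer(text)]
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0), "-".join(m.groups())))
    return hits

def pseudonymize(value, key):
    """Keyed HMAC-SHA256 token: stable for joins, needs the key to recompute."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def catalog_and_protect(records, key):
    """Build the inventory and a copy of the records with hits tokenized."""
    inventory, protected = [], []
    for rec in records:
        clean = dict(rec)
        for field, text in rec.items():
            if not isinstance(text, str):
                continue
            for category, raw, std in find_personal_data(text):
                inventory.append((rec["id"], field, category))
                token = f"<{category}:{pseudonymize(std, key)}>"
                clean[field] = clean[field].replace(raw, token)
        protected.append(clean)
    return inventory, protected

# Constructed sample records; the key is a placeholder, not a real secret.
SAMPLE = [
    {"id": 1, "notes": "Call back Jane.Doe@Example.com, SSN 512-34-8876"},
    {"id": 2, "notes": "ssn 512 34 8876 on file; order 000-12-3456 shipped"},
    {"id": 3, "notes": "no personal data here, ticket 12345678901"},
]
KEY = b"demo-key-placeholder"
```

Because values are standardized before hashing, the same number written with dashes in one record and spaces in another maps to the same token, so analysis and joins still work on the protected copy.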
From GDPR compliance to risk management as a whole
Being able to create detailed reports about personal data usage is not simply a requirement for GDPR compliance; it helps you manage the risk exposure of your organization when it comes to data privacy. The five steps outlined here can guide you as you put in place the technologies, processes and people necessary for achieving GDPR compliance and managing risk as a whole. What’s more, it can strengthen your business, create deeper bonds with customers, and spur innovation that could have positive, far-reaching implications for future growth.
About the Author
Olivier Penel is a senior adviser with 15 years of information management consulting experience for Global 1000 companies across various industries. In leadership positions at companies such as IBM and Infosys, he led distributed teams of data management domain and technical experts in supporting sales initiatives and pre- and post-sales engagements. Penel has shared his expertise in data management best practices with many audiences during speaking engagements. His goal is to help organizations build a holistic strategy and value-driven road map for data governance that spans traditional data management practices – data integration, data quality, MDM, virtualization – along with big data, BI, analytics and decision management.