Data Protection
Jose Almeida
Data Consultant/Advisor | Data Strategy | Data Governance | Data Quality | Master Data Management | Remote/Onsite Consulting Services in EMEA
Data Protection Challenge
Data protection and security are currently two high-profile topics. Regulations are multiplying at national and international levels to define personal data and establish controls governing its maintenance and use, with growing enforcement of customer rights for appropriate data use.
Understanding that organizations gather more sensitive customer data to enable their services, in more applications, and in more locations than ever before, it is easy to conclude that data protection and security are a challenge and must be among the top priorities.
In a context that is rapidly changing, with larger and larger volumes of data available, assuring that data is secured and that all data protection regulations are respected is a priority and a critical challenge, making data mismanagement a risk.
The Challenge
The risk of being non-compliant can mean negative publicity, damage to organizations’ reputations, and penalties. The requirements include that data be protected adequately, and when breaches do occur organizations must have notification capabilities in place that align with the regulation’s standards.
In the telecommunications and financial services industries, data is the ultimate battleground. Already under increasing pressure to meet regulatory demands and manage their business challenges (constantly evolving regulatory requirements, a rising-cost environment, pressure on profit margins, economic pressures, the challenge of satisfying the ever-increasing demands of customers, and increased competition), they now face different data challenges.
For organizations that hold information for millions of customers on their systems, keeping their personal information secure is already a challenge.
Compliance with these regulations is a massive task and there is no one-size-fits-all solution.
It is no surprise that not all organizations are ready.
Only organizations that know the what’s, where’s, how’s, who’s, when’s and why’s of their data, and take effective control of it, can minimize the risk and comply with the regulatory framework.
The most important step to compliance is to understand the data the organization holds. Across the organization, different departments, different systems will hold personal information.
Only after an organization has enough knowledge about its data, knowing it across the siloed ecosystem, being able to do full lineage of the data, and fully understanding its life-cycle, can it move to address data subject access rights, consent, breach response, data processing record keeping, and more.
Understanding what must be governed is the first step to governing it.
Data management - Data under the scope of data protection laws needs to be properly governed, allowing it to be easily located and managed, driving the implementation of robust data management solutions.
Data Governance - The goal of data governance is to ensure that an organization’s business objectives are accomplished, by guaranteeing that data is available as needed for business purposes, but also secure, private and in compliance with regulatory requirements. There is no one-size-fits-all approach to data governance, and especially when organizations are being pressed to quickly adapt to the regulations, a more pragmatic and agile approach is paramount.
Master Data Management - MDM involves identifying your customer data, determining who accesses that data, and creating a single view of the customer. Although it does not automatically make an organization compliant with the data protection laws, it easily accommodates the requirements to ensure compliance, such as the right of rectification, erasure, consent or anonymization, enabling the full automation of these processes.
Metadata Management, Data Catalog, Data Lineage and Business Glossary - These are also critical components, ensuring the control of where and how data is found, how data elements relate to business terms, mapping and cataloguing sensitive and personal data.
Data Security - Preventing data loss and breaches is imperative. Beyond identifying where data is located and how it is being used, it’s necessary to set up a solution that prevents unintentional loss or intentional theft of data, and inappropriate exposure or unauthorized usage of such data even when no loss or breach has occurred, and that also provides breach detection and access control.
Also, it’s important to keep in mind that customers are losing their tolerance for data security failures and that awareness of these issues is growing, as some recent cases have shown (Cambridge Analytica or Facebook); the probability that they will stop doing business with organizations that mishandle data or are negligent with it is greater than ever.
Business Processes - To ensure data is handled properly within the organization, changes in the existing business processes or even new processes need to be implemented, involving staff training, internal audits, and review of internal procedures.
This requires changes to various aspects of an organization’s structure and business objectives. Formal, well-planned change management activities, including internal communications, training, briefings, etc., are needed to ensure the successful implementation of new data protection processes.
Data Minimalism - As more and more data is accumulated across an organization’s multiple systems, data warehouses and data lakes, more redundant and obsolete data is gathered. It is increasingly essential that all this data collection is consistently planned, with strategies to make sure that the data being collected is being used, is clean and is well managed.
This is critical when addressing customer data, especially in the light of the increasing regulations and the increasing data protection and security concerns among customers themselves, creating the need for organizations to collect only the necessary data to enable them to provide their products and services, and to be fully transparent about it to their customers.
Customer trust around data is becoming mission critical for most businesses, and they must design their products for transparency, trust, and responsible usage of data, so that customers can trust they’re only collecting the data that will help them improve products or services.
This new level of transparency builds trust and trust is being increasingly perceived as a key differentiator for customers when deciding on their relationships with organizations.
Beyond DPA (January 24, 2022)
The DPA (Data Protection Act) includes a few principles that when extended to a broader scope of the data within any organization will bring additional benefits on how data is governed and enable better decision-making, reduce operational friction, protect the needs of data stakeholders, and reduce costs and increase effectiveness.
Two of these principles are especially dear to me: they can easily be implemented and give clear results even in areas outside the Data Protection Act scope.
These are the Purpose Limitation and Data Minimization principles, and they are closely related when approaching data in a business-driven perspective.
Data minimization is an essential principle of data protection, and it refers to organizations restricting the personal data they collect from individuals and processing only information that is necessary to accomplish business purposes.
Data minimization involves restricting not only the collection of data but also deleting data no longer useful and setting limits for data retention.
This principle is critical in the light of the increasing regulations, and the increasing data privacy and security concerns among customers.
This context is creating the need for organizations to collect only the necessary data to enable them to provide their products and services, and to be fully transparent about it to their customers.
Customer trust around data is becoming mission critical for most businesses, and they must design their products for transparency, trust, and responsible usage of data, so that customers can trust they’re only collecting the data that will help them improve products or services.
This new level of transparency will rebuild trust. And trust is being increasingly perceived as a key differentiator for customers when deciding on their relationships with organizations.
But it should be taken even further: it must be taken outside the boundaries of data protection and extended to all data within the organization, as a central point in the organization’s data strategy.
In a time where increasing capabilities in big data, cloud computing, data processing and analytical tools are being disclosed daily, when organizations are trying to generate and store all possible data, whether they need it or not, making the case for data minimization may seem out of place.
To be able to maximize the return from their analytical investments, and to avoid data becoming a liability, organizations need to move to collect only the data they need.
This is where purpose limitation comes into play. It means implementing data strategies closely aligned with the business objectives, and collecting and working on the data that is effectively necessary.
Data governance plays a critical role in this change in strategy, assuring that:
· All the data is being collected and processed in the organization within a specific context, whether operational, regulatory, etc.
· It is collected and analyzed with an end in mind, sustained by a business case and aligned with the business objectives.
Embracing data minimization and purpose limitation allows a better transition to being data-driven, enhances the decision processes, reduces security risks, reduces costs on storage and on managing data, and increases the customer trust in the organization.
A golden opportunity for data governance in Kenya (January 17, 2022)
More than a challenge, the road to compliance with the Data Protection Act (DPA) must be considered as an opportunity for businesses to build a strong data foundation and to fully explore the potential and value of their data.
The awareness of data as the most critical asset for an organization keeps growing, but results are not following, and despite large investments to manage this growing influx of data, most organizations are still unable to retrieve the meaningful insights that will enable them to take advantage of the potential created by all this data.
From day one, data is being created, compiled, collected, stored, and distributed. Data is present in all the organization’s processes, from risk or regulatory compliance to routine operations.
Data is the most powerful asset an organization has.
Organizations are investing heavily in leveraging new technologies, artificial intelligence, machine learning, the internet of things, augmented and predictive analytics, and data is at the core of each of these initiatives.
Kenyan organizations must view DPA as an opportunity to better align their organisations. Data protection regulation will continue evolving, and a clear view of how data moves across the business will be critical to remaining compliant.
While it may be enough for organizations to simply comply with DPA, having a long-term view can help them work more efficiently and differentiate themselves in a highly competitive market.
Especially in industries dependent on attracting and keeping customers, that handle and work with customer data, it is essential to have clear objectives when approaching this challenge.
Data protection might be considered a compliance issue, but the risks are higher than compliance.
There’s a growing trend for customers to prefer companies that have an ethical approach to data. The view of the Data Protection Act being just a compliance issue might hold organizations back from following a market tendency that is gaining strength.
Organizations that can show they are ethical and responsible about their customers’ data will be gaining a competitive edge against their competition and getting their customers’ support in the process. Compliance with the Data Protection Bill is just the beginning of this process.
The existence of a clear data strategy, with focus on trust, based on ethical and transparent data practices, making sure that customers know how, when and for how long their data will be used is an opportunity to make customers buy in to an organization, its culture, and principles instead of just products.
On the verge of a new set of compliance requirements, and although every industry may have a different business vision, you need to look at that vision and understand if the focus for this transformation should only be compliance with the Data Protection Act, or if a broader opportunity should be considered.
Having a data governance framework in place assures that timely, consistent, and trusted data is provided to the business to support critical decisions, improving trust, transparency, and reliability when meeting customer and stakeholder expectations.
With all the technological advances and with larger volumes of data available, organizations can increase their competitiveness and earning potential, but they can also highlight existing operational inefficiencies and fail to rise in an increasingly competitive business environment.
This is where the capacity to know what data the organization has, where and how it is held, and the ability to protect the integrity of that data, is a critical advantage.
Organizations need to have a clear stand on safeguarding their most important asset – data. And as for any other asset, this means defining the processes and procedures by which their data will be managed.
You need to look at this, not only to solve compliance, but also as a true business differentiator, enabling a customer-centric vision supporting the organization to deliver truly personalized and valued customer experiences.
Road to Compliance - Kenya Data Protection Act, 2019 (DPA) (December 3, 2021)
Data privacy is currently a high-profile topic. Regulations are multiplying at national and international levels to define personal data and establish controls governing its maintenance and use, with growing enforcement of customer rights for appropriate data use.
Understanding that organizations gather more sensitive customer data to enable their services, in more applications, and in more locations than ever before, it is easy to conclude that data privacy is a challenge and must be among the top priorities.
In a context that is rapidly changing, with larger and larger volumes of data available, assuring that data is secured and that all data protection regulations are respected is a priority and a critical challenge, making data mismanagement a risk.
The roll-out of Kenya’s data protection framework, the Data Protection Act (DPA) of 2019, is still in an emerging phase, and it’s important to increase the awareness of its challenges and opportunities.
Organizational impacts
The data protection act impacts the operation of every organization in three main perspectives.
First, from the legal and compliance point of view where new figures are introduced:
· The data subject - who is a person who is the subject of personal data and personal data refers to any information relating to an identified or identifiable natural person.
· The Data controller - defined as a person or body who determines the use and means of processing of personal data.
· The Data Processor - defined as a person or body that processes personal data on behalf of the Data Controller.
Additionally, there’s a figure of data protection officer who acts as an interface with the data commissioner and simultaneously is responsible for the compliance with the data protection act on behalf of one or more data controllers or processors.
From the technological perspective, there might be huge impacts on the organization’s technical ecosystem, depending on its complexity and size, on the number of systems, and on how those systems are integrated.
These affect almost every aspect of the data life cycle, from its collection to its storage, with a special focus on how it’s secured and protected from any kind of data breach, forcing the implementation of data protection by design or default.
· Data protection by design - Organizations should implement technical and organizational procedures when designing processing operations, that guarantee data privacy and protection principles from the beginning.
· Data protection by default – Organizations must safeguard that personal data is processed with the highest privacy protection (processing only the necessary data, stored for the shortest period possible) so that by default personal data isn’t accessible to an indefinite number of persons.
And of course, the most critical perspective to be affected will be data itself. Compliance with the data protection act is truly a data management challenge, involving the capability to know and control all the personal data existing in the organization’s systems ecosystem, from the moment it is collected to the moment it is destroyed, controlling how it’s accessed, who accesses it, how it flows across systems, which processes use it, etc.
A few concepts
One of the most important concepts that are introduced is the concept of consent, meaning that any kind of data classified as personal can only be processed upon consent by the data subject and in accordance with the principles of the protection of data, also giving the data subject the right to object to the processing of their personal data, with a few exceptions and to explicitly consent to its commercial use.
This turns every data controller or processor into the custodian of personal data obliged to create and implement all the necessary measures to protect that data against foreseeable internal and external risks.
Related to the concept of data protection by design that I’ve mentioned before is the Data Protection Impact Assessment (DPIA), which is an assessment of the impact of the predicted processing operations on the protection of personal data. The DPIA allows for better decision-making at the implementation stage and avoids the need for expensive subsequent improvements or potential leaks of personal data. Based on the outcome of the analysis, the appropriate measures to remedy the risks should be adopted and implemented. For data controllers and processors, it’s an important instrument to establish compliance with the DPA requirements.
The obligation to report any data breach to the data commissioner seventy-two hours after its identification is also introduced, and as a data breach we include, broadly, three kinds of situation:
· Confidentiality – Any unauthorized or accidental disclosure or access to personal data.
· Availability – Any accidental or unauthorized loss of access, or destruction of personal data.
· Integrity – Any unauthorized or accidental alteration of personal data.
This makes it necessary to have in place the processes to prevent breaches, but also the processes and procedures to expedite the response to these incidents.
Road to Compliance
The risk of being non-compliant can mean negative publicity, damage to organizations’ reputations, and penalties. The requirements include that data be protected adequately, and when breaches do occur organizations must have notification capabilities in place that align with the regulation’s standards.
In most industries today, data is the ultimate battleground.
Already under increasing pressure to meet regulatory demands and manage their business challenges (constantly evolving regulatory requirements, rising costs, pressure on profit margins, economic pressures, the challenge of satisfying the ever-increasing demands from customers, and increased competition), they now face different data challenges.
For organizations that hold information for millions of customers on their systems, keeping their personal information secure is already a challenge.
Compliance with these regulations is a massive task and there is no one-size-fits-all solution.
Only organizations that know the what’s, where’s, how’s, who’s, when’s and why’s of their data, and take effective control of it, can minimize the risk and comply with the regulatory framework.
The most important step to compliance is to understand the data the organization holds. Across the organization, different departments, different systems will hold personal information.
Only after an organization has enough knowledge about its data, knowing it across the siloed ecosystem, being able to do full lineage of the data, and fully understanding its life-cycle, can it move to address data subject access rights, consent, breach response, data processing record keeping, and more.
Understanding what must be governed is the first step to governing it.
On the assumption that there is no one-size-fits-all solution or approach, the best option seems to be a phased approach where every initiative is grounded on clearly defined business objectives and priorities.
An initial assessment phase will allow a comprehensive awareness of the context where all the initiatives towards compliance will be developed. Also important is a clear understanding of how the transformation necessary for DPA compliance can align with and help pursue those business priorities and objectives, and how to choose the least disruptive path.
Any change introduced into an organization will necessarily create some disruption and generate resistance, and a successful approach must be able to overcome these challenges. Addressing DPA compliance in a holistic perspective increases the risk, and although some aspects need to be addressed on a corporate level, such as the data protection policy, others should be prioritized according to business objectives and risks.
Identifying the most critical business areas and processes that depend on personal information, identifying the stakeholders that are more aware of the critical role of personal data in their business processes, and turning each of these cases into use cases is key to assuring long-term success.
These use cases are to be transformed into targeted initiatives where the impact and value of data can be clearly identified, working with a business stakeholder who can passionately and effectively articulate the impacts of data in their business processes and who will be eager to defend them.
The assessment will start with a clear definition of the scope and objectives for data protection compliance. Again, the alignment with business objectives and strategy is an essential factor for success, and for this it is essential to assure executive-level engagement and the identification of the most critical stakeholders within the organization.
An initial version of the organization’s data protection should be initiated at this stage, creating a first draft of the structure and framework where it will work in the future.
A critical component of this stage is a comprehensive gathering of the organization’s context in terms of personal data, defining a scope of systems, data flows and processes to be analysed. Although at this stage this might be done at a high level, to be detailed in subsequent stages or initiatives, it is important to already have a clear view of the quantity of data elements to be considered as private data, where they are stored, which processes act upon them, what data flows use them, and who accesses them and when.
None of this is new. Every organization has, even today, at some level its own data security processes and frameworks and procedures. The objective here is also to understand the gap between the current situation and the situation of compliance with the data protection act.
It is this gap that will determine the initiatives to be started, that, again, aligned with business objectives will determine a roadmap for compliance.
Once a roadmap is defined, it’s time to address each of the initiatives, and each is addressed in a very common development life-cycle framework, excluding maybe some of the more bureaucratic processes and documents, which should be handled in their own way.
So, what can come out of the roadmap?
Again, there is no one-size-fits-all solution for data protection compliance. So, in most cases, we’ll be talking about implementing changes to internal processes and procedures, to security incident response templates or data breach report processes, notice and consent delivery processes, and data retention duration, but it can also be process automation initiatives, changes to website forms, cookie collection notices, data security initiatives, server access restrictions, or the implementation of changes to APIs.
Or even, in some situations, data governance programmes, business glossary implementation, a data lineage initiative, Master Data Management (providing a single view of customer, employee, or other entities), data classification or data monitoring initiatives.
All depending on the specific requirements, on dimension, on the industry, on business objectives and strategy.
As a closing note, it’s important to emphasise that, especially in industries dependent on attracting and keeping customers, that handle and work with customer data, it is essential to have clear objectives when approaching this challenge.
Data protection might be considered a compliance issue, but the risks are higher than compliance.
There’s a growing trend for customers to prefer companies that have an ethical approach to data. The view of the Data Protection Act being just a compliance issue might hold organizations back from following a market tendency that is gaining strength.
Organizations that can show they are ethical and responsible about their customers’ data will be gaining a competitive edge against their competition and getting their customers’ support in the process. Compliance with the Data Protection Bill is just the beginning of this process.
The existence of a clear data strategy, with focus on trust, based on ethical and transparent data practices, making sure that customers know how, when and for how long their data will be used is an opportunity to make customers buy in to an organization, its culture, and principles instead of just products.
On the verge of a new set of compliance requirements, and although every industry may have a different business vision, you need to look at that vision and understand if the focus for this transformation should only be compliance with the Data Protection Act, or if a broader opportunity should be considered.
You need to look at this solution, not only to solve compliance, but also as a true business differentiator, enabling a customer-centric vision supporting the organization to deliver truly personalized and valued customer experiences.
Building trust – engaging data privacy in Kenya (December 2, 2020)
Kenya is undergoing a series of changes in the data privacy regulations, and Kenyan companies are completely off guard as these changes are turning up faster than the organizations can adapt to them.
Regulations like the Data Protection Bill or new rules from the Central Bank of Kenya, are putting an enormous pressure on organizations, creating an entirely new reality to which organizations need to adapt fast.
Ensuring you comply with the Data Protection Bill can open the door to additional benefits attainable in understanding and protecting customer data. It's a mistake for organizations to view compliance as just a financial burden. There are real benefits. Organizations must see it as an opportunity to transform their approach to customer data and not simply as a matter of compliance.
At first glance the Data Protection Bill presents a series of challenges, effectively raising the bar for the protection of privacy and the lawful processing of data.
But problems provide opportunities, and efforts to comply with the Data Protection Bill can bring several benefits for organizations, going beyond data processing to the delivery of better services and outcomes.
Once in place the Data Protection Bill will change the balance of privacy rights against the free flow of data. People will have the right to ask for the data an organization holds on them, for it to be transferred or erased on their instruction, and to prevent it being shared with other organizations.
It will introduce new rules on what constitutes the lawful processing of data, with an emphasis on explicit and unambiguous consent from the subject and extending to any third party responsible for the processing.
Requirements and penalties
There will be requirements for a public authority to have a data protection officer, to carry out risk assessments on the processing of sensitive data, and to report any data breaches within a specific timeline. Along with all this there will be punitive penalties for organizations that fail to comply.
These are significant challenges, but it must be understood that they come in response to the explosion of personal data that has come with the emergence of digital technology and the internet, and amount to significant steps forward in personal privacy rights.
Organizations need to recognize the challenges, but they should also be able to identify significant opportunities. It is an area where a solid data strategy helps to realize the benefits.
What you don’t know will hurt you
The most urgent thing to address is to know exactly what data the organization has, on whom, and where it is kept. An organization must first have knowledge about its data, knowing it across the silo ecosystem, being able to do full lineage of the data, and fully understanding its life-cycle.
Only then can it move to address data subject access rights, consent, breach response, data processing record keeping, and more.
At this point, instead of fighting the siloed ecosystem, which is still the major challenge for any analytical initiative but also the natural evolution of every large organization, it’s the moment to govern the data and regain control over the data’s quality, origin and ownership, the key elements of a successful data governance program. This means data dictionaries, business glossary, and data lineage: defining data and terms across all business units, providing information about the source, age, and inter-dependencies of data, and laying out the sources of data, its usage, relationships between data sources, data quality dimensions and scores, and data owners and stewards.
The bottom line - Trust
In industries dependent on attracting and keeping customers, that handle and work with customer data, it is essential to have clear objectives when approaching this challenge. Data protection might be considered a compliance issue, but the risks are higher than compliance.
There’s a growing trend for customers to prefer companies that have an ethical approach to data. The view of the Data Protection Bill being just a compliance issue might hold organizations back from following a market tendency that is gaining strength.
Organizations that can show they are ethical and responsible about their customers’ data will be gaining a competitive edge against their competition and getting their customers’ support in the process. Compliance with the Data Protection Bill is just the beginning of this process.
The existence of a clear data strategy, with focus on trust, based on ethical and transparent data practices, making sure that customers know how, when and for how long their data will be used is an opportunity to make customers buy in to an organization, its culture and principles instead of just products.
Something else is also changing: customers are losing their tolerance for data security failures and awareness of these issues is growing, as some recent cases have shown (Cambridge Analytica and Facebook), and the probability that they will stop doing business with organizations that mishandle data or are negligent with it is greater than ever.
Preparing for the Kenyan Data Protection Act (November 26, 2020)
Master Data Management is the powerhouse of the organization’s most valuable data. Data that is used by all its departments across the organization to get their work done – making it critical for any business regardless of its size and reach.
Master Data Management is an end-to-end process of the data journey in the organization. It collects data from the relevant sources to establish a single data source for the organization. A single source of truth – The golden record.
Without being a full-scope solution, Master Data Management needs to be at the head of what organizations consider their compliance strategy for data privacy regulations.
Compliance with the Data Protection Act is one of the pressing imperatives for organizations, since non-compliance means significant penalties as well as lost revenue due to customer attrition. It is therefore critical to think about employing enterprise-level governance processes to deal with all types of private data collected. Master Data Management is just one component, albeit a key one, to consider for an effective compliance strategy.
How MDM helps prepare for the Kenyan Data Protection Act
The Data Protection Act is here, but Kenyan companies are woefully unprepared.
The risk of being non-compliant can mean negative publicity, damage to companies' reputations, and penalties. The new requirements include that data be protected adequately, and when breaches do occur organizations must have notification capabilities in place that align with the bill’s standards.
Especially in telecommunications and financial services, data is the ultimate battleground. These organizations are already under increasing pressure to meet regulatory demands and manage their business challenges: constantly evolving regulatory requirements, rising costs, pressure on profit margins, economic pressures, the ever-increasing demands of customers and increased competition. They will now face different data challenges.
The Data Protection Act will govern how telecoms and banks collect, use, store and delete personally identifiable information in the wake of rising cyber-attacks, and organizations are finally waking up to the reality that compliance is no longer up for negotiation.
For organizations that hold information for millions of customers on their systems, keeping that personal information secure is already a challenge. Compliance with this new regulation is a massive task and there is no silver bullet approach. It’s not surprising that not all organizations are ready.
Upcoming challenges
The first challenge is understanding what needs to be done, avoiding being struck by paralysis and denial. To overcome this, those leading their organization’s efforts must start understanding the regulation and taking steps to ensure organizational compliance.
The approach should rest on three main vectors: Data Management, Security and Business processes.
· Data management: Data under the scope of the bill need to be properly governed, allowing it to be easily located and managed, driving the implementation of robust data management solutions.
· Security: Data loss and breach prevention is imperative, making it possible to identify where data is located and how it is being used.
· Process: Finally, to ensure data is handled properly within the organization, changes in the existing business processes or even new processes need to be implemented, involving staff training, internal audits, and review of internal procedures.
Data Management
This article will focus on the data management vector and on how a strong data management framework will help the adaptation to these new requirements.
The first step is to create the right structure to conduct this process, assuring that executive management is responsible for ensuring that the organization meets its legal obligations to implement the requirements and the organization’s governance processes, including information security, legal, records management and audit.
The most important step to compliance is to understand the data the organization holds. Across the organization, different departments, different systems will hold personal information. Understanding what must be governed is the first step to governing it.
Master Data Management
When starting the process of complying with the Data Protection Act, consider that addressing Master Data Management (MDM) and data protection together is a sound strategy to save time and money. MDM involves identifying your customer data, determining who accesses that data and creating a governance program. Although an MDM implementation does not automatically make an organization compliant with the Data Protection Act, it does include some of the necessary steps to ensure compliance.
Both projects address a set of common requirements about who is using data and where that data is used and/or replicated. In fact, most of the MDM requirements are also requirements for Data Protection Act compliance. There is some additional work remaining, such as consent or anonymization, but it can easily be accommodated in an MDM initiative.
Data management is rarely seen as a competitive advantage. Although MDM for customer data is a common implementation, organizations have yet to extend this practice to customer communication preferences and interaction histories, or to their employee records, and the process of complying with the Data Protection Act is an excellent opportunity to do that.
Some of the specific requirements of the Data Protection Act, such as the right of rectification and erasure, or consent, are requests that are virtually impossible to process manually for organizations the size of the telecoms, banks or insurance companies.
With highly siloed ecosystems formed of dozens or hundreds of different systems, identifying all the copies of the customer data in all its variants is a daunting task if the proper data management platform is not in place.
An MDM solution solves exactly these issues, guaranteeing that all the systems in the organization use the same customer information, the customer golden record, and identifying every single source or target for that data.
The Data Protection Act requirements referred to previously, the right of rectification and erasure, or consent, can be included in MDM, enabling the full automation of these processes.
Besides all the features previously listed, the existence of a single view of the customer data also constitutes an authoritative source of customer information, controlling the data silos, making it easier to accommodate ever changing business requirements, eliminating redundancy, increasing data quality.
Conclusion
On the verge of a new set of compliance requirements, and although every industry may have a different business vision, you need to look at that vision and understand whether the focus for this transformation should only be compliance with the Data Protection Act, or whether a broader opportunity should be considered.
You need to look at this solution, not only to solve compliance, but also as a true business differentiator, enabling a customer-centric vision supporting the organization to deliver truly personalized and valued customer experiences.
Thanks for Sharing! Jose Almeida
Monitoring And Evaluation Assistant Manager at Equity Group Foundation
1 year
Great compilation. Data protection has become a critical factor of consideration on day to day application not just for Telcos and Financial institutions. As long as you are collecting and handling customers'/clients' information.
Spatial Data Scientist || EE Developer Community Program Lead
1 year
This is so comprehensive Jose.
Internal Audit | Financial Reporting | Internal Controls | Risk and Compliance | Corporate Governance | Sustainability
1 year
Great compilation and quite relevant for financial service industries and Telcos. Other key areas to consider include:
Data quality management
· Activities to stop the introduction of unclean data into the environment
· Activities to clean up and integrate the existing unclean data.
Data architecture
This involves the review and set up of appropriate architecture and technologies for the acquisition and management of data. Centralizing the data acquisition system. We have this challenge in government where we have to keep sharing our data in different government yet this information is readily available in other government systems.