Tick Tock Tick Tock – says GDPR Clock

GDPR Clock? May 25, 2018 is a very important date. This is the date the new European GDPR privacy laws go into effect. Deemed the most far-reaching privacy regulation ever enacted, this date marks the dawn of an era where control of personal data shall become a “Fundamental Right” for EU residents. This legislation places an unprecedented burden on the shoulders of Data Controllers and Data Processors to protect the rights of these Data Subjects – which includes transparency in terms of WHEN, WHERE, HOW and even IF these EU residents shall be profiled. The most far-fetched call-out of this legislation IMHO is the right of EU residents to be forgotten/erased. When the penalties for non-compliance can amount to the tune of 4% of global revenues and a potential suspension of privileges to do business in Europe, failure is simply not an option. All of this is just about 2 weeks away. Tick tock, tick tock.

Give me a break? Being a data strategist, I have had the opportunity of interacting with several clients and fellow practitioners over the years, to the extent that I can personally vouch for the gravity of the situation and the mess even some of the global corporations are in. The "unofficial" consensus seems to be that while there is no way all/many of the firms will be fully compliant by May 25th, if they can demonstrate their intent to rectify in good faith through concrete steps, they may get some breathing space. However, we are not cats to aspire for nine lives, and hence the clock still ticks - Tick Tock.

Why is this a mess and how did firms end up here? Firms, especially B2C ones, have witnessed an exponential data explosion facilitated by diminishing storage costs. The inspirational aim to hyper-target customers and uber-personalize their experiences, coupled with the mission of delivering super-fast results, created a culture where several business units/IT shops in different departments were creating their own data stores - often storing personal data of customers independently and unknown to other business units. At an organization level, there is rarely a sole source of documented truth as to how many and which systems store which level of personal data at which geographic location, and which of that data is even actively used (versus being stale). If we really think about it, common sense would dictate that we should have had our ducks in a row to begin with. The GDPR legislation is just a wake-up call (albeit a strong one) and an opportunity to create order from the chaos.

Alright, so is there a way out? In many ways I consider Technology a magnet that has enticed people to build and roll out quick-impact solutions without much thought about the big-picture impact of storing PII data en masse. Fortunately, Technology can come to the rescue here as well when coupled with the right strategy and game plan. There are three key elements of a technological solution that can come to aid here:

  • Discover – A solution that enables auto-discovery of PII data fingerprints (backed by the intelligence of ML algorithms), with the ability to recursively loop through data/file stores. While 100% automation is impossible, manual efforts to extract and document tribal knowledge will simply not suffice.
  • Connect – Earlier in the write-up, I referred to the GDPR legislation as a wake-up call. Once you have discovered/profiled all the systems, it would be a savvy investment to connect all the dots and gain a 360-degree view of how personal data flows through your enterprise for every business process. Representation techniques like knowledge graphs lend themselves well to this exercise. They can also serve as prove-it interfaces to auditors.
  • Remediate – You will need to build interfaces that allow customers to find out what you know about them, to inform you to restrict the usage of their data to the activities they approve, and even to tell you that they wish to be permanently erased from your enterprise memory. If the customer’s data has been mass replicated, this may not be an easy task. However, if you connect the dots as explained in the second bullet above, then you should be able to instantly run a script/job that can traverse through multiple systems to perform due diligence when the customer pushes the “Erase Me” button. This is above and beyond other solutions you will need to build to remove PII data from locations where it does not belong in the first place.
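The three elements above (discover PII by fingerprint, connect the stores into a flow graph, traverse that graph on an "Erase Me" request) can be shown end to end in a small script. The code below is an added illustration written for this page, not tooling from the author or any vendor; the four stores, their records, the copy flows between them and the regex fingerprints are all constructed sample data, and a real deployment would replace the regexes with the ML-backed classifiers the article mentions and the in-memory lists with connectors to actual systems.

```python
import re
from collections import deque

# Constructed sample stores. "crm" is the system of record; the others received
# copies of its data over time, exactly the sprawl the article describes.
def sample_stores():
    return {
        "crm": [
            {"id": 1, "name": "Ana Lopez", "email": "ana@example.org", "phone": "+34 600 123 456"},
            {"id": 2, "name": "Ben Kim", "email": "ben@example.org", "phone": "+44 7700 900123"},
        ],
        "marketing": [
            {"campaign": "spring", "contact": "ana@example.org", "note": "opened 3 mails"},
            {"campaign": "spring", "contact": "ben@example.org", "note": "unsubscribed"},
        ],
        "billing": [
            {"invoice": 77, "customer_email": "ana@example.org", "amount": 12.5},
        ],
        "analytics": [
            {"session": "s-101", "user_hash": "a1b2c3", "region": "ES"},
        ],
    }

# Constructed copy flows (which store feeds which). This adjacency list is the
# minimal form of the knowledge graph the "Connect" step asks for.
FLOWS = {
    "crm": ["marketing", "billing"],
    "marketing": ["analytics"],
    "billing": [],
    "analytics": [],
}

# Simple fingerprints for the "Discover" step. Hypothetical patterns for the demo;
# production scanners pair such patterns with ML classifiers.
FINGERPRINTS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "phone": re.compile(r"^\+?\d[\d\s-]{7,}\d$"),
}


def discover_pii(stores):
    """Discover: map every store to {field: pii_type} for fields whose values match a fingerprint."""
    inventory = {}
    for store, records in stores.items():
        for rec in records:
            for field, value in rec.items():
                if not isinstance(value, str):
                    continue
                for kind, pattern in FINGERPRINTS.items():
                    if pattern.match(value):
                        inventory.setdefault(store, {})[field] = kind
    return inventory


def reachable_stores(flows, root):
    """Connect: breadth-first walk over the copy flows starting at the system of record."""
    seen, order, queue = {root}, [], deque([root])
    while queue:
        node = queue.popleft()
        order.append(node)
        for nxt in flows.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


def erase_subject(stores, flows, inventory, root, subject_email):
    """Remediate: visit every store reachable from `root`, drop the subject's records,
    and return a per-store count that doubles as the audit trail. A store with no
    discovered email field (the pseudonymous analytics store here) cannot be keyed
    automatically and is flagged for manual review instead of silently skipped."""
    report = {}
    for store in reachable_stores(flows, root):
        email_fields = [f for f, kind in inventory.get(store, {}).items() if kind == "email"]
        if not email_fields:
            report[store] = "no email key; manual review"
            continue
        before = len(stores[store])
        stores[store] = [
            r for r in stores[store]
            if not any(r.get(f) == subject_email for f in email_fields)
        ]
        report[store] = before - len(stores[store])
    return report


if __name__ == "__main__":
    stores = sample_stores()
    inventory = discover_pii(stores)
    print("PII inventory:", inventory)
    print("Erasure report:", erase_subject(stores, FLOWS, inventory, "crm", "ana@example.org"))
```

The report is the part an auditor cares about: it shows which stores were reached from the system of record, how many records each one gave up, and which store could not be processed automatically because it holds no discoverable key for the subject.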

Parting Thoughts? While the picture may seem a bit scary, the opportunity to get back to basics and gain a firm control of your data is the fundamental need of the hour. Think of GDPR not just as a warning but as a catalyst that shall spearhead your organization’s efforts towards being more Data Intelligent. Cheers… 

Ganti Murty

Internet Marketing and Business Adviser

6 years

Excellent article Vinay
