Just a year from now the European Union's General Data Protection Regulation (GDPR), that aims to strengthen data protection for individuals, will come into force. It will affect all companies inside and outside of Europe that are storing and managing personal data of European citizens.
One of the top concerns for the affected companies is how they'll be able to identify and link all the data they need in order to protect the new rights of consumers. For instance, data that meets “The Right to be Forgotten” in addition to the consents that are needed to market to individuals. This blog post outlines the four biggest personal data challenges of the GDPR and how you can solve them.
4 major challenges of the GDPR:
1. Identity resolution
In order to handle various consents, delete and correct personal data, and inform individuals about what kind of data you hold on them, and how it’s used, you need to be able to identify the specific individual. This is best attained through identity resolution, which is basically a data management process where an individual is identified from disparate data sets and databases to resolve their identity. In other words, companies that have different systems, databases, and customer data entries need to identify the data of each individual and merge it into one central profile, displaying the most valid and up-to-date personal data.
This is an example of duplicated data, where one individual - Ana Maria - has three separate customer profiles in three different systems for the same company. Duplicates like these need to be removed and replaced with one customer profile.
It may sound simple, but this can be a tremendous challenge, as scattered systems and duplicated or incomplete customer profiles seems to be the norm rather than the exception in most companies.
A recent Royal Mail Data Services study concludes that “Over half of all businesses have missing, incomplete or out-of-date customer data. According to the research, 63.3% of UK businesses reported out-of-date customer information, while 62.8% reported that their customer data was incomplete with gaps in certain data fields, with a further 60.1% admitting to having hardly any data for certain customers.”
Yikes! If you can’t identify that one version of your customer, what are you going to do when someone asks you for an overview of their personal data?
2. Consent Overview
When the GDPR sets in, organisations will have to adopt a new constrained consent protocol allowing them to store and use personal data of individuals. Furthermore, consent from individuals must be specific to distinct purposes. Hence, you need to link each profile to the various processes that the individual has agreed to, such as newsletter subscriptions, online purchase histories, campaign cookies, etc.
You will need to be able to provide an overview showing a list of all the business processes and/or services an individual has consented to.
3. Identify associated data
The business processes described in #2 link to different data. For instance, you need a name and email address to send a newsletter. If you're profiling someone to send them customized marketing, you need name, gender, nationality, age, preferences, and maybe social media handles.
You need to identify the data categories that go with each processing purpose, and match and link these.
This part of the process is important to be able to document toward our ficticious customer, Ana Maria. You must be able to describe what you use her data for, as well as be able to document it towards authorities.
4. Data governance
The last thing you need to do is set up a data governance framework and business rules for the data flow.
How long is this data valid? You need to identify the sustainability of the data to set up a validity period. For instance, a check of address every second year. This is necessary because of GDPR’s new storage limitation requirement means you can only store data as long as it is necessary for the purpose it was collected for.
Who has access to it? You will need to minimize who can see and use consumer data to the people within your organization for whom it is critical. For instance, social media handles may only be relevant to certain marketing and sales people, while the financial department doesn’t need to have access. In this process you also need to define your terms – what is contact data to you? Is that just email, or is it name, email, address phone number, or a third version? These are all policy decisions your company must make as we move closer to the implementation of GDPR.
No simple GDPR solution
There is not one simple GDPR solution that makes you ready for the regulation tomorrow. Transforming your data and data processes is a lot of work. What you need to do is break down data silos and integrate your personal master data into a single, complete source of trusted data, as well as apply a data governance framework. For that to happen within the next year, you need to start today.