GDPR and data portability – how do we solve a problem like Maria?

This is a guest blog post by Michael Corcoran, Chief Marketing Officer at Information Builders

In less than a year the EU General Data Protection Regulation (GDPR) will come into force, updating and superseding the UK’s Data Protection Act 1998, which currently governs the protection of personal data in the UK.

From 25 May 2018 UK organisations will be bound by the new regulation until Britain leaves the European Union; thereafter, any organisation that deals with customers in the European Union will have to comply with EU GDPR, regardless of where it is based.

What does it cover?

GDPR stipulates that personal data should only be collected for specific purposes and that organisations must not store data for longer than necessary. Citizens have the right to be informed that their personal data is being processed. They have the right to access their own data and the right to rectify information held about them that is incorrect or incomplete. Citizens also have the right to receive compensation from data controllers for any damages suffered as a result of their data being misused.

Any breach must be reported as soon as possible (ideally within 24 hours) to limit the damage to citizens whose data has been accessed, corrupted, or stolen, and organisations found to be non-compliant face fines of up to 4% of their annual turnover.

A key data governance issue that organisations face is identifying which information to protect. Good data management practices will help to mitigate some of the risk.

Data Quality and Data Portability

A notable reform contained in the new regulation provides citizens with “a specific right to be forgotten. This is a fundamental modernisation of the rules establishing a number of new rights for citizens, for instance the right to freely transfer personal data from one service provider to another”.

While the GDPR fact sheet points out that ‘the right to be forgotten is not absolute’, it also states that partner organisations must be informed of the customer’s wishes: ‘companies should take every reasonable step to ensure that third parties, to whom the information has been passed on, are informed that the individual would like it deleted. In most cases this will involve nothing more than writing an email.’

This right to data portability poses a problem for organisations that are storing several versions of the same customer’s details. Take for example a customer named Maria Brown, née Maria Green. Your databases may have her recorded as Mrs Maria Brown, Ms Maria Brown and Miss Maria Green. The mobile numbers might match; the addresses might not. You may also have an entirely different customer, Miss Maria Brown, who is also known as Mrs Maria Curtis. The issue becomes more complex if an organisation has undergone a merger or acquisition and Maria Brown also appears in several instances on the second company’s databases.

How do we solve a problem like Maria?

To comply manually with this aspect of the new EU law, a data steward needs to go into your CRM application, search for Maria Brown by name, extract any data found and put it into a spreadsheet. However, customer data can be stored in a multitude of systems: order processing systems, customer support databases, marketing automation tools, website databases. Each of these systems may contain variations on the customer’s name, address, email and telephone contact details. Extracting the data will therefore require many employees to search for all the possible variations of data relating to that customer. To verify that your organisation has complied with the new law, you will then need to take this data from all of those systems and put it into a format that can be transferred to another company.

The data portability clause ‘requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests.’ Therefore, the data extracted must be in an accessible, transferable format.

This means that one (or several) of your employees will have to massage the data extracted from all the different systems that stored it and enter it into an Excel or CSV file format ready for transfer.

If Maria Brown contacts your organisation, citing her rights under EU GDPR, and requests that her details be transferred to another service provider and removed from your own databases, would your organisation be able to identify which Maria it was dealing with and whether the correct details had been transferred and then deleted?

Many organisations will be tempted to employ manual processes to handle such requests under GDPR. However, this is exactly the type of manual, time-consuming, tedious work that is ripe for automation.

Show evidence

EU GDPR also requires that organisations show how they have complied, for example, by documenting the decisions taken about processing an individual’s personal information.

As a result, data cleansing and data quality processes currently used for marketing and customer relationship management purposes will now have a role to play in organisations’ preparation for GDPR compliance. We will see large enterprises, financial organisations, telecoms providers and the public sector moving from data swamps to data lakes as they focus on the data assets that they need to protect. Auditing will also play a central role in enabling organisations to demonstrate compliance, with clear, watertight processes for documenting customer opt-ins and opt-outs.

Moving from the data swamp to the data lake

Having examined the requirements under the new law, we recognise some familiar data quality pain points which master data management (MDM) technology was specifically designed to address.

MDM can be used to define rules that connect data from different systems, creating a golden record: a single view of each customer, citizen, patient, or employee which contains the most recent correct information. Once organisations have established which is the right personal data, they can focus on protecting it.

If customers do exercise their right to data portability, MDM can also be used to minimise manual efforts. This will help organisations to reduce the pain and administrative cost associated with identifying the right records, verifying that they are correct and transferring the right data in the right format on behalf of customers.
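As an added illustration (not the author’s or Information Builders’ code), here is a small Python sketch of the linking rules described above for the Maria scenario: records are linked only on a shared phone number or e-mail address, never on name alone, so the two Marias stay apart while the maiden-name record and the acquired company’s copy are pulled into Maria Brown’s golden record; the export is CSV, and every link is logged so the decision can be shown later. All systems, names and contact details are constructed, and the phone normalisation assumes UK numbers.

```python
import csv, io, re

RECORDS = [  # constructed sample rows: (system, id, stored name, phone, e-mail, last updated)
    ("crm", "c1", "Mrs Maria Brown", "07700 900123", "maria.brown@example.com", "2017-03-01"),
    ("support", "s7", "Ms Maria Brown", "+44 7700 900123", "", "2017-06-15"),
    ("marketing", "m3", "Miss Maria Green", "", "maria.brown@example.com", "2015-11-20"),
    ("acquired", "a9", "Maria Brown", "07700900123", "m.green@example.org", "2016-08-02"),
    ("crm", "c2", "Miss Maria Brown", "07700 900456", "maria.c@example.net", "2017-01-10"),
    ("support", "s8", "Mrs Maria Curtis", "07700 900456", "", "2017-05-05"),
]

def norm_name(name):  # drop the title and case: "Miss Maria Green" -> "maria green"
    parts = name.lower().replace(".", "").split()
    return " ".join(parts[1:] if parts and parts[0] in {"mr", "mrs", "ms", "miss", "dr"} else parts)

def norm_phone(phone):  # digits only; assumes UK numbers, so +44 becomes a leading 0
    digits = re.sub(r"\D", "", phone)
    return "0" + digits[2:] if digits.startswith("44") else digits

def link_records(records):
    # Union-find on shared phone/e-mail (a name alone never links); returns cluster ids + audit lines
    parent = list(range(len(records)))
    def find(i):
        while parent[i] != i: i = parent[i]
        return i
    seen, audit = {}, []
    for i, r in enumerate(records):
        for kind, key in (("phone", norm_phone(r[3])), ("email", r[4].lower())):
            if key and (kind, key) in seen:
                j = seen[(kind, key)]
                parent[find(i)] = find(j)
                audit.append(f"linked {r[0]}:{r[1]} to {records[j][0]}:{records[j][1]} on {kind} {key}")
            elif key:
                seen[(kind, key)] = i
    return [find(i) for i in range(len(records))], audit

def golden_record(rows):  # newest non-empty value per field, plus every name variant and source seen
    rows = sorted(rows, key=lambda r: r[5], reverse=True)
    gold = {f: next((r[i] for r in rows if r[i]), "") for f, i in (("name", 2), ("phone", 3), ("email", 4))}
    gold["known_as"] = ";".join(sorted({norm_name(r[2]) for r in rows}))
    gold["sources"] = ",".join(f"{r[0]}:{r[1]}" for r in rows)
    return gold

def portability_export(records, email):  # one CSV row built from every record linked to that e-mail
    clusters, audit = link_records(records)
    owners = {clusters[i] for i, r in enumerate(records) if r[4].lower() == email.lower()}
    gold = golden_record([r for i, r in enumerate(records) if clusters[i] in owners])
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(gold), lineterminator="\n")
    writer.writeheader(); writer.writerow(gold)
    return gold, out.getvalue(), audit
```

The audit list returned alongside the CSV is the record of which systems were linked and why, which is the evidence the regulation asks organisations to be able to show.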

MDM addresses just one aspect of the EU GDPR requirements, but as we prepare for May 2018 it’s reassuring to know that there are already tools in place that can help to reduce the pain and cost of compliance.