Executive interview: Stuart Tarmy on the technical challenges of GDPR compliance

It is a single line in GDPR, but the right to be forgotten has huge implications for corporate IT. Io-Tahoe vice-president Stuart Tarmy explains why

Io-Tahoe is a company that has grown from a need by British Gas, which is owned by Centrica, to unlock insights into the utility’s 14 million energy customer accounts.

Io-Tahoe provides products to organise and manage data across multiple structured and unstructured databases by extracting disparate pools of company data, which it then manages using data lakes.

Centrica Innovations acquired Rokitt Astra in May 2017, in a move aimed at bolstering the Io-Tahoe data lake technology with machine learning-powered data discovery technology from Rokitt.

Along with the technology, Io-Tahoe also gained a sales and marketing team, Charles Cameron, director of technology and engineering at Centrica, tells Computer Weekly.

Stuart Tarmy came over with the Rokitt Astra acquisition. His role is in business development, and he says he specialises in helping companies grow.

Speaking about the task of achieving General Data Protection Regulation (GDPR) compliance, Tarmy, who previously worked at Mastercard on big data compliance programmes, says: “GDPR is coming down on people fast – May 25th 2018 is the deadline and people have had two years to complete projects.” He points out that even though companies knew about it four years ago, some may not meet the deadline.

The task for businesses of all sizes involves identifying personal data, which can be extremely hard given the way databases propagate throughout an organisation. “At a high level, you have to discover all personal data across the whole enterprise, then secure it using techniques such as encryption and perimeter protection,” he says. “Then you need the ability to purge it across the whole enterprise.”

Protecting personal information

“For example, if I need to protect Bill’s personal information, I need to know everywhere Bill’s data is kept,” says Tarmy. “From a GDPR perspective, it’s important to identify this documented data. Clearly, this means the data protection officer responsible for GDPR compliance needs to know where the data relating to Bill is located.

“The data protection officers will have to provide reports to say they know where everything is,” he says.

Here lies the big challenge for typical enterprises. “This data could be contained in undocumented siloes or legacy systems. If you have worldwide IT systems, you need to go to all of them and across all the platforms the data could reside in,” says Tarmy.

He argues that part of the problem is process and part is technological, and ideally companies would strive to have some form of master data, with a single version of the truth, as in one record for Bill.

But in Tarmy’s experience, while all companies will say they have a golden source, the problem is that different departments will want to modify that single version. It may seem perfectly reasonable to load the customer database into Salesforce or to have another copy in the billing systems, or fulfilment may need its own copy.

“If you then call support to change your address, the data is no longer consistent,” he says. One of the issues facing companies going through a GDPR compliance programme is to identify all the redundant data they have.

For Tarmy, GDPR is a wake-up call to IT to modernise legacy and siloed systems. “GDPR offers huge advantages for maintenance and modernisation by ensuring data is kept up to date,” he says.

It starts with understanding data flow. “You need to follow everywhere personal data exists,” says Tarmy. “Only then can you figure out all the databases being used, and so provide a 360-degree view of the customer.”

This is what Io-Tahoe effectively does in its software as a service (SaaS) product. It ingests all structured data and analyses it using machine learning. “In our product we have the concept of data redundancy – to identify all the sources of data that look similar,” he says.

Most experts agree that GDPR needs to be driven from the very top of the organisation, but Tarmy sees opportunities to adopt best practices from the bottom up, such as choosing to standardise on a single database on a project-by-project basis. New applications will then at least be easier to manage from a GDPR perspective.