As published in ITProPortal.
GDPR: How to Win the Data Privacy War
Preparing for the new regulations will allow organisations to adopt new technologies and improve their information governance.
If you’re a customer-centric organisation, you’re likely to be aware that May 25, 2018 is the date when the General Data Protection Regulation (GDPR) comes into effect.
The new EU directive will harmonise European data laws, applying to organisations across the globe that handle the personal information of citizens who live in the 28 EU member states.
As well as requiring you to have particular privacy processes and procedures in place, it also carries punitive fines and penalties for non-compliance.
However, the new regulations also provide you with the opportunity to improve your information governance and adopt new technologies that can drive customer loyalty and long-term engagement.
In fact, by successfully addressing three of the main requirements of the GDPR (user consent; data governance and audit; and breach reporting and disclosure), you can strengthen your customer identity management and gain a valuable competitive edge.
But it’s important to note that a one-size-fits-all data privacy or security product will not fit the bill. You’re likely to require a more sophisticated identity solution that integrates with your business-critical apps and supports your entire IT infrastructure, including your cloud, mobile and legacy systems.
Jeremy King, International Director, PCI Security Standards Council (Reference: FinExtra)
The new EU legislation will be an absolute game-changer for both large organisations and SMEs as the regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.
1. Managing User Consent
The new GDPR regulations require you to get the user’s consent to capture, store and process any data that might be identifiable. They also allow the user to change their consent status in a fine-grained manner at any time and with ease. User ID elements include their name, email address, and phone numbers.
One of the major data privacy issues the GDPR will penalise you for is unintentionally building a more complete picture of the user than you need.
This might happen if, for example, you store a cookie in a user’s browser (for which you need their consent) and then link their mobile and web browsing data together in the cookie. This can unintentionally create a personally identifiable information (PII) string of data about the user, even if you don’t actually know who they are.
In addition, many of today’s powerful marketing and analytics platforms aim to understand who the user is across multiple touch points, but this can also cause GDPR compliance issues unless handled correctly.
This situation can get more painful in retail, where, for example, the retailer might capture user data in a physical environment with loyalty schemes, and combine it with data from their online e-commerce platform – without adequate user consent.
Three Tactics for Dealing with User Consent Data
With the GDPR, you are obliged to help people understand and manage the consent they give you to use their data.
This includes storing their data as part of an Amazon Web Services or Microsoft Azure cloud service. You also need consent if, for example, you are using a Software-as-a-Service (SaaS) analytics platform in the US to process their data there.
However, when it comes to consent, you could create user incentives to allow you to capture, store and process their PII data. You also have an opportunity to build in sophisticated consent management via User ID or My Account dashboards.
b) Pseudonymization
The new European data protection law introduces the concept of “pseudonymization” where personal data is separated from anything that might identify it – with that information held elsewhere.
This lowers the risk for data processors of falling foul of GDPR regulations, whilst still making the information useful to marketers.
It also gives you a great opportunity to mine demographics, activity, behaviour and purchases across your systems; removing the user’s PII data, but tagging the data with a pseudonymization ID so it can be channelled into an analytics system.
c) ID Management
If you don’t already have it, preparing for the GDPR is also a good time to implement effective ID management across all customer touch points, including web, mobile and physical point of sale/loyalty card interactions.
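The pseudonymization split described under tactic b) above, as an added example that is not part of the original article: identifying fields go to a separately held vault, and analytics rows keep only a pseudonymization ID. Deriving the ID with HMAC-SHA256 under a secret held with the vault, the field names, and the sample events are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the fields treated as identifying (the article names name,
# email address and phone numbers as user ID elements).
PII_FIELDS = {"name", "email", "phone"}

# Constructed sample data: one user seen on web and mobile, one on loyalty.
SAMPLE_SECRET = b"constructed-demo-key-held-with-the-vault"
SAMPLE_EVENTS = [
    {"email": "ana@example.com", "name": "Ana", "channel": "web", "basket": 42.0},
    {"email": "Ana@Example.com ", "phone": "+44 0000 000000",
     "channel": "mobile", "basket": 13.5},
    {"email": "raj@example.com", "name": "Raj", "channel": "loyalty", "basket": 7.25},
]


def pseudonym_id(user_key, secret):
    """Keyed, deterministic pseudonym: stable per user, but it cannot be
    recomputed from an email address by anyone who lacks the secret."""
    normalised = user_key.strip().lower().encode()
    return hmac.new(secret, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, secret, key_field="email"):
    """Split records into (vault, analytics_rows).

    vault: pseudonym -> PII, stored apart under tighter access control.
    analytics_rows: non-identifying attributes tagged with the pseudonym.
    """
    vault, analytics_rows = {}, []
    for rec in records:
        pid = pseudonym_id(rec[key_field], secret)
        pii = {k: v for k, v in rec.items() if k in PII_FIELDS}
        vault.setdefault(pid, {}).update(pii)
        row = {k: v for k, v in rec.items() if k not in PII_FIELDS}
        row["pid"] = pid
        analytics_rows.append(row)
    return vault, analytics_rows


if __name__ == "__main__":
    vault, rows = pseudonymize(SAMPLE_EVENTS, SAMPLE_SECRET)
    for row in rows:
        print(row)  # only channel, basket and pid reach the analytics side
```

Only `analytics_rows` would be sent to the analytics system; the vault and the secret stay with the identity store.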
2. Data Governance and Audit
With the right consent, pseudonymization, and ID management technologies and processes in place, the next step is to ensure you can demonstrate good data governance and policy adherence for an internal audit, customer request, or an external audit following a breach.
You particularly need to show that you are only using the customer’s data in line with their given consents. For this, it is essential that you can record what you do with your customer data and where you use it.
Alex Laurie, Commercial Director at identity data management specialist Amido, explains: imagine you have a set of user data and want to run a segmentation process on it. You might move it to a data store for machine learning, for example the Azure Cognitive Services platform, run your segmentation, then apply back the segments to your user data.
Alex Laurie, Commercial Director, Amido
There are many steps in that process and you would have to record each step as an activity for each user’s data. This is because, within this regulation, the user is entitled to ask how you got to that point, or simply ask what you have done with their data. You would then have to produce a record of activity and that activity would need to be in line with the consent they have given you.
Consequently, your consent store becomes a source of permissions for your organisation to check whenever you intend to process user data. You can then implement a meta-data approach to record the audit-trail of steps. “This is common practice in banking or government, with products available with which we help clients integrate,” says Laurie.
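The consent-store check and per-user activity record described above, as an added example that is not part of the original article or any Amido product: each step of the segmentation process is allowed only if consent for its purpose is on record, and every attempt is logged as metadata. The class, step, purpose and system names are hypothetical.

```python
from datetime import datetime, timezone


class ConsentDenied(Exception):
    pass


class ConsentStore:
    """Per-user, per-purpose consent that the user can change at any time."""

    def __init__(self):
        self._grants = {}    # (user_id, purpose) -> bool
        self.audit_log = []  # append-only metadata about each activity

    def _record(self, user_id, step, purpose, allowed, system=None):
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "step": step, "purpose": purpose,
            "system": system, "allowed": allowed,
        })

    def set_consent(self, user_id, purpose, granted):
        self._grants[(user_id, purpose)] = granted
        self._record(user_id, "consent_change", purpose, granted)

    def process(self, user_id, step, purpose, system, action):
        """Run one processing step only if consent for its purpose is on
        record (default: no consent); log the attempt either way."""
        allowed = self._grants.get((user_id, purpose), False)
        self._record(user_id, step, purpose, allowed, system)
        if not allowed:
            raise ConsentDenied(f"{user_id}: no consent for {purpose}")
        return action()

    def activity_report(self, user_id):
        """The record produced when a user asks what was done with their data."""
        return [e for e in self.audit_log if e["user"] == user_id]


def run_segmentation(store, user_ids):
    """The three steps of the segmentation example, each gated and logged."""
    steps = [("copy_to_ml_store", "ml-store"), ("segment", "ml-store"),
             ("apply_segment", "crm")]
    segmented = []
    for uid in user_ids:
        try:
            for step, system in steps:
                store.process(uid, step, "analytics", system, lambda: None)
            segmented.append(uid)
        except ConsentDenied:
            continue  # the denied attempt is already in the audit log
    return segmented
```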
3. Reporting and Disclosure after a Data Breach
One of the most critical requirements of the new EU directive is the need for you to disclose details of customer data that may have been compromised following a data breach. This must be done by your dedicated Data Protection Officer within 72 hours.
“This is possibly the hardest bit to get right,” notes Amido’s Alex Laurie. The problem is that, when breached, most organisations do not actually know what was breached, where it was and what data was accessed.
He goes on to explain that, in the first instance, you need to know where your data is, in what state, and in which system it resides. “This is so that if a breach occurs, you can accurately report which systems – and therefore which data points – might have been exposed,” says Laurie.
It’s important to get your system design approach correct here. Important elements include ID management, data abstraction and anonymization, and encryption of data at rest and in transit.
Rather than approaching GDPR apprehensively, it’s important to recognise the ways in which you can strengthen your data management, customer services and competitive edge through next-generation privacy and consent services. With the right approach and technologies in place, you can capitalise on customer data and trends, whilst also becoming GDPR compliant.