GDPR: The role of technology in data compliance
With the European Union General Data Protection Regulation (EU GDPR) due to come into full effect on 25 May 2018, compliance is now the pressing task for businesses worldwide. Over 90% of US businesses see this as their top data security priority over the next year, and technology will be the defining factor in their attempts to abide by the new rules.
The GDPR has been looming ever larger on brands’ to-do lists since its initial adoption in 2016. We are in the midst of a two-year implementation phase, with a very strict deadline approaching in May 2018.
Designed as a radical overhaul of the 1995 Data Protection Directive, the GDPR is an attempt to put individuals back in control of their personal information. The emphasis is very heavily placed on both data processors and data controllers to unify the data they hold on EU citizens, which makes for a challenging task when so much of our technology has not been built with data security at its core.
Put simply, given the complexity of the modern-day data ecosystem, compliance will be no small feat for many global businesses.
It is, however, non-negotiable and fines of 4% of annual global revenues or $23 million (whichever is greater) will be issued to those who transgress. Perhaps more damaging will be the impact on brand reputation for companies that do not toe the line, at a time when privacy and consumer trust are paramount.
This is a pressing topic for all businesses that operate (or one day aspire to operate) within EU markets – including the UK, which will still fall under the GDPR’s umbrella post-Brexit. Any organization that holds personal data on an EU citizen will need to abide by the new rules.
Understandably, many US companies are also treating this as a matter of the utmost import.
In fact, according to a recent PwC survey, 92% of US-based multinationals see the GDPR as their top data security priority over the next 12 months. 77% of those surveyed plan to spend over $1 million on GDPR compliance efforts, with just under 10% preparing to spend $10 million or more.
It would be impossible to separate the GDPR from technology. The two are entwined at every stage of the process, from data procurement to data security, through to the EU’s attempts to shine a light on any breaches of the rules.
Technology led us to this point and it will be at the core of what comes next. This is not a new preoccupation for the European Union, however. Although it is viewed in some quarters as the EU’s overbearing response to the rapacious data gathering of many global businesses, discussions about the relationship between technology and individual rights date back to the 1960s in Europe.
The GDPR is simply the modern-day manifestation of these concerns.
The regulations are written in typically plain prose and make clear the standards that must be met, but there is still some consternation about how companies will be judged and how the rules will be implemented.
We should, therefore, view technology either as an enabler of transparency and compliance, when used effectively, or as a costly hindrance to progress, when used without care.
With so many international businesses spending significant sums to get their house in order, a new technology market has started to develop. Software providers are launching new products to help international businesses with compliance efforts, and also to validate their progress.
A pressing concern for many organizations is that they simply don’t know what data they possess on individuals or where all of it resides.
Strikingly, only 33% of organizations feel confident that they could promptly identify all of the data they hold on each individual.
Some have used the term Personally Identifiable Information (PII) as a proxy to understand what is covered by the GDPR, but this does not tell the full story.
PII typically relates to information such as date of birth or social security number; however, the GDPR also encompasses the behavioral data captured by third-party cookies, such as which sites a person visits.
No matter how many different database technologies a company uses, it will have to bring these together into a seamless inventory if it is to audit the data it is accountable for.
It is essential to understand the separate roles of data controllers and data processors if we are to get to the heart of this question.
A data controller would typically be a brand that sells products or services to EU citizens, while a data processor would be a third party that stores or uses the data to aid the controller.
Technology will play a key role in gaining the single view on every customer that companies will need.
Some new solutions have come to market within this category.
For example, CA Technologies offers a Test Data Manager product that can help organizations link their data assets together and categorize them against individuals. This is a difficult and undeniably tedious task, but it is one that should reap rewards in the future. Organizations will need to demonstrate where they hold data on each EU citizen and the types of data they have, so that each individual may request the export or deletion of this information from their records.
The data must also be structured so that an individual could request the information and have it sent to them in a clear and comprehensible manner.
For example, “Data requester Jane Roe is associated with the address 123 Bellevue Street, Baltimore; our profiling technology categorizes her as demographic ABC1; she works in finance and is married.”
This requires sophisticated data management that can identify, wrangle, and monitor the relevant information for each individual.
Brands should audit their list of data processors to gain insight into their level of GDPR compliance, too. These technology providers will be the subject of very close scrutiny, and chief among them will be some US-based ad tech providers.
Companies will need to gain explicit consent from their site visitors in order to capture their data. This means individuals will need to be presented with a list of the types of data the site would like to collect, and they must actively select the options they want to opt into. The annoying pop-ups that ask consumers for a single click in exchange for a litany of sensitive information sources will soon be a thing of the past.
This of course stimulates the need for new technologies to help brands comply with the strict requirements of the GDPR. Janrain has launched a Consent Lifecycle Management tool to achieve exactly this.
It allows brands to create consent forms that very clearly ask consumers to opt in to a range of pre-defined fields:
The tool then stores this data and makes it easy for consumers to control the level of insight they want to provide to the company:
Although this could be cumbersome for users if they wish to make changes on a range of individual sites, we should expect future technologies to streamline this process. For now, this at least provides some peace of mind to organizations that want to make sure they are asking the right questions and gaining consumer consent in a compliant fashion. US-based company Evidon has launched a similar solution to simplify the consent process for brands and consumers.
It is also worth noting that the GDPR affects third-party cookies, which are often collected without the clear, explicit consent of the consumer. This will potentially create some real challenges for the affected sites, as they will need to first understand their vast data pools, then gain consent for the behavioral data they depend on.
According to recent research carried out for the European Commission, the EU’s monetized data market was worth €59.5bn in 2016. New solutions will need to be found to a new problem if this industry is to thrive from 2018 onward. Otherwise, this could also affect the advertising strategies of a host of brands worldwide, with Google, Facebook, and Amazon the likeliest beneficiaries.
The GDPR makes clear that brands must ensure that, in the event of a data breach, no usable consumer data can be obtained. That means the brand must have a single view on every consumer’s data, and it must have secured the data completely to ensure it cannot be stolen and used elsewhere.
The graph below illustrates the rising number of data breaches in the US over the last decade, so it is safe to surmise that this will impact a large number of US-based multinationals:
Of course, this can seem like a Herculean set of tasks – especially for larger companies. The GDPR specifically references the role of the Data Protection Officer (DPO), which is a very specific position within a company to cater to the needs of this new era.
Even where a company has appointed a DPO, it will still require the aid of technology to encrypt customer data and monitor its progress against the GDPR. SAS has responded to this need by launching a new GDPR-specific dashboard (screenshot below) that displays all the stipulated areas of compliance, along with the company’s progress against the relevant metrics. This highlights areas of high or low performance across databases and will be a very welcome solution for organizations that are struggling to grasp the size of the challenge the new laws will bring.
Many companies have moved to set up automated breach alerts, which will bring any potential issues to their attention immediately. Given the difficulty of keeping track of such a wide, constantly moving set of data points, we should expect to see more technology providers move into this space in the coming months.
At every juncture, we should consider that most modern technology was not designed with data privacy concerns at its core. Most technologies have prioritized data capture over data security in the race for competitive advantage. The GDPR opens up new avenues to gain this advantage, however.
By viewing the regulations as a platform to build trust with consumers and increase the level of transparency we have over our data, there is an opportunity for forward-thinking businesses to usher in a new age of data-driven marketing that benefits consumers.
This begins by using technology to assess the following four areas: