While a lot has been written about the original 99 articles in the EU General Data Protection Regulation (GDPR), perhaps we have seen less focus on the additional articles that have been added since the first approval on 14th April 2016, but that will also apply from 25th May 2018.
The original articles mainly emphasize the rights of the data subject. But later additions also take care of the rights of data controllers. Not least article 101, about the right to indulgence for data controllers (and data processors), falls into that category.
A representative of the EU, Don Par, explains it this way: “You can escape the heavy fines if you are about to be caught by confessing your sins and paying a more modest purification fee, which eventually, by subscribing to an annual scheme, may allow you to continue business as usual”.
The consultancy industry has also kept a low profile on article 101. Max Hagnaður of The GDPR Advisory Institute puts it this way: “First we wanted to make money on advising on how to comply with GDPR. When it shows up that only very few companies will do so, we will redirect our hailstorms of power-point decks to article 101 and how to apply for indulgence”.
Indeed, the costs of indulgence may very well be less than the costs of compliance (not to mention fines, because you will fail anyway).
The answer to the question about who is behind with EU General Data Protection Regulation (GDPR) readiness is in short:
A lot of companies
A lot of governments
When following the vibe around getting prepared for GDPR, and from my own involvement at clients, there is no doubt that time is short and that not every company (well, probably only a few companies) within the European Union will be 100 % ready on 25th May 2018. This also applies to those outside the EU who are targeting EU citizens or processing personal data from the EU.
However, most EU governments are not any better. According to a recent communication from the EU, only two Member States (Germany and Austria) have adopted the necessary national legislation. And from my own experience I can tell that the late arrival of national legislation does not help in getting the details ready for 25th May.
Some areas where national legislation is important were discussed in the post Where GDPR Still Becomes National. In my eyes, the remaining governments do not set an example for companies who are struggling with this (otherwise justified) extra work.
Some of the hot topics on the agenda today are the EU General Data Protection Regulation (GDPR) and the data lake concept. These are also hot topics for me, as GDPR is high on the agenda in doing MDM (and currently TDM – Test Data Management) consultancy, and the data lake approach is the basic concept in my Product Data Lake venture.
In my eyes the data lake concept can be used for a lot of business challenges. One of them was highlighted in a CIO article called Informatica brings AI to GDPR compliance, data governance. In it, Informatica CEO Anil Chakravarthy tells how a new tool, Informatica’s Compliance Data Lake, can help organisations get a grasp on where the data elements relevant to GDPR compliance reside in the IT landscape. This is a task very close to me in a current engagement.
Not least on the European scene, with the upcoming General Data Protection Regulation (GDPR), there are limits to how far you can go in profiling your (prospective) customers. And I am sure those people will value more that you tell them the complete story about your products, rather than guessing what products (from your range) they might need.
As consumers, we want the facts about the products to make a self-service purchase. We want to be able to search for and navigate precisely to a product suitable for a specific use. We want the facts in a way that lets us compare, perhaps using a comparison service, between different brands and lines. We want to know what accessories go with what product. We want to know what spare parts go with what product.
By the way: Business buyers want all that too. And a person being a business buyer is a person (data subject) in the eyes of GDPR too.
To provide complete and consistent product data you as a (re)seller need to maintain high quality product data, and if your product portfolio is just above very, very simple, you need a Product Information Management (PIM) solution and, if you have trading partners, you need a PIM-2-PIM solution to exchange product information with your trading partners.
Within the upcoming EU General Data Protection Regulation (GDPR) the term data subject is used for the persons whose privacy we must protect.
These are the persons we handle as entities within party Master Data Management (MDM).
In the figure below the blue area covers the entity types and roles that are data subjects in the eyes of GDPR.
While GDPR is of very high importance in business-to-consumer (B2C) and government-to-citizen (G2C) activities, GDPR is also of importance for business-to-business (B2B) and government-to-business (G2B) activities.
GDPR does not cover unborn persons, which may be of interest in a few industries, for example healthcare. When it comes to minors, there are special considerations within GDPR to be aware of. GDPR does not apply to deceased persons. In some industries like financial services and utilities, the handling of the estate after the death of a person is essential, and knowing about that sad event is of importance in general, as touched upon in the post External Events, MDM and Data Stewardship.
One tough master data challenge in the light of GDPR will be to know the status of your registered party master data entities. This also means knowing when it is a private individual, a contact at an organization, or an organization (or a department thereof) as such. From my data matching days, I know that heaps of databases do not hold that clarity, as reported in the post So, how about SOHO homes.
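The scope rules stated above (living natural persons are data subjects, contacts at organizations included; organizations and departments as such are not; unborn and deceased persons are not; minors need special handling) can be turned into a stewardship check over party master data. The code below is an added example written for this page, not code from the original post or from any MDM product; the entity type codes, field names, age of majority and sample records are constructed assumptions. Records with an unclear entity type, the problem the post describes, are treated as data subjects and flagged for review rather than silently classified.

```python
"""Added example: classify party master data records by GDPR scope.
Entity type codes, field names and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PartyRecord:
    party_id: str
    # "PERSON", "ORG_CONTACT", "ORGANIZATION", "DEPARTMENT", or None/other when unclear
    party_type: Optional[str]
    name: str
    birth_date: Optional[date] = None
    death_date: Optional[date] = None


@dataclass
class ScopeDecision:
    party_id: str
    in_scope: bool
    reason: str
    needs_review: bool = False  # a data steward must settle the entity type
    minor: bool = False         # in scope, but with special considerations


IN_SCOPE_TYPES = {"PERSON", "ORG_CONTACT"}          # natural persons, B2C and B2B
OUT_OF_SCOPE_TYPES = {"ORGANIZATION", "DEPARTMENT"}  # legal entities as such
ADULT_AGE = 18  # assumption: the age of majority differs between member states


def age_on(birth: date, today: date) -> int:
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def assess(record: PartyRecord, today: date) -> ScopeDecision:
    t = record.party_type
    if t not in IN_SCOPE_TYPES | OUT_OF_SCOPE_TYPES:
        # The SOHO problem: could be a person, a contact or a business. Do not guess;
        # protect the record as if it were a data subject until a steward decides.
        return ScopeDecision(record.party_id, True,
                             "unclear entity type; treated as data subject pending review",
                             needs_review=True)
    if t in OUT_OF_SCOPE_TYPES:
        return ScopeDecision(record.party_id, False, f"{t.lower()} as such is not a natural person")
    if record.death_date is not None and record.death_date <= today:
        return ScopeDecision(record.party_id, False,
                             "deceased person; GDPR does not apply, estate handling may")
    if record.birth_date is not None and record.birth_date > today:
        return ScopeDecision(record.party_id, False, "unborn person")
    minor = record.birth_date is not None and age_on(record.birth_date, today) < ADULT_AGE
    return ScopeDecision(record.party_id, True, "living natural person", minor=minor)


def sample_decisions() -> dict:
    """Run the classifier over constructed sample records as of 25th May 2018."""
    today = date(2018, 5, 25)
    records = [
        PartyRecord("P1", "PERSON", "Adult consumer", birth_date=date(1980, 1, 1)),
        PartyRecord("P2", "ORG_CONTACT", "Young intern at a supplier", birth_date=date(2005, 6, 1)),
        PartyRecord("P3", "ORGANIZATION", "Example Ltd"),
        PartyRecord("P4", "PERSON", "Former customer", birth_date=date(1950, 1, 1),
                    death_date=date(2017, 1, 1)),
        PartyRecord("P5", None, "J. Smith Plumbing"),  # person or business? unclear
    ]
    return {r.party_id: assess(r, today) for r in records}


if __name__ == "__main__":
    for pid, d in sample_decisions().items():
        print(pid, d.in_scope, d.reason, "REVIEW" if d.needs_review else "", "MINOR" if d.minor else "")
```

The conservative default for unknown types is deliberate: misclassifying a private individual as a business removes privacy protection, while the reverse only costs a steward's time.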
Being ready for the EU GDPR (European Union – General Data Protection Regulation) is – or should be – a topic on the agenda for European businesses and international businesses operating with a European reach.
The finish date is fixed: 25th May 2018. What GDPR is about is well covered (perhaps too overwhelmingly) on the internet. But how do you get there?
Below is my template for a roadmap:
The roadmap has, as all programmes should, an as-is phase, here concretely a Privacy Impact Assessment covering what should have been done if the regulation were already in force. Then comes the phase stating the needed to-be state, with the action plan that fills the gaps while absorbing business benefits as well. And then the implementation of the prioritized tasks.
GDPR is not only about IT systems, but to be honest, for most companies it will mostly be. Your IT landscape determines which applications will be involved. Most companies will have sales and marketing applications holding personal data. Human Resource Management is a given too. Depending on your business model there will be others. Remember, this is about all kinds of personal data – that includes for example supplier contact data that identifies a person too.
The skills needed span legal, (Master) Data Management and IT security. You may have these skills internally, or you may need interim resources of the above-mentioned kind in order to meet the fixed finish date and be sure things are done right.
By the way: My well skilled associates and I are ready to help. Get in contact:
The upcoming application of the EU General Data Protection Regulation (GDPR) is an attempt to harmonize the data protection and privacy regulations across member states in the European Union.
However, there is room for deviance in ongoing national law enforcement. Probably article 87, concerning processing of the national identification number, and article 88, dealing with processing in the context of employment, are where we will see national peculiarities.
National identification numbers are today used in different ways across the member states. In the Nordics, the use of an all-purpose identification number that covers identification of citizens from cradle to grave in public (tax, health, social security, election and even transit) as well as private (financial, employment, telco …) registrations has been practised for many years, whereas more or less unlinked single-purpose (tax, social security, health, election …) identification numbers are the norm in most other places.
How you treat the workforce and the derived ways of registering them is also a field of major differences within the Union, and we should therefore expect to be observant of national specialties when it comes to mastering the human resource part of the data domains affected by GDPR.
Do you see other fields where GDPR will become national within the Union?
In legal lingo data portability means: “Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.”
In other words, if you are processing personal data provided by a (prospective) customer or other kind of end user of your products and services, you must be able to hand these data over to your competitor.
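The quoted definition is narrower than "hand over everything you hold": it covers data the subject provided, processed on the basis of consent or a contract, delivered in a commonly used electronic format. The code below is an added example written for this page, not code from the original post, showing how a party master data record can be split into subject-provided data (exported) and controller-derived data such as match keys, scores and steward notes (withheld), with the legal basis checked first. Field names, the "source" provenance tag and the sample record are constructed assumptions.

```python
"""Added example: build a data portability export from a party master data record.
Field names, provenance tags and the sample record are constructed assumptions."""
import json
from datetime import datetime, timezone

# Per the quoted definition, portability applies when processing rests on consent or contract.
PORTABLE_BASES = {"consent", "contract"}


class NotPortable(Exception):
    """Raised when the processing basis does not give a right to portability."""


# Constructed sample: every attribute records who supplied it.
# "subject" = provided by the data subject; "controller" = created by us.
SAMPLE_RECORD = {
    "party_id": "P-1001",
    "legal_basis": "contract",
    "attributes": {
        "name": {"value": "Anna Example", "source": "subject"},
        "email": {"value": "anna@example.test", "source": "subject"},
        "address": {"value": "Example Street 1, Copenhagen", "source": "subject"},
        "match_key": {"value": "ANNAEXMPL1", "source": "controller"},
        "churn_score": {"value": 0.42, "source": "controller"},
        "steward_note": {"value": "possible duplicate of P-0999", "source": "controller"},
    },
    "consents": [
        {"purpose": "newsletter", "given": "2017-11-02", "source": "subject"},
    ],
}


def is_portable(record: dict) -> bool:
    return record.get("legal_basis") in PORTABLE_BASES


def withheld_fields(record: dict) -> list:
    """Attributes that stay with the controller: not provided by the subject."""
    return sorted(k for k, v in record["attributes"].items() if v["source"] != "subject")


def build_portability_export(record: dict, now: datetime = None) -> dict:
    if not is_portable(record):
        raise NotPortable(f"basis '{record.get('legal_basis')}' is not consent or contract")
    provided = {k: v["value"] for k, v in record["attributes"].items() if v["source"] == "subject"}
    consents = [{k: v for k, v in c.items() if k != "source"}
                for c in record.get("consents", []) if c.get("source") == "subject"]
    now = now or datetime.now(timezone.utc)
    return {
        "format": "application/json",   # a commonly used electronic format
        "exported_at": now.isoformat(),
        "data_subject": record["party_id"],
        "legal_basis": record["legal_basis"],
        "provided_data": provided,
        "consents": consents,
    }


def export_json(record: dict, now: datetime = None) -> str:
    """Serialize the export; this is what would be handed to the subject or the receiving controller."""
    return json.dumps(build_portability_export(record, now), indent=2, ensure_ascii=False)


if __name__ == "__main__":
    print(export_json(SAMPLE_RECORD))
    print("withheld:", withheld_fields(SAMPLE_RECORD))
```

Tagging provenance at attribute level is the design choice that makes this work: without it, a portability request can only be answered by exporting everything, including internal match keys and notes that may reference other data subjects.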
I am sure this is a new way of handling party master data to almost every business. However, sharing master data with your competitor is not new when it comes to product master data, as examined in the post Toilet Seats and Data Quality.
As Ditte writes, the core implication of GDPR is: “Up until now, businesses have traditionally ‘owned’ the personal data of their customers, employees and other individuals. But from May 25th, 2018 individuals will be given several new personal data rights, putting the ownership right back in to the hands of each individual”.
I agree with Ditte that the GDPR coming into force can be seen as an opportunity for businesses instead of a burden. Adhering to GDPR will urge you to:
Have a clear picture about where you store personal data. This is not bad for business either.
Express a commonly understood idea about why you store personal data. Also very good for business.
Know who can access and update personal data. A basic need for risk handling in your business.
Document what kind of personal data you handle. Equally makes sense for doing your business.
Think through how you obtain consent to handle personal data. Makes your business look smart as well.
In fact, after applying these good habits to personal data you should continue with other kinds of party master data and all other kinds of master data. The days of keeping your own little secret versions, even partly to yourself, of what seems to be the truth are over. Start working in the open, as exemplified in the concept of Master Data Share.