Data privacy & protection as a service?

, , , , ,

In our last article we provided an overview of the upcoming strict EU directive on data privacy & data protection and how companies will be affected.

Companies dealing with EU citizen data will need to deal with different types of requests, both from EU citizens as well as from local authorities.

In certain industries, in case of a data breach or when a company is under suspicion by the public or authorities, these requests can mount to very large numbers and often they’re not easy to respond to and very time-consuming.

Seen the potential width and scale of these requests it’s worth wile to already now consider a service offering as part of the path to compliance.

The ability to ensure privacy & protection of person data is becoming

a crucial differentiator for companies and their customers.

The following describes some of the requests a company might get as part of the new EU directive on data privacy & data protection and how a service approach can provide a sustainable solution**:

Who has to deal with these requests?

  • Any company handling EU citizen data of over 5000 unique EU natural persons (per year), any public authority from within the EU, any company that’s monitoring EU natural person data as it’s core business or any company that’s processing sensitive personal data (children’s data, location, health records,…).
  • – In most large companies the Data Protection Officer (DPO) will/should be in charge, and most of the time his/her office will be the ultimate responsible for the request handling.

 

What type of requests can companies get?

  • Different formats:
    • Paper requests
    • Electronic requests – these must be answered in an electronic form and format, comprehensible for the requester.
  • Requests of a natural person…:*
    • to obtain a copy of all his/her personal data and/or all data that allows the company to identify him/her as a person.
    • for rectification of bad quality personal data (e.g. a duplicates, wrong spelling, wrong address, … ) or of personal data in doubt. Bad quality data or data in doubt can prevent a company from using that personal data until proven otherwise.
    • for the deletion (hard) of personal data.
    • to get insights into the usage of his personal data (e.g.: in marketing campaigns, for profiling activities, …).
    • to provide information about a data breach involving his/her data.
    • to upload his/her personal information obtained from another company (e.g.: call behaviour or transaction history when converting from one telco or bank to another).
    • …
  • Requests from local authorities:
    • about number of requests from natural persons and the ability to handle them within 1 (max 2) months,
    • requesting cause, impact, communication & remediation of a data breach.
    • …
  • … upon a data breach, an entirely separated (service) process should be initiated. This can be compared to a typical incident process with high priority incident handling requiring max attention & emergency procedures.

 

What do you mean “It’s about more than stored data”?

  • Besides the actual data, a company will also need to track & be able to provide proof of the use of personal data (use of archived data, use of data for (advanced) analytics & data mining, rectifications of bad quality data…).
  • Furthermore, it’s not just about structured personal data, but also about unstructured personal data (documents, pictures, video’s, e-mails…).

 

How to avoid assigning a massive workforce to data privacy & protection?

  • Especially for large companies the advice is to start now (or at least beginning of 2015) with an analysis and a data governance exercise on what personal data means for your company & it’s use, ownership, policies etc.
  • You don’t want to go out and fetch all personal data captured in internal (and sometimes external) systems upon each request. A master, which automatically collects all personal data (where all sources are federated) can be a single point of truth upon request, allowing for easy and up-to-date request handling.
  • This (MDM) master should not only collect the “personal data”, but also track it’s source(s), consumers, rectification logs,… & should also allow for monitoring & delete-initiation.
  • Your front end should be more than a call center or mailbox, it should preferably contain a service layer with predefined service request templates and automated request handling:

More details about the use of MDM, a front-end service layer, data governance & other information mgt. capabilities facilitating compliance will be provided in the December SAI session in Belgium.

 

Data protection and privacy as a service?

  • Ultimately, a lot of companies will face a tipping point where manual request handling is to be replaced with service enablement of requests.
  • Companies with a transparant & lean solution landscape, business processes driven way of working and a high maturity in information management have an easier task in the discovery of the ‘personal data’ information lifecycle and therefore their tipping point is higher.
  • Although a high tipping point will give companies an advantage in terms of speed of compliance, we still see a great deal of companies that will need to apply or gear up a number of fundamental information mgt. capabilities (Data Governance, Master Data Management, Data Quality, Data Security,…) to obtain sustainable compliance and avoid high operational costs & fines (100 MIO euro or up to 5% of global turnover).

Tipping point data privacy requests

More details about the use of MDM, a front-end service layer, data governance & other information mgt. capabilities facilitating compliance will be provided in the December SAI session in Belgium.

 

 

* exceptions to deletion and handling exist (e.g.: in healthcare).

** material is based upon the current draft guidelines, which are close to final approval (expected end 2014 or beginning of 2015).

 

Questions: contact Inpuls.eu @ info@inpuls.eu or +32 3 443 17 43

EU directive around data privacy and protection: impact on your company and timing.

,

Why this article?

The new EU data privacy and data protection directive might still seem like a distant compliance topic for the vast majority of companies. In this set of blog posts though, we ask ourselves if the ~2,5 year timeframe (estimated due date: end 2016) is indeed a long time for implementing and complying with this directive or if we should be vigilant in our approach and start looking into this already now? A recent call with a Gartner resource confirmed our hunch that mature companies (in information management) are putting this new directive high on their agenda already now.

What?

The directive concerns the processing, maintenance, storage, distribution and erasure of personal data by all enterprises that are involved with personal data of natural persons residing within the European Union. Personal data applies to any information relating to a data subject (natural person) both structured as well as unstructured data held in electronic & manual format. The directive also focusses on security and in particular on Personal data breaches. These Personal data breaches include accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

When?

The directive was already put up for vote at the EU parliament earlier this year and is expected to be signed by the member state ministers by the end of 2014 or beginning of 2015. It’s one of the top tech priorities for the current Italian EU Presidency as well as for the new EU commission president Mr. JC Juncker. Upon final approval, we estimate a default 2 year period to allow for companies & governmental bodies to prepare & comply.

Impact:

In this first article we will cover a high level overview the big impact area’s (MDM, Integration, BI, Organization, Communication,…) . Each main impact area will be detailed afterwards in a set of dedicated articles. (We will not necessarily cover all impact areas, nor will we refrain from specific details in the directive.  Furthermore we will not cover all potential exceptions as mentioned in the directive.) We will not necessarily cover all impact areas, nor will we refrain from specific details in the directive. Furthermore we will not cover all (potential) exceptions as mentioned in the directive. The goal is to provide a high level overview of the impact.

Org. impacts:

Besides the mandatory assignment of one or more Data Protection Officers, it’s clear that these people (in most cases) will not work alone. Coping with handling requests, internal audits, support in projects etc. will require a full team. The DPO and their staff will closely collaborate (from the start) with several other (Corporate) functions like: Legal office, Security office, Project office, (Enterprise and Solution architecture), Solution portfolio office, data governance & analytics organization and the BPM office & organization. Furthermore, in case of a data breach an on-call (and ready to act) support team must be able to respond to the authorities within 24 hrs. and to data subjects without delay. Standards, policies and procedures should be setup to accommodate for this.

Requesting data, updates & erasure:

A request process is to be put in place, with efficient request handling. Requests can be about the creation, update or deletion of personal data. Handling large volumes of data and large amounts of requests indicates the potential need of a data services approach (e.g. ESB enabled) and (potentially) a request reply mechanism, especially if we know that automatically processed data must be provided to the data subject in an electronic form, easily accessible & readable by the natural person. The use of data services (e.g. ESB enabled) can also be a good approach to keep track of sources & consumers of data. Tracking relevant integrations of personal data can facilitate the required proof with regards to the correct deletion & removal of data for both internally consumed data as well as data that was shared with 3th parties (right to erasure).

Data, documents and communications about natural person’s data:

The master data and documents, related to natural persons privacy & protection (e.g. proof of consent, age, language, consumers of the personal data, data categories,..) will be extended which means that a wide variety of new attributes & documents must be stored in a master and an enterprise content management solution (ECM). Besides a set of extra attributes and documents, certain data like race, ethnics, health etc. can no longer be kept (besides some exceptions). When communicating about these documents, the directive distinguishes between children and adults – both in giving consent as well as in actual communication about personal data requests, updates or deletes. Furthermore, operational paper and electronic documents like contracts, invoices, sales orders, etc. containing personal data should also be traceable, which means that they have to be (scanned & ) moved into an ECM solution as well.

Data quality

The better the data quality & accuracy, the fewer requests an organization will receive for rectification & completion of personal data records. High data quality & accuracy therefore directly lowers effort & costs. Furthermore, a data subject which is in doubt of the accuracy of his personal data can content the use of his personal data which directly impacts the ability to process the data. High data quality & accuracy therefore directly impacts the processing of personal data.

Profiling

Not only can a natural person object against profiling activities with his/her personal data, the controller also has to keep logs about actual profiling & measurement activities. This affects not only the (relatively small) domain of profiling, but also the full scope of IM in the company. After all, MDM, BI & advanced analytics all depend on some sort of profiling or data mining from time to time.

MDM:

The MDM solutions can and should play a key role in the implementation and maintenance of this directive. After all, data quality can be obtained at the source, and the better the accuracy is at the source (and their consumers) the higher the chance of being compliant. MDM, ECM & other source solutions will be considered (together with Integration) as the watch-towers of personal data, increasing the role and importance of these systems.

Operational compliance:

A company should be able to demonstrate the effectiveness of the operation of controls and governance, which encompasses e.g.: DQ metrics, measures of training and staff knowledge/awareness (part of DG),… This means a set of controls must be setup & maintained & integrated with operational processes.

Exceptions:

Exceptions will be handled as well, where we look into exceptions for health-care & patient’s health risks, as well as investigations and use of personal data for criminal investigations etc.

Data storage, architecture and design:

The minimal storage of personal data, combined with a predetermined architectural design, imposing minimal usage of personal data is not to be taken light. Especially for companies with existing reference architecture, some adaptations might be required. Architectural impacts should be considered not only during the next 2,5 years, but should already be imposed to any new service, project or architectural design. In a subsequent post we will include a high level roadmap, showing that (especially for mid-sized & large companies), the journey around this new directive has to start now (with Master Data Governance).

11 December 2014, De nieuwe privacywetgeving van de Europese Commissie en de impact ervan op Uw organisatie, SAI Avondconferentie

, ,

Abstract

De Europese Commissie heeft haar plannen voor de nieuwe Europese privacyregels gepresenteerd. Bedrijven en organisaties die persoonsgegevens verwerken krijgen onder de nieuwe verordening een grotere verantwoordelijkheid. In deze sessie leggen wij de belangrijkste ‘deliverables’ en doelen van de wetgeving uit en gaan wij dieper in op de vraag hoe bedrijven en organisaties hierdoor beïnvloed zullen worden.Voorts bespreken wij een aanpak, gebaseerd op bestaande en nieuwe technologieën, die U op weg moeten helpen naar volledige ‘operational compliance’. En tot slot wordt een ‘roadmap’ uitgerold welke U moet toelaten om tijdig (2016) in regel te zijn met de nieuwe wetgeving.

Presenter

Christoph Balduck

Prijs

Avondconferenties zijn enkel toegankelijk voor SAI persoonlijke leden en SAI bedrijfsleden en worden voor hen gratis ingericht.

Locatie: Crowne Plaza Antwerpen, Antwerpen
Datum: 11-12-2014 (20:00 – 21:30)

Want to know more about the subject. Christoph wrote a blog

Registreren kan via de website van SAI