Are you ready for GDPR?

280 Days 12 Hours 16 Minutes 01 Seconds

We can help you be compliant when the counter goes to zero.

DAMA International issues 2015 annual call for DAMA Award nominations

— Most prestigious recognition for data management achievements

SEATTLE, WA – DAMA International today issued its annual call for nominations for its internationally recognized Awards for excellence in the field of Data Management.

“These awards recognize substantive contributions to the data management practice and community,” said Sue Geuens, President of DAMA International.
Over the years, DAMA International awards have recognized breakthrough data management thinking, specific educational contributions, and advances to the practice. Past winners include John Zachman, Karen Lopez, Anne Marie Smith, Robert Seiner, Peter Aiken, Dr. Gordon Everest, David Marco, Steve Hoberman and many others.

Nominations may be made by visiting the website: http://bit.ly/1FHavAs.

The deadline for submission is only seven weeks away on December 4, 2015. Act Now!

Inpuls Launches Video channel: the Pulse

We are constantly looking for new and effective ways to connect with you.
As we consider information to be the pulse of your organisation, we thought it would be a good idea to have a video channel that reminds people of that.

Hence the launch of Inpuls’ YouTube channel: the information pulse

 

We want to be a data driven company


You could have been on retreat on a mountain, cut-off from all communication for the last four years, but that would be about the only excuse I can think of for you not knowing the new mantra: “data is the next hot thing”.
Most likely, your management wants to get into “the BIG data” space and wants to hire a bunch of data scientists. Failing to do so would create such a BIG (capitalisation intended) competitive disadvantage we would all be out of a job pretty soon.
So what are you waiting for to wheel an elephant into the IT-room?

Is that really the first thing to do in order to quickly achieve a competitive advantage?
Any rom-com screenwriter may tell you that the pretty girl has always been under your nose, but you simply didn’t notice her until the end of the movie. In reality there is a huge untapped potential in many companies to get better insights and improve operational efficiency without bringing in exotic datasets or going into the uncharted waters of data lakes.

Being data driven is in the first place a mindset, and not a box of tools.

Obviously the new capabilities will allow you to push the envelope, but you would be surprised how much you can get out of your current envelope without having to push it too hard.

A simple approach would be to look at it from two angles:
what processes are not capturing transactional data, and
what transactional data is not being linked to a process?

In many cases there is far more available than what is being analysed. The bottles of water that are already available on your company’s table, but remaining unopened, could prove to be more valuable in the short term than having to run to a lake to quench your data thirst.

You only need to ask: “what data will bring me closer to reaching my targets?”
Having an eCommerce site, but not acting upon dropped baskets? Making a next best offer has a high probability to turn into a sale. For sure, a quick route to an increased net profit.

There are plenty of similar examples that will help you reach your objectives and they might be closer than you would think.
So who has been under your nose, but has remained unnoticed till now?

Want to get started and get tangible benefits tomorrow? Engage us for a quick scan.

Data privacy & protection as a service?


In our last article we provided an overview of the upcoming strict EU directive on data privacy & data protection and how companies will be affected.

Companies dealing with EU citizen data will need to deal with different types of requests, both from EU citizens as well as from local authorities.

In certain industries, in case of a data breach or when a company is under suspicion by the public or authorities, these requests can mount to very large numbers and often they’re not easy to respond to and very time-consuming.

Given the potential breadth and scale of these requests, it is worthwhile to consider a service offering now as part of the path to compliance.

The ability to ensure privacy & protection of personal data is becoming a crucial differentiator for companies and their customers.

The following describes some of the requests a company might get as part of the new EU directive on data privacy & data protection and how a service approach can provide a sustainable solution**:

Who has to deal with these requests?

  • Any company handling EU citizen data of over 5000 unique EU natural persons (per year), any public authority from within the EU, any company that’s monitoring EU natural person data as its core business or any company that’s processing sensitive personal data (children’s data, location, health records, …).
  • In most large companies the Data Protection Officer (DPO) will/should be in charge, and most of the time his/her office will be ultimately responsible for the request handling.

 

What type of requests can companies get?

  • Different formats:
    • Paper requests
    • Electronic requests – these must be answered in an electronic form and format, comprehensible for the requester.
  • Requests of a natural person…:*
    • to obtain a copy of all his/her personal data and/or all data that allows the company to identify him/her as a person.
    • for rectification of bad quality personal data (e.g. duplicates, wrong spelling, wrong address, …) or of personal data in doubt. Bad quality data or data in doubt can prevent a company from using that personal data until proven otherwise.
    • for the deletion (hard) of personal data.
    • to get insights into the usage of his personal data (e.g.: in marketing campaigns, for profiling activities, …).
    • to provide information about a data breach involving his/her data.
    • to upload his/her personal information obtained from another company (e.g.: call behaviour or transaction history when converting from one telco or bank to another).
    • …
  • Requests from local authorities:
    • about number of requests from natural persons and the ability to handle them within 1 (max 2) months,
    • requesting cause, impact, communication & remediation of a data breach.
    • …
  • … upon a data breach, an entirely separate (service) process should be initiated. This can be compared to a typical incident process with high priority incident handling requiring maximum attention & emergency procedures.

 

What do you mean “It’s about more than stored data”?

  • Besides the actual data, a company will also need to track & be able to provide proof of the use of personal data (use of archived data, use of data for (advanced) analytics & data mining, rectifications of bad quality data…).
  • Furthermore, it’s not just about structured personal data, but also about unstructured personal data (documents, pictures, videos, e-mails, …).

 

How to avoid assigning a massive workforce to data privacy & protection?

  • Especially for large companies the advice is to start now (or at least beginning of 2015) with an analysis and a data governance exercise on what personal data means for your company & its use, ownership, policies etc.
  • You don’t want to go out and fetch all personal data captured in internal (and sometimes external) systems upon each request. A master that automatically collects all personal data (where all sources are federated) can be a single point of truth upon request, allowing for easy and up-to-date request handling.
  • This (MDM) master should not only collect the “personal data”, but also track its source(s), consumers, rectification logs, … & should also allow for monitoring & delete-initiation.
  • Your front end should be more than a call center or mailbox, it should preferably contain a service layer with predefined service request templates and automated request handling:

More details about the use of MDM, a front-end service layer, data governance & other information mgt. capabilities facilitating compliance will be provided in the December SAI session in Belgium.

 

Data protection and privacy as a service?

  • Ultimately, a lot of companies will face a tipping point where manual request handling is to be replaced with service enablement of requests.
  • Companies with a transparent & lean solution landscape, a business-process-driven way of working and a high maturity in information management have an easier task in the discovery of the ‘personal data’ information lifecycle and therefore their tipping point is higher.
  • Although a high tipping point will give companies an advantage in terms of speed of compliance, we still see a great deal of companies that will need to apply or gear up a number of fundamental information mgt. capabilities (Data Governance, Master Data Management, Data Quality, Data Security,…) to obtain sustainable compliance and avoid high operational costs & fines (100 MIO euro or up to 5% of global turnover).

Tipping point data privacy requests


* exceptions to deletion and handling exist (e.g.: in healthcare).

** material is based upon the current draft guidelines, which are close to final approval (expected end 2014 or beginning of 2015).

 

Questions: contact Inpuls.eu @ info@inpuls.eu or +32 3 443 17 43

EU directive around data privacy and protection: impact on your company and timing.


Why this article?

The new EU data privacy and data protection directive might still seem like a distant compliance topic for the vast majority of companies. In this set of blog posts, though, we ask whether the ~2,5 year timeframe (estimated due date: end 2016) is indeed a long time for implementing and complying with this directive, or whether we should be vigilant in our approach and start looking into it now. A recent call with a Gartner resource confirmed our hunch that companies that are mature in information management are already putting this new directive high on their agenda.

What?

The directive concerns the processing, maintenance, storage, distribution and erasure of personal data by all enterprises that are involved with personal data of natural persons residing within the European Union. Personal data applies to any information relating to a data subject (natural person) both structured as well as unstructured data held in electronic & manual format. The directive also focusses on security and in particular on Personal data breaches. These Personal data breaches include accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

When?

The directive was already put up for vote at the EU parliament earlier this year and is expected to be signed by the member state ministers by the end of 2014 or beginning of 2015. It’s one of the top tech priorities for the current Italian EU Presidency as well as for the new EU commission president Mr. JC Juncker. Upon final approval, we estimate a default 2 year period to allow for companies & governmental bodies to prepare & comply.

Impact:

In this first article we give a high-level overview of the big impact areas (MDM, Integration, BI, Organization, Communication, …). Each main impact area will be detailed afterwards in a set of dedicated articles. We will not necessarily cover all impact areas, nor will we refrain from specific details in the directive. Furthermore, we will not cover all (potential) exceptions as mentioned in the directive. The goal is to provide a high-level overview of the impact.

Org. impacts:

Besides the mandatory assignment of one or more Data Protection Officers, it’s clear that these people (in most cases) will not work alone. Coping with handling requests, internal audits, support in projects etc. will require a full team. The DPO and their staff will closely collaborate (from the start) with several other (Corporate) functions like: Legal office, Security office, Project office, (Enterprise and Solution architecture), Solution portfolio office, data governance & analytics organization and the BPM office & organization. Furthermore, in case of a data breach an on-call (and ready to act) support team must be able to respond to the authorities within 24 hrs. and to data subjects without delay. Standards, policies and procedures should be set up to accommodate this.

Requesting data, updates & erasure:

A request process is to be put in place, with efficient request handling. Requests can be about the creation, update or deletion of personal data. Handling large volumes of data and large numbers of requests indicates the potential need for a data services approach (e.g. ESB enabled) and (potentially) a request-reply mechanism, especially since automatically processed data must be provided to the data subject in an electronic form, easily accessible & readable by the natural person. The use of data services (e.g. ESB enabled) can also be a good approach to keep track of sources & consumers of data. Tracking relevant integrations of personal data can facilitate the required proof with regard to the correct deletion & removal of data, both for internally consumed data and for data that was shared with third parties (right to erasure).

Data, documents and communications about natural person’s data:

The master data and documents related to natural persons’ privacy & protection (e.g. proof of consent, age, language, consumers of the personal data, data categories, …) will be extended, which means that a wide variety of new attributes & documents must be stored in a master and an enterprise content management solution (ECM). Besides a set of extra attributes and documents, certain data like race, ethnicity, health etc. can no longer be kept (besides some exceptions). When communicating about these documents, the directive distinguishes between children and adults, both in giving consent as well as in actual communication about personal data requests, updates or deletes. Furthermore, operational paper and electronic documents like contracts, invoices, sales orders, etc. containing personal data should also be traceable, which means that they have to be (scanned &) moved into an ECM solution as well.

Data quality

The better the data quality & accuracy, the fewer requests an organization will receive for rectification & completion of personal data records. High data quality & accuracy therefore directly lowers effort & costs. Furthermore, a data subject who is in doubt about the accuracy of his personal data can contest the use of his personal data, which directly impacts the ability to process the data. High data quality & accuracy therefore directly impacts the processing of personal data.

Profiling

Not only can a natural person object to profiling activities with his/her personal data, the controller also has to keep logs about actual profiling & measurement activities. This affects not only the (relatively small) domain of profiling, but also the full scope of IM in the company. After all, MDM, BI & advanced analytics all depend on some sort of profiling or data mining from time to time.

MDM:

The MDM solutions can and should play a key role in the implementation and maintenance of this directive. After all, data quality can be obtained at the source, and the better the accuracy is at the source (and their consumers) the higher the chance of being compliant. MDM, ECM & other source solutions will be considered (together with Integration) as the watch-towers of personal data, increasing the role and importance of these systems.

Operational compliance:

A company should be able to demonstrate the effectiveness of the operation of controls and governance, which encompasses e.g.: DQ metrics, measures of training and staff knowledge/awareness (part of DG), … This means a set of controls must be set up, maintained & integrated with operational processes.

Exceptions:

Exceptions will be handled as well, where we look into exceptions for health-care & patient’s health risks, as well as investigations and use of personal data for criminal investigations etc.

Data storage, architecture and design:

The minimal storage of personal data, combined with a predetermined architectural design imposing minimal usage of personal data, is not to be taken lightly. Especially for companies with an existing reference architecture, some adaptations might be required. Architectural impacts should be considered not only during the next 2,5 years, but should already be imposed on any new service, project or architectural design. In a subsequent post we will include a high level roadmap, showing that (especially for mid-sized & large companies) the journey around this new directive has to start now (with Master Data Governance).

The Reference Data Digest

The Reference Data Digest is a monthly newsletter that brings you details of recent changes to commonly managed reference data tables. This gives data managers a resource that relieves them of the need to monitor the external code tables for changes.

From data tragedy to information strategy: Succeeding in the information age


Evolving from automation to information centricity

The industrial revolution started off by automating the tasks of the workers in order to improve their efficiency and effectiveness. The same principle was applied when the first IT systems were introduced. Their main purpose was to automate a specific business process or activity and to improve the efficiency and effectiveness of this process or activity. The personal computer assisted calculations and document editing tasks and the ERP systems assisted specific resource planning activities.

Information exchange was often cumbersome and limited to an absolute minimum as the software solutions’ prime focus was the core task and not the integration or interfaces. A good example of this approach towards integration is the evolution of EDI protocols. Very few companies considered using integrated supply chain EDI-item-grammar as their internal storage semantics. For most retailers the EDI is streamlined but then internally mapped to a multitude of different structures that support sales, logistics, marketing etc. This is clearly a missed opportunity for rationalising the complex landscape of the disparate applications.

Not only is the information flow hindered by this approach; very often the ability to combine a set of activities into a consistent end-2-end workflow was not an objective of the technology solution either. This is another reason why chain processes such as Purchase to Pay or Order to Cash prove to be difficult.

The strong focus on automation resulted in application silos that covered the needs of the business process but didn’t consider the consistency of information across the different silos. The latter was often not an issue as companies often have functional silos that fail to recognise the underlying information objects.

As the ERP vendors have levelled the playing field in many industries, the efficiency of the automation is no longer sufficient to obtain a competitive advantage. The software becomes a commodity and people move to a reuse, buy and only then build model. Having efficient automated processes is therefore no longer a key differentiator in most industries.

The focus shifts towards effective and efficient chain processes such as O2C (Order to Cash) and P2P (Purchase to Pay) and, more importantly in the context of information management, towards maximising the insight that can be obtained out of the data at hand.

This information centric approach has to battle the years of process focus that led to a data landscape that is primarily application driven. The result is islands of data that don’t align with the information boundaries. Duplication and inconsistencies are often the result. The answer to this challenge is the isolation of the information centric business functions and to expose these independent of any specific business process. The latter is exactly what the current wave of “Master Data Management” software solutions tries to achieve. They either solve the inconsistency issue through cleansing and transformation or they deliver the full set of create, update and delete services.

Even in an information centric model one can expect that a large portion of the business interaction will still be performed from a business process specific point of view: the purchasing department interacts with suppliers and the sales department deals with customers. Often a limited set of functions will understand that the underlying object being a legal entity or natural person is the object that is actually maintained. The true challenge is to identify the added value or risk involved when the link between the customer and supplier viewpoint is ignored by the organisation.

The building blocks for an information centric organisation

An information centric organisation can only be achieved if the data, regardless of its appearance, is managed as an asset.
You can’t simply buy technology to instate “information as an asset” as it will require that all stakeholders act according to the relevant information policies. You can’t achieve accuracy and trust if all steps in the information flow don’t provide the required consistency.

COMPLEX PROBLEMS DON’T NEED COMPLEX SOLUTIONS

Your business strategies suffer from poorly organised information

Proper information management and insights have become a linchpin that acts as a catalyst for the execution of your business strategies. Linking the information assets and the business strategy is the basis of your information strategy. If you can’t define the correlation between improved information management and better insight, there will never be either a business case or support for your initiative in the organisation. The value of information is very business domain specific as it always originates from the capability to use the information in support of a business function. There are many examples of business functions that benefit from increased information accuracy and trust. The role of the information strategy is to describe the cases where improvements will be beneficial and use this as the primary driver for the investment roadmap. Your Chief Data Officer can fulfil this function, an emerging role in many organisations as information was not necessarily recognised in the past. If it’s unclear how information could generate value, you are likely missing the required innovation to make this happen. Rightfully, the CDO often also has the mission to focus on innovative ways to monetize data or to increase the benefits obtained from the current data.

Your people underestimate the true value of information

The person creating the data is seldom the one that gets the most value out of it. A lack of common meaning results in broken End-2-End information chains, loss of value and business risk. Business process flows seldom correlate with information life-cycle flows. Not describing the information landscape results in a lack of understanding and lack of consistency in the accuracy requirements. The net result is a total lack of trust, several remediation points and poor operational efficiency.

The information architect would have to make sure we understand the ins and outs of the information flows and the relationship with the data stores. This landscape provides fundamental input to the information strategy as the architectural weaknesses become apparent.

Getting people to act according to the global information accuracy and trust objectives is very difficult if they are failing to see the whole picture. Often people don’t handle the information appropriately as there is no apparent need in the context of their own business process.

You lack insight in your current information health

“Think before you act.” The current maturity needs to be taken into account when implementing change. Your approach should be issue centric and not just a copy of the book. There is no point in changing for the sake of changing. The baseline of data incidents, quality and general policy compliance is a fundamental starting point for every information strategy. Organisations have the tendency to compensate for their inefficiencies. A formal baseline that is linked to the business benefits is a superb instrument to make the business case visible. When linked to the proper business drivers it also allows monitoring the effectiveness of your information strategy.

Your information is manageable but not sustainable

Every datapoint that is kept is obviously a liability. Deciding to maintain information should not be a decision that is taken lightly. Depending on the update frequency it might prove to be expensive or virtually impossible to keep your data consistent with reality. There has to be clear business value when maintaining data. Having the right process, tools and policies to deliver the right quality level is essential for information life-cycle management. Often information management initiatives fail, as the scoping is not done properly. Focus is put on irrelevant datapoints, resulting in huge budgets and very late delivery of the benefits. The information strategy needs to focus on the information that can be maintained at a proper accuracy and trust level with a cost that is lower than the benefits. Proper scoping and understanding of the benefits and the information quality decay frequency is the key to a successful information strategy execution.

You only have a hammer

Technology evolves at an amazing speed. Get the time to market and get ROI by using the right tools for the job. What capabilities are you missing? Investing in the right information management capabilities is required to keep the information correct at an acceptable cost and also to drive the necessary innovation that will create the data insight and business value. Your information strategy therefore needs a technology capability roadmap angle to achieve the effectiveness that yields business benefits.

The logic should however not be reversed. Assuming that technology is the way out of every information management problem often proves to be the wrong angle.

Jan will present the full information strategy methodology with practical examples and guidelines in the two day seminar “Defining and Executing Your Information Strategy” that is scheduled for 25-26 September 2014 and 3-4 March 2015 in London.

Webinar: Getting Your Organisation from Information Poor to Information Driven, Jan Henderyckx

The “data rich, information poor” statement applies to many organisations. Big Data, MDM, Reference Data Management, Information Quality, Information Governance, Analytics, Appliances, … There are many trends and buzzwords in the industry today that all try to address the fundamental problem of strategy driven information management. It’s also very likely that you are able to put multiple ticks in the box for each of the hypes your company is jumping on the bandwagon for. But are each of these initiatives working towards a common goal?
In this webinar, Jan Henderyckx takes you through a holistic information strategy framework that will allow your organisation to minimize information risks and maximize the value of one of your most fundamental assets.

  • Defining what information is business critical
  • What are the core elements that you need to execute your information strategy
  • Fundamental information capabilities and applicable patterns.

To view this webinar click here.