In our last article we provided an overview of the upcoming strict EU directive on data privacy & data protection and how companies will be affected.

Companies dealing with EU citizen data will need to deal with different types of requests, both from EU citizens as well as from local authorities.

In certain industries, in case of a data breach or when a company is under suspicion by the public or authorities, these requests can mount to very large numbers and often they’re not easy to respond to and very time-consuming.

Seen the potential width and scale of these requests it’s worth wile to already now consider a service offering as part of the path to compliance.

The ability to ensure privacy & protection of person data is becoming

a crucial differentiator for companies and their customers.

The following describes some of the requests a company might get as part of the new EU directive on data privacy & data protection and how a service approach can provide a sustainable solution**:

Who has to deal with these requests?

• Any company handling EU citizen data of over 5000 unique EU natural persons (per year), any public authority from within the EU, any company that’s monitoring EU natural person data as it’s core business or any company that’s processing sensitive personal data (children’s data, location, health records,…).

• – In most large companies the Data Protection Officer (DPO) will/should be in charge, and most of the time his/her office will be the ultimate responsible for the request handling.

 

What type of requests can companies get?

• Different formats:
  • Paper requests
  • Electronic requests – these must be answered in an electronic form and format, comprehensible for the requester.

• Requests of a natural person…:*
  • to obtain a copy of all his/her personal data and/or all data that allows the company to identify him/her as a person.
  • for rectification of bad quality personal data (e.g. a duplicates, wrong spelling, wrong address, … ) or of personal data in doubt. Bad quality data or data in doubt can prevent a company from using that personal data until proven otherwise.
  • for the deletion (hard) of personal data.
  • to get insights into the usage of his personal data (e.g.: in marketing campaigns, for profiling activities, …).
  • to provide information about a data breach involving his/her data.
  • to upload his/her personal information obtained from another company (e.g.: call behaviour or transaction history when converting from one telco or bank to another).
  • …

• Requests from local authorities:
  • about number of requests from natural persons and the ability to handle them within 1 (max 2) months,
  • requesting cause, impact, communication & remediation of a data breach.
  • …

• … upon a data breach, an entirely separated (service) process should be initiated. This can be compared to a typical incident process with high priority incident handling requiring max attention & emergency procedures.

 

What do you mean “It’s about more than stored data”?

• Besides the actual data, a company will also need to track & be able to provide proof of the use of personal data (use of archived data, use of data for (advanced) analytics & data mining, rectifications of bad quality data…).

• Furthermore, it’s not just about structured personal data, but also about unstructured personal data (documents, pictures, video’s, e-mails…).

 

How to avoid assigning a massive workforce to data privacy & protection?

• Especially for large companies the advice is to start now (or at least beginning of 2015) with an analysis and a data governance exercise on what personal data means for your company & it’s use, ownership, policies etc.

• You don’t want to go out and fetch all personal data captured in internal (and sometimes external) systems upon each request. A master, which automatically collects all personal data (where all sources are federated) can be a single point of truth upon request, allowing for easy and up-to-date request handling.

• This (MDM) master should not only collect the “personal data”, but also track it’s source(s), consumers, rectification logs,… & should also allow for monitoring & delete-initiation.

• Your front end should be more than a call center or mailbox, it should preferably contain a service layer with predefined service request templates and automated request handling:

More details about the use of MDM, a front-end service layer, data governance & other information mgt. capabilities facilitating compliance will be provided in the December SAI session in Belgium.

 

Data protection and privacy as a service?

• Ultimately, a lot of companies will face a tipping point where manual request handling is to be replaced with service enablement of requests.

• Companies with a transparant & lean solution landscape, business processes driven way of working and a high maturity in information management have an easier task in the discovery of the ‘personal data’ information lifecycle and therefore their tipping point is higher.

• Although a high tipping point will give companies an advantage in terms of speed of compliance, we still see a great deal of companies that will need to apply or gear up a number of fundamental information mgt. capabilities (Data Governance, Master Data Management, Data Quality, Data Security,…) to obtain sustainable compliance and avoid high operational costs & fines (100 MIO euro or up to 5% of global turnover).

More details about the use of MDM, a front-end service layer, data governance & other information mgt. capabilities facilitating compliance will be provided in the December SAI session in Belgium.

 

 

* exceptions to deletion and handling exist (e.g.: in healthcare).

** material is based upon the current draft guidelines, which are close to final approval (expected end 2014 or beginning of 2015).

 

Questions: contact Inpuls.eu @ info@inpuls.eu or +32 3 443 17 43