Rawpixel - Fotolia
Big data's surge has carried forward a shiny, new class of digitally born companies, among them Amazon, Facebook and Google. The breed of enterprise is best known for the way it harvests and packages data collected as part of user web activities.
This tech-infused business model is now coming under scrutiny, as the compliance deadline for the European Union's General Data Protection Regulation (GDPR) fast approaches. On May 25, the EU will start to enforce GDPR requirements for companies collecting or processing the data of people living in its 28 member countries. The regulation fully describes how companies can use that data, and they must be prepared to "forget" that data at the request of users.
GDPR requirements are partly driven by high-profile data breaches that have seen end users' data sucked up by prowling hackers. But there's more to it than that; it's a very European reaction to a Wild West style of business in which data monetization has become king. Elements of that style spread much further than Silicon Valley, however, as a wide range of companies started to gather web and other kinds of personal information on individuals. Just like the tech giants, they may find themselves in the crosshairs of GDPR.
And that's a good thing in the eyes of Daragh O Brien, the managing director of the Castlebridge information quality consultancy in Dublin. GDPR requirements will force companies to rethink the ethics of data handling, he explained, adding that GDPR reflects the European view that data is part of the person rather than a form of currency.
"All the things GDPR asks you to do are simply good information management practices," he said at a recent Enterprise Data Governance Online webinar. "They're not things designed to make you stop running your business. They simply require you to stop, think and implement appropriate means of governance."
What hath GDPR wrought?
Meanwhile, even companies that endorse the GDPR ethos admit there are challenges in implementation. "GDPR has a great spirit to it, but it certainly also has far-reaching business implications that I don't think the EU fully understands," said Jeff Smits, vice president of IT and business services at RingCentral, a Belmont, Calif., provider of cloud-based telephone, messaging and collaboration services to businesses.
Nonetheless, Smits is confident that everything will be in order at his company by next month's compliance deadline. "We're pretty far down the path at this point," he said. "We'll be ready."
Jeff Smitsvice president of IT and business services, RingCentral
Containing 10 chapters and some 99 articles, the GDPR is a complex standard. The regulation's articles of enforcement leave room for some interpretation. But it also details possible penalties for parties that fail to safeguard data privacy. In some ways, GDPR requirements are an update or restatement of the existing EU Data Protection Directive of 1995. Here are some important highlights of the newer directive:
- Article 17 spells out the "right to be forgotten" -- also known as the right of erasure. The article compels companies doing business in the EU to be prepared to locate the data they hold on individuals and scrub it from their records if requested by users.
- Article 32 outlines methods to use in pursuit of data processing security, including anonymizing and encrypting personal data to ensure a level of security "appropriate to the risk."
- Article 33 includes detailed requirements for handling data breaches. It sets 72 hours as the limit for alerting supervisory authorities of the breach. Individuals should be notified of such breaches without "undue delay."
- Article 37 calls for designation of a data protection officer (DPO). The requirement isn't altogether clear. Companies with large-scale data stores are to be covered by GDPR, and exactly what that means can vary according to interpretation. (See "Do you need to hire a data protection officer?")
Behind each article are possible EU penalties. Within companies, that has spurred high-level discussions rippling through their legal, security, data management, marketing and other departments at different rates in different industries and geographies.
Do you need to hire a data protection officer?
GDPR regulations specify that the DPO is necessary for companies that process data "on a large scale." But they offer no tangible definition of what constitutes large quantities of data, per se. If you are a Global 1000 company, however, it's better to be safe than sorry, Constellation Research analyst Cindy Zhou said.
"There's a lot of room for interpretation in GDPR," added J.R. Cunningham, vice president of product management at security services company Optiv Security. "If the framers of the regulation could have done anything differently, they would have done something similar to [Payment Card Industry] standards, where different levels are actually defined. We see companies that are very small who feel they have to have a DPO; meanwhile, others who are very large [are] getting legal opinions that say, 'No, we're good.'"
DPO positions "will start in large corporations and, over time, trickle down to become a key role in smaller organizations," consultant David Wells predicted. "Initially, I think those without a designated data privacy officer will make existing compliance and/or risk officers responsible for data privacy."
According to TechTarget's "2018 IT Priorities Survey," just 8% of North American IT professionals counted "planning for GDPR" among the broad initiatives their companies would implement this year, while a more strident 29% of their European counterparts cited planning for GDPR as a 2018 initiative.
Examining mistakes of the past
Are U.S. companies merely waiting to see if the EU or some consumer advocacy group goes after a high-profile player like Facebook first, before working out their GDPR compliance strategy? (See "Facebook may well be the proverbial canary in the GDPR mine.")
Cases of law may in fact help iron out the fine GDPR details, Optiv Security's Cunningham said. The reaction of U.S. companies to GDPR, he added, may be influenced by prior experiences; they had seen the mistakes of the past when companies attempted to comply with regulations that weren't completely understood.
"If we look at prior regulations, such as the [Payment Card Industry] standard, [Health Insurance Portability and Accountability Act] or Sarbanes-Oxley, one of the things that we have seen is that companies would race to become compliant, but they weren't taking care of their overall security program properly," Cunningham explained. "Let's not rush to just 'check boxes.' There's a lot left to be fleshed out."
GDPR requirements could spark renewed interest in and commitment to data governance, according to Wells. "GDPR is 'big noise' today, but, like all things, [it] will become just one more among many corporate and data management pressures," he said.
Facebook may well be the proverbial canary in the GDPR mine
Data governance is a long-running part of data management, but the practice is not so much associated with big data wunderkind Facebook. That company has long been a source of many of the EU's privacy concerns.
Those concerns exploded in the wake of news reports that data on millions of Facebook users was surreptitiously collected in the run-up to the 2016 U.S. presidential race at the behest of political analytics consulting company Cambridge Analytica. Only weeks before, Facebook leadership asserted that its house was in order when it came to shielding personal data.
"GDPR holds companies of all sizes to be accountable for how they use data," COO Sheryl Sandberg said at a February Facebook event in Brussels. "It's not just about social media; it's about every other business, as they all use data to improve their services. Privacy has always been important, but it's only going to get more important as more things that people do create data."
When it comes to GDPR readiness, many companies are not so confident. With the compliance deadline a year away last May, Gartner projected that 50% of affected companies would not achieve full compliance by the end of 2018. How well Facebook prepares for compliance could serve as an example for other U.S. companies that cater to European customers.
Software that can help in complying with GDPR includes data ingestion, data pipeline, data preparation, data analysis and data lake tools, Wells advised. Add to that list data security tools that mask, anonymize and scramble data.
Anonymizing technology is important among the tools used for overall data governance and GDPR-specific efforts at GlaxoSmithKline (GSK) PLC, according to Mark Ramsey, senior vice president and chief data officer at the London-based pharmaceutical giant. The company, which has worked to build and expand a centralized Hadoop data lake to make all kinds of data more readily available to various GSK departments, has dealt with data masking and anonymizing issues in the process.
To protect privacy, Ramsey said, governance should be applied at the point of data ingestion, when the data is first introduced into analytical systems, a step GSK is taking with software from StreamSets that can identify personal data as it's ingested. "We have automated the movement of data into the data lake," he explained. "We can discover data and anonymize or mask it at the same time we are moving that data."
He said the basic tenets of GDPR are not new to GSK, whose clinical studies have always required informed consent to use patient data. "GDPR is a next-generation combining of things," he surmised, "making sure people provide consent for use of their data."
Mark Ramseysenior vice president and chief data officer, GlaxoSmithKline
RingCentral's Smits said his company is creating a combination of manual, policy-based and automated processes to manage retention and deletion of personal data and respond to right-to-be-forgotten requests from EU residents. In some cases, the cloud communications company plans to obfuscate data to avoid skewing its operational records -- an approach that outside consultants blessed as "an adequate way to forget data," Smits noted.
RingCentral has deployed data governance software to track the new data management policies, where personal data is stored and other aspects of its GDPR program. In addition, it plans to use data integration tools from Talend to pull together personal data from a variety of systems as part of the compliance effort.
While the detailed effect of GDPR is hard to predict, the opportunity it presents to reset the big data ethos is worth emphasizing, according to Constellation Research analyst Steve Wilson. "If data is the new 'crude oil' as many people say, then we are going to see a host of new societal norms, rules and legislation in the next 10 to 20 years," he noted. "This will all be for the better. The Wild West days are coming to an end."
Craig Stedman, senior executive editor in TechTarget's Business Applications and Information Management Media Group, also contributed to this article.