GDPR compliance: We need to comply but where to begin?
When it comes to the EU General Data Protection Regulation (GDPR), businesses know they need to comply, but aren’t sure where to begin (or don’t think it’s time to start yet).
The GDPR will be officially enforced beginning on May 25, 2018, and while it’s still over a year away, now is the time to get started. Not only should systems and processes to support GDPR changes ideally be in place well before this deadline, but regulations aside, it’s good practice to put data governance measures in place as soon as possible if they don’t already exist, says Florian Douetteau is co-founder and CEO of Dataiku.
The big picture
Taking a quick step back for those who haven’t been paying attention to the latest on GDPR, some of the most important components, put very briefly, are:
- Application: The GDPR applies to any company (regardless of their location, size, and sector) processing the personal data of people residing in the EU. This means even businesses in the United Kingdom dealing with the uncertainty of Brexit will likely have to comply anyway if they have customers in the EU. And even for businesses strictly limited to the UK, note that the UK government has indicated it will implement an equivalent or alternative legal mechanisms that will be largely similar to GDPR.
- Responsibility: Under GDPR, both data controllers and processors must comply with the legislation.
- Data subjects’ rights: EU data subjects will have expanded rights when it comes to data protection, including the right to be forgotten, to access data about them, and to question decisions made purely on an algorithmic basis.
- Internal record-keeping requirements: Depending on the nature of the organisation, this may also include the appointment of a specific Data Protection Officer (DPO).
Key challenges and resolutions
The GDPR brings about several major challenges that businesses will need to address before the enforcement deadline.
The most daunting of these challenges surround data governance, organisational structure, and cross-team collaboration, including:
- Determining where personal data is stored across potentially multiple different siloed data sources. This can be addressed by centralising access to all data (no matter where it’s stored) to one location. There are plenty of tools out there that can easily provide this type of governance and connect to multiple data sources, centralising access to all data (including personal and sensitive data) for the entire organisation.
- Aligning everyone across the company (including IT, marketing, customer support, and data teams) on new policies and execution of any changes. Data science platforms can also help facilitate the alignment of teams around a common goal of compliance. When everyone is working with data in the same space, team leaders can keep an eye out, and any violations can immediately be raised and resolved before they expose the company to liability.
- Putting processes in place to accommodate requests from data subjects and ensuring all teams can execute on processes in a timely matter. Instituting a central environment where customer teams can self-serve and provide the information for the customer without having to ask the data team will likely be the most efficient method. Logged access so that it’s very clear who fulfilled these requests and when should questions (or an audit) arise is a key consideration for the central environment being used. Robust data science platforms allow the flexibility of using black box or interpretable models depending on the use case, and for the latter, any requests for justification of decisions decided by an algorithm will be simple to field.
- Ensuring proper data governance, security, and monitoring are in place in case of audit. If you’ve addressed the previous challenges, you’ve already gotten started: by centralising all data work into one place, data governance and potential audits are easy. Security can be tightly controlled via a data science platform, eliminating the risk of rogue personal data floating around on employees’ laptops on local spreadsheets.
What are you waiting for?
These challenges only scratch the surface when it comes to the changes your organisation might need to make in order to comply with the new GDPR. But centralising and standardising data practices by choosing a data science platform that addresses many components of the regulations in one fell swoop is a great place to start.
And getting started in GDPR compliance doesn’t have to be just something to check off your list – take advantage of the opportunity to streamline your big data strategy and not only meet regulatory requirements, but empower teams across the organisation working with data to become more efficient and scalable.
The author of this blog is Florian Douetteau is co-founder and CEO of Dataiku
About the author:
Florian Douetteau is co-founder and CEO of Dataiku, the maker of the all-in-one data science software platform Dataiku Data Science Studio (DSS), a unique advanced analytics software solution that enables companies to build and deliver their own data products more efficiently.