GDPR: Why Centralized Data Is So Vital

Data privacy is a huge concern for any organization that manages sensitive information. With the EU’s General Data Protection Regulation (GDPR) mandate, handling personal data is more important than ever.

In this article, we’ll discuss what the GDPR is, why centralizing your customer data is so important, and some options to consider for centralizing your customer data.

 

GDPR Overview

In April 2016, The European General Data Protection Regulation, or GDPR, declared that “Natural persons should have control of their personal data.” To many cybersecurity experts, the policy announcement by the 28 member states constituted the most important change in data privacy in more than 20 years.

What this means is that by May 25, 2018, EU citizens will have the power to request the destruction or receipt of their personal data. All companies, big and small, must abide by the new law with “undue delay and at the latest within one month.”

The GDPR has global implications. For instance, even companies outside the EU that process data are subject to EU regulation. EU citizens can also include temporary residents, and even those on vacation.

gdpr-implementation-plan 

GDPR Compliance Penalties

Failure to comply with legislation could result in a fine of up to 4% of your company’s gross global revenue, or €20 Million Euros, whichever happens to be greater per breach. According to IBM and The Ponemon Institute, the average cost per record in 2017 of a data breach — without fines imposed by the GDPR — was $141. In the last year alone, 2 billion records were compromised.

As if these stakes weren’t high enough, in the most extreme cases, cyber-crime could  result in criminal charges for its victims.

 

GDPR & Business

The GDPR impacts any organization that exports data from the EU or holds records about any EU citizen. Forms of identification may be direct or indirect. For example:

  • Legal names
  • IP address
  • Cookie IDs
  • Mobile device IDs
  • RFID tags
  • Email addresses
  • Phone numbers
  • Among other marketing, sales, and advertising data.

Under the GDPR, consumers own the power to request the erasure, extraction, or transfer their data to another service provider. The new policy grants them the right to know when their data has been hacked or compromised, report infractions anytime, and the right to “be forgotten”.

 

GDPR and Marketers

To minimize risks, marketers will need to bake privacy and data protection in from the outset. You will need to do all four of these things:

  1. Tell leads why you collect data.
  2. Assure customers that they control their data.
  3. Alter the design of how you collect their data.
  4. Document that you have to prove you have done so.

 

Consent

Customers must give “clear and affirmative consent” for any of their data to be used, stored or processed. (Persons under 16 years old cannot give consent without a parent or legal guardian.).

Your marketing campaigns should garner trust. So be sure to write copy that is direct and concise.

GDPR-Consent-Form

Photo credit: ICO 

GDPR and Joint Liability

On the backend, personal data must be even more carefully curated under the GDPR. Online advertisers should be especially vigilant, as the policy enforces joint liability and ad exchanges freely share data about website visitors. An ad exchange may pass user identifiers, URLs, IP addresses, browser metadata, system details, and so on. If hundreds of prospective advertisers, this personal data can leak quickly across content delivery networks (CDNs) to ad servers and bidders.   

Data-LeaksPhoto credit: PageFair

Centralizing Customer Data for GDPR

The GDPR will render personal data scarcer and thus more valuable. Storing customer data, however legitimately acquired, also puts its curators at risk, because under GDPR you must own an exhaustive inventory of:

  • What data you hold
  • Where it is
  • Why you collected it
  • Which rights and modifications are attached to it when it must be deleted
  • With whom you have shared that data
  • Where it has traveled; by what means, under which conditions

You must be able to respond quickly and accurately to every consumer request to learn about the data that you have, to change it, retrieve, transfer it, or remove it entirely. You will also need a detection system in place.

Since data must be secure across all applications and systems, companies cannot afford to silo data among so many repositories and processes. The stakes are too high.

If unified data layer, a location where personal data can be easily found, secured, shared, and deployed, is what’s needed most, storing your data in a central data warehouse is a no-brainer.

  • Act fast in the event of a breach;
  • Enforce uniform security controls across multiple targets;
  • Reduce the chances of administrative errors on individual targets;
  • And leverage the best practices across your enterprise.

Centralizing data entails Transparent Data Encryption, or TDE. This two-tier encryption key management can be centrally controlled and managed to:

  • Suspend access
  • Render encrypted data unintelligible in the event of a data breach
  • Monitor suspicious activity.

Burden or Opportunity

The GDPR is a great opportunity to get your data privacy and cloud content in order. To make sure you are ready, we have assembled a checklist for whether your organization is ready for GDPR.

Do you ask for permission to collect data?

Acknowledge data belong to your customers, not to you or anyone else. Then tell customers, in simple language, what you plan to do with that data, and render your messages visible rather than hidden.

privacy-policy-screenshot

If asked, could you immediately return and easily delete customer data?

Good documentation and a mapping of your joint liability with second and third parties in advance are essential to obliging customer requests to return or delete data. Improve your knowledge base wherever you can.

Have you practiced contingencies and educated your employees?

According to ICO statistics, human error causes 93 percent of data breaches. So be sure to train your IT staff and marketing teams on:

  • How to return or erase sensitive data upon request
  • How to notify customers about a breach;
  • What the messaging for such a notification will be;
  • What personal data you hold;
  • Where the data originate from;
  • Which attack vectors are most vulnerable in your databases;
  • Who can access which records;
  • And with whom you share personal data.

Prior to training, complete a data flow audit of mechanisms you have in place to limit access.

Do you let customers opt out of sharing data?

While you may say “We will not use data for other purposes before first asking for your permission first”, the GDPR gives people the “right to object”, or refuse data collection.

Are you being proactive?

Ask whether you have a privacy policy built into your workflows, replete with maps and mappings. Plan to launch a Trust Center. Write white papers, blog posts, and press releases that prove your poise and authoritative mettle. Including GDPR compliance in your cloud service contractual commitments will assure your customers that they can download a copy of their data at any time and for any reason, without any assistance from you.

Do you know if your partners and vendors are in compliance?

If you purchase data from 3rd parties, check that the data you purchase is compliant. Article 25 of the GDPR stipulates that if you are sharing data between other vendors, you need compliant contracts, based on what the GDPR defines.

Should you hire a specialist?

Bigger companies invest in a Data Protection Officer (DPO) certified in monitoring internal compliance. A DPO helps builds trust within and organization, and is good for PR.

What will your messaging be?

Media coverage about fines, security breaches, or penalties can hurt business, strain your confidentiality with partners, and damage your relationship with investors, past present and future.

No news is good news. But should your organization suffer a breach, you have 72 hours to report the compromised data (Equifax delayed six weeks). If your business is just breaking even, to owe 4% of your turnover could be catastrophic to ROI. Where business is concerned, guard your reputation at all costs.

Do I need to inventory all the systems where my customer data reside?

You need a record, not an inventory. Under Article 30 of the GDPR, each controller must maintain a record of their organization’s processing activities internally. Should supervisory authorities request these records, you must make them available on-demand.

The map would enumerate for all your data -- marketing, sales, support, website CMS, finance, etc. -- a record

  • The personal data you store
  • Where that data resides
  • What subjects the data pertains to (service users, donors, staff etc)
  • What you do with the data
  • How you process it
  • How and when you got the data
  • When you use it and for what end (is it necessary?)
  • Who can access the data and what can they do with it once they do
  • How long you store the data
  • Whether the data are encrypted
  • Who you share the data with
  • Countries you transfer data to
  • How data gets deleted

Options for Your Customer Data

When considering how to centralize your customer data, you have several options.

  • A centralized system for the management of all customer data -- which may be impractical given the number of systems storing customer data.
  • Inventory & access across all systems that house customer data -- which is often difficult to implement, manage, and maintain.
  • A centralized data warehouse -- connecting all your applications which house customer data still lets you access customer data, while not disrupting day to day users of applications.  

Next Steps:

Our Fusion product helps you centralize your customer data, a key element of GDPR compliance.

Try Fusion for free to see for yourself, or learn more here.