Beginning May 25, 2018, the General Data Protection Regulation (GDPR) gives data privacy and protection rights to all citizens of the EU, a change that will affect any company doing business with EU citizens worldwide. Ken Krupa, Enterprise CTO for MarkLogic, says “I don’t think there’s been anything like this before on this scale.” He calls the implementation of GDPR “a mission-critical data integration problem.”
Krupa illustrates the magnitude of the effects of GDPR by asking his customers to imagine the multi-jurisdictional regulatory challenges they deal with now, “Where different regulators want different things, and that impacts the data flows throughout your enterprise.” His customers usually have no trouble visualizing this, so he continues: “With GDPR, this one regulation has effectively given some sort of regulatory power to 500 million-plus citizens [give or take a Brexit,] in the European Union,” meaning that any one of those citizens can have a say in what should and should not be done with their Personally Identifiable Information (PII).
“And it is incumbent upon you to find my specific data throughout the entire data life cycle and implement specific actions around what I tell you to do,” he said. “And then I could change my mind.”
The regulations allow up to 28 days to respond to some requests, “But if you think of the challenge associated with giving regulatory control to half a billion people, that’s a pretty daunting task.”
Implementation “is going to be a bumpy ride.” But he is hopeful that organizations will take this opportunity to move beyond the regulations, to “just doing things the right way in the first place,” after which the regulations will become easy to follow, he said.
New Regulatory Focus on Outcomes
Krupa says that large organizations typically deal with regulations reactively. “It’s very much around ticking the boxes. It’s less about outcomes,” he said.
“The regulator is asking for this, so let me write a check, hire an army of people, maybe hire a systems integrator to produce the scaffolding needed to generate the reports needed for the regulators, and hopefully, that satisfies them until they change their mind.”
A change in regulatory climate is forcing organizations to focus on outcomes rather than the simple compliance checklist. “GDPR is absolutely one of those,” he said. The complexity of this shift to outcomes is increased when compliance is measured by the outcome for an individual within a specific set of guidelines “in the areas you are compelled to protect, and how you’re compelled to protect” them. “Or in the case of Article 17 [of the GDPR], the right to erasure, or the right to be forgotten,” just one of the many challenges that organizations have to face with respect to protecting data under GDPR.
Outcomes can be proved or disproved, “particularly when there is a data breach,” he said. In addition to fines that can be levied by EU regulatory bodies, class action suits are also a possibility.
“Imagine a privacy breach, how a class action suit can get compounded when it can be proven that there was negligence on the part of the business entity where they were in violation of say, Article 17.”
Despite the possibility of serious consequences for failing to respond to GDPR, Krupa sees this shift as an opportunity for data transformation to implement better risk management practices.
“There’s nothing like being forced into doing something – whether it comes from existential threats in the markets, like the global financial crisis, or a regulator that’s not going to waver on their opinion, particularly if they have a population behind them.”
Of the shift to outcome-based measurement, Krupa said, “It will help from an awareness perspective in creating the programs in the first place.” Those who take the reactive ‘check-the-boxes’ approach to GDPR will fall short, but those who approach it as an opportunity for digital transformation are going to benefit.
“It’s not going to be executed perfectly: there are going to be some glaring failures out there, and when the first breach post-May 2018 happens, it will be interesting to see how many people avail themselves of some of the privacy laws, and whether their information has been compromised,” he said.
Compliance Starts with Database Management
Krupa says that although there are other solutions to help with compliance, MarkLogic takes a ‘data first’ approach. “There are a lot of things that need to be done differently at the database level – the database layer, to accomplish the things that GDPR needs to accomplish.” That starts with asking what your database management system can do differently and “changes the equation of everything at every layer above it. That’s the approach that we take at MarkLogic,” he said.
“Having a platform that handles data and metadata together and handles change – changes to the shapes of things as fluidly as it handles the data itself – that’s important.” He says it’s also important to remove friction from the process.
“If you are constrained by your database technology, where you can’t add whatever relevant information that you need to add to your data, without the pain of contacting a DBA or changing an ETL process, then something is intrinsically broken.”
Krupa says that the database should be able to protect the data and allow access to the right people without relying on external applications.
“When you think of all the privacy and security implications of something like GDPR, you want your database to be intrinsically aware of the fine level policy detail in place to protect your data. Why not put it there? That’s the place where the rubber meets the road.”
The Double-Edged Sword
Krupa believes that overall, the implementation of GDPR is going to help, “Because nobody can argue against the value of keeping somebody’s data private, particularly against bad actors, and that’s what we are worried about, right?” he said. “Some marketers, and those who get to monetize your data love the fact that they have your data, and love the fact that they can market to you specifically, but with that power comes responsibility.” The possibility of a lawsuit is greater now for companies that don’t implement an effective response, “So I think it’s a double-edged sword.”
If used strategically, a required response to outcome-based regulations can add value in other areas of the organization.
“If you could connect those dots and wire the operational processes together in a way that’s very agile, well, that’s what digital transformation requires, so the smart data strategists out there are looking at this as an opportunity,” he said. For example: “Knowledge of a specific individual’s data and being able to follow the breadcrumbs throughout the entire data life cycle, connecting the dots in a very contextual way – that’s essentially what a customer 360 is intended to do.”
The risk management changes required by GDPR can ultimately be a benefit, “Because it forces a budget, right? It’s a forcing factor, and it’s like, ‘Okay, what am I going to do with these dollars? Do I want these dollars to just be about meeting the requirement?’ And yes, there are some tactical decisions that must be made, particularly when there are deadlines,” he said.
“May 2018 is right around the corner, but are you going to spend all that budget just meeting tactical requirements and potentially fail, or are you going to say, ‘What can I do more smartly with my budget that can give me something more opportunistic?’”