GDPR: Who Owns Your Data?

I attended a conference by the Data Warehouse Institute (TDWI) last October. In one of the presentations, Gerald Hopkins talked about GDPR. It was the first time I had ever heard of it, and Gerald basically told us that if we were doing business in Europe and hadn’t started working on GDPR we should be worried. Which, as he intended, worried me.

GDPR stands for General Data Protection Regulation. It is a regulation that went into effect in Europe on May 25 of this year and it is considered to be the world’s strongest data protection regulation. Within GDPR there are:

  • Rules that ensure a company is more transparent with you when you consent to let them use your data
  • Rules to allow you easier access to the data that companies collect about you
  • A requirement that you be able to require a company to delete your data when you ask them to
  • A requirement that your data be deleted after a certain time period even if you didn’t ask

And because of this you almost never hear GDPR spoken of enthusiastically by companies. Finding and deleting a customer’s data is hard. And expensive. And time-consuming.

After that October meeting, I started noticing a scramble from companies that do business in Europe. Now all of the data forums talk about GDPR, it was mentioned by just about every speaker at a CIO Event I went to this weekend, and it has consumed and changed roadmaps and plans for just about every global company I’ve spoken with. How do we know where customer data is stored across all of our technologies? How do we find it all? How do we delete it? What data do we need to delete? Do we have to delete it or mask it and when?

As an industry, we have spent years learning how to better collect and use customer data for analytics, operational reporting, marketing, etc. Vendors focused on selling us self-service tools that let us integrate our own data and avoid centralized data warehouses if we want to. Just about all big companies have created data lakes and file systems with huge amounts of raw data. We have an amazing variety of reporting and visualization tools that extract data to reporting servers or allow us to copy our reports into our own folders and modify them ourselves. And Microsoft Excel is still the most commonly used analytics tool. Data is everywhere.

Different generations have different attitudes about personal data. Millennials, for example, are much more comfortable with companies having and protecting their data. Older people in general are not. My mom is crazy careful about what she posts on her Facebook page, both because she is a more private person and because she worries about people knowing her business or a breach of her data. I have worked in data for many years and I am pretty comfortable with the way that companies use data, but I still sometimes get a bit creeped out when I search for a product on one site and then go into another application and see that the page knows what I searched for and is now targeting me.

But if a company collects data on you, is it still your data? Or is it the company’s data? Answering that question is difficult because in the end, it is both. The company needs your data to do business. But outside of their need to do business, should they be keeping and retaining your data? If you’re in the European Union, GDPR says that is your decision. GDPR says that you have the right to decide whether a company can keep your data and that you can control what that company does with your information (to a reasonable extent).

With the challenges and costs to companies, it is easy to forget why the European Union implemented the regulation in the first place. In this day of self-service data tools and tools that help companies work with huge amounts of raw data, is it any wonder that governments want to help people protect themselves? When you truly think about it, the only thing surprising about GDPR is that it wasn’t done years ago. And it is just a matter of time before other countries enact similar legislation and follow Europe’s lead — India and other countries have already gotten started.

How has GDPR affected you?

3 thoughts on “GDPR: Who Owns Your Data?”

  1. While GDPR went live on May 25th, I still think there is a lot that needs to be ironed out in terms of clarifying impacted parties. In the meantime, it has provided organizations an opportunity to better manage their sometimes neglected inventory of people data and streamline processes and extend it beyond GDPR impacted data.

    1. It is interesting how much it has increased the attention to data protection, isn’t it? I would agree — it has brought a much better awareness to data storage and use…

  2. European vendors/consultants must be jumping into this space to help US companies navigate – is that a developing area of business?
