The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Organisations need to take steps now to ensure they are capturing, integrating, certifying, monitoring and protecting their data to ensure GDPR compliance.
Businesses in Singapore will be the most affected in Southeast Asia. Singapore is the EU’s largest commercial partner in ASEAN. The GDPR is similar to Singapore’s PDPA (Personal Data Protection Act), and compliance is a significant challenge. Enterprises have typically compartmentalised data in application silos that are spread across different systems, from legacy mainframes to storage systems and even the cloud. According to EY’s Global Forensic Data Analytics Survey 2018, only 12% of respondents in Asia-Pacific have a compliance plan that addresses the GDPR, and only 10% of respondents in Singapore have a GDPR compliance plan in place.
The Challenges of GDPR
The GDPR has a broad definition of data privacy. It places far-reaching responsibilities on organisations by imposing a specific ‘privacy by design’ requirement, and it expands the need to implement appropriate technical and organisational measures so that data privacy and data protection are no longer an afterthought.
The emergence and growing prevalence of the Internet of Things (IoT) exacerbates these issues. At the heart of IoT is the concept of the always-connected customer. Businesses are looking to generate and capture large volumes of data about customer preferences and behaviours to drive a competitive edge.
Even though much of this data is related to products rather than to data subjects, it still has the potential to impact privacy. Information provided by a connected car, for example, is likely to affect the privacy of the car owner if his ownership of that vehicle is known, even if the data itself is not specifically linked to him. Retailers of connected products are aware that once a product is in a customer’s hands, all data broadcast through that product could qualify as personal data, which means that they need to apply privacy by design principles together with all their suppliers involved in gathering, storing and processing the data.
Another big challenge organisations face is knowing both where all of the private, sensitive data within their organisation resides and who is responsible for taking care of it. Many businesses are unclear about this because their data is siloed in different departments (sales, marketing, finance, services, etc.), and that is an increasing concern under the new, more rigorous GDPR stipulations.
Under GDPR, the data controller must respond to subject access requests within a month, with the possibility of extending this period for particularly complex requests. This is typically more stringent than existing regulations. Under the UK’s Data Protection Act, for example, the response time is 40 days. In addition, the rights of data subjects are not restricted to data access: GDPR also mandates the right to rectification, the right to erasure (also known as the right to be forgotten), the right to restrict data processing, the right to object to data processing, and the right not to be evaluated solely on the basis of automated processing. All of those rights have a significant impact on data management practices.
Steps to mitigate impact of GDPR
So, given the issues outlined above, Asian organisations should start by carrying out an inventory of their data so that they at least know exactly what they have and where it is located. Once a clear map of the data has been developed, companies will be better placed to start assigning responsibility for looking after it. That is, in a sense, the minimum requirement. However, it can then act as the foundation for establishing a stronger data governance policy, which is a key element of what GDPR requires.
Closely linked to data governance is the issue of data quality – an especially pressing concern when organisations are building out their IoT capability. That is because the desire to keep costs down in the IoT world often means that organisations are forced to work with low-quality networks, and data quality may suffer as a result.
In the context of GDPR, data quality and harmonisation can be a critical concern, particularly if poor quality makes it difficult for the organisation to achieve ‘a single view’ of the customer – something which is mandated by the regulation. One of the most significant data quality issues in this context derives from the business keeping separate, siloed pools of data which are not readily integrated. Take the scenario where the business knows a customer partly through IoT and partly through its marketing applications.
If the customer then wants to know what private data the business holds on him and the organisation ends up revealing only a fraction of that data because of these separate data pools, then it is ultimately the organisation’s responsibility that a full set of data has not been provided. That, in turn, is likely to be a breach of GDPR. It is a stark warning that, to comply, organisations effectively need to reconcile the information they get from different parts of their organisation, including IoT.