25 September 2017

The importance of the General Regulation of Data Protection in Business Intelligence

The rapid technological evolution that we are witnessing today, together with globalization, has led to the need to develop a new Regulation that introduces changes to the protection of individuals with regard to the processing of Personal Data, imposing new obligations on citizens and companies.

Thus, after four years of debate and preparation, the European Data Protection Regulation (GDPR) was finally approved by the European Parliament and enters into force on May 25, 2018, at which time all those not in compliance will be penalized.

The GDPR thus replaces the Data Protection Directive 95/46/EC, which was designed to address the need for uniformity of laws at European level, as well as to respond to a greater demand and purpose and, equally important, to hold entities accountable for collecting, processing and storing personal data.

There are new challenges in data protection with the entry into force of the new general regulation.

Which business processes use data covered by the regulation? In which operational and analytical systems does this data reside? What is the information life cycle? What transformation processes are applied to this data? Who accesses the information in each of the systems? These are some of the questions that companies should be able to answer in order to structure their path to compliance.

Typically, an organization's analytical data is used to, among other things, make operational and strategic decisions, report to regulators, discover market trends, or predict future events based on past behavior. A great part of this data belongs to the organization itself, such as data on all the actions carried out by its customers (orders, payments, among others), but it is also enriched by information from external suppliers, such as macro indicators for the market where the organization operates, allowing it to compare its performance with that of its peers.

This analytical data is usually available in Data Warehouses or in Data Lakes and is consumed through analytical tools, but in many organizations this is still not the reality: the data resides in Excel files, where control of access to information is not so effective. Gaining this control is a way for such an organization to comply with the new regulation, but it will always be an attempt to remedy a situation that, for all intents and purposes, should not have occurred in the first place.

Unlike a Customer Relationship Management (CRM) system, in which it is necessary to know customers and potential customers uniquely (namely names, contacts and addresses) in order to develop campaigns, analytical systems do not need this information.

Organizations can therefore follow several paths towards compliance with the regulation within their analytical systems. Neither typical analysis nor analysis using advanced techniques (neural networks, cluster analysis, semantic analysis) requires data that uniquely identifies a person. No taxpayer names or numbers are needed for this type of analysis; what really matters is to know characteristics such as the gender, the age group, or the parish where the client lives.

However, these issues are never simple, and we may be faced with situations where analytical systems provide data to CRM or operational systems. For example, after segmenting customers and finding that 5% are at risk of giving up contracted services, the organization may want to develop specific campaigns for these clients, and for that it is mandatory to know who they are.

It is therefore essential for organizations to adapt to the GDPR. There are a number of recipes that can be applied to ensure compatibility with the Regulation, but there is no single solution applicable to all organizations. Every case is different, and each company must find the best way to reconcile its analytical systems with this regulation.

It is now up to each organization to assess which is best suited to its situation.

  • Opinion article published in media Exame Informática - September 25, 2017