Data privacy & protection as a service?
In our last article we provided an overview of the upcoming strict EU directive on data privacy & data protection and how companies will be affected.
Companies dealing with EU citizen data will need to handle different types of requests, both from EU citizens and from local authorities. In certain industries, after a data breach or when a company comes under suspicion by the public or the authorities, these requests can mount up to very large numbers, and they are often hard to respond to and very time-consuming.
Given the potential breadth and scale of these requests, it is worthwhile to consider a service offering now, as part of the path to compliance.
The ability to ensure privacy and protection of personal data is becoming a crucial differentiator for companies and their customers.
The following describes some of the requests a company might get as part of the new EU directive on data privacy & data protection and how a service approach can provide a sustainable solution**:
Who has to deal with these requests?
- Any company handling the data of over 5000 unique EU natural persons (per year), any public authority within the EU, any company whose core business is monitoring EU natural persons' data, or any company processing sensitive personal data (children's data, location, health records, etc.).
- In most large companies the Data Protection Officer (DPO) will, or should, be in charge, and in most cases his/her office will be ultimately responsible for request handling.
How to avoid assigning a massive workforce to data privacy & protection?
- Especially for large companies, the advice is to start now with an analysis and a data governance exercise on what personal data means for your company: its use, ownership, policies, etc.
- You do not want to go out and fetch all personal data captured in internal (and sometimes external) systems upon each request. A master that automatically collects all personal data (with all sources federated into it) can be a single point of truth for each request, allowing for easy and up-to-date request handling.
- This (MDM) master should not only collect the "personal data" itself, but also track its source(s), consumers, rectification logs, etc., and should also allow for monitoring and delete-initiation*.
- Your front end should be more than a call center or mailbox; it should preferably contain a service layer with predefined service request templates and automated request handling.
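The sketch below is an added illustration of the master described above, not code from the original article: a small registry that federates several personal-data sources, records each source's consumers, serves predefined request templates (access, rectification, erasure) and keeps an audit log. The source names, attribute names, subject identifier and the statutory retention rule on the clinic source are constructed sample data, chosen only to show how a deletion exception (as in healthcare) is handled rather than silently ignored.

```python
"""Minimal personal-data master with templated request handling.

Added illustration only; the source names, attributes, subject id and
retention rule are constructed assumptions, not taken from the directive.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Source:
    """One federated system holding personal data (constructed adapter)."""
    name: str
    consumers: List[str]                 # downstream systems fed from this source
    retention_reason: Optional[str]      # legal basis that blocks erasure, if any
    records: Dict[str, Dict[str, str]]   # subject_id -> attributes (sample data)

    def lookup(self, subject_id):
        return dict(self.records.get(subject_id, {}))

    def rectify(self, subject_id, attr, value):
        # Only correct an attribute this source actually holds for the subject.
        rec = self.records.get(subject_id)
        if rec is None or attr not in rec:
            return False
        rec[attr] = value
        return True

    def erase(self, subject_id):
        return self.records.pop(subject_id, None) is not None


class PersonalDataMaster:
    """Single point of truth: federates sources, dispatches request templates."""

    def __init__(self, sources):
        self.sources = sources
        self.audit = []   # access / rectification / erasure log

    def _log(self, request, subject_id, detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "request": request, "subject": subject_id,
                           "detail": detail})

    def access(self, subject_id):
        """Access request: what is held, in which source, consumed by whom."""
        report = {}
        for src in self.sources:
            data = src.lookup(subject_id)
            if data:
                report[src.name] = {"data": data, "consumers": src.consumers}
        self._log("access", subject_id, {"sources": sorted(report)})
        return report

    def rectify(self, subject_id, attr, value):
        """Rectification request: push the correction to every source holding it."""
        changed = [s.name for s in self.sources if s.rectify(subject_id, attr, value)]
        self._log("rectify", subject_id, {"attr": attr, "sources": changed})
        return changed

    def erase(self, subject_id):
        """Erasure request: delete where allowed, report retained data with its reason."""
        result = {"erased": [], "retained": {}}
        for src in self.sources:
            if not src.lookup(subject_id):
                continue
            if src.retention_reason:
                result["retained"][src.name] = src.retention_reason
            elif src.erase(subject_id):
                result["erased"].append(src.name)
        self._log("erase", subject_id, result)
        return result

    # Predefined service request templates exposed to the front end.
    TEMPLATES = {"access": access, "rectify": rectify, "erase": erase}

    def handle(self, request, subject_id, **params):
        handler = self.TEMPLATES.get(request)
        if handler is None:
            raise ValueError(f"unknown request template: {request}")
        return handler(self, subject_id, **params)


def build_demo_master():
    """Constructed sample landscape: CRM, clinic records, web analytics."""
    crm = Source("crm", ["marketing", "billing"], None,
                 {"u-1001": {"name": "A. Example", "email": "a@example.test"}})
    clinic = Source("clinic-records", ["medical-staff"],
                    "statutory health-record retention",
                    {"u-1001": {"name": "A. Example", "blood_type": "O+"}})
    analytics = Source("web-analytics", ["product-team"], None,
                       {"u-1001": {"last_seen": "2014-11-02"}})
    return PersonalDataMaster([crm, clinic, analytics])


def run_demo(subject_id="u-1001"):
    """Walk one subject through access, rectification and erasure."""
    m = build_demo_master()
    return {
        "before": m.handle("access", subject_id),
        "rectified": m.handle("rectify", subject_id, attr="email", value="new@example.test"),
        "erasure": m.handle("erase", subject_id),
        "after": m.handle("access", subject_id),
        "audit": m.audit,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The erasure result distinguishes sources that were actually deleted from those retained under a legal basis; a real front end would return exactly that split to the requester, and the audit entries give the DPO's office the rectification and deletion trail the master is expected to keep.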
Data protection and privacy as a service?
- Ultimately, a lot of companies will face a tipping point where manual request handling is to be replaced with service enablement of requests.
- Companies with a transparent and lean solution landscape, a business-process-driven way of working and a high maturity in information management have an easier task in discovering the "personal data" information lifecycle, and therefore their tipping point is higher.
- Although a high tipping point gives companies an advantage in terms of speed of compliance, we still see a great many companies that will need to introduce or strengthen a number of fundamental information management capabilities (Data Governance, Master Data Management, Data Quality, Data Security, etc.) to obtain sustainable compliance and avoid high operational costs and fines (100 million euro or up to 5% of global turnover).
* exceptions to deletion and handling exist (e.g.: in healthcare).
** Material is based upon the current draft guidelines, which are close to final approval (expected end 2014 or beginning of 2015).