04-10-2015 Door: Christoph Balduck

Data privacy & protection as a service?

Deel dit bericht

In our last article we provided an overview of the upcoming strict EU directive on data privacy & data protection and how companies will be affected.

Companies dealing with EU citizen data will need to deal with different types of requests, both from EU citizens as well as from local authorities. In certain industries, in case of a data breach or when a company is under suspicion by the public or authorities, these requests can mount to very large numbers and often they?re not easy to respond to and very time-consuming.

Seen the potential width and scale of these requests it?s worth wile to already now consider a service offering as part of the path to compliance.

The ability to ensure privacy & protection of person data is becoming a crucial differentiator for companies and their customers.

The following describes some of the requests a company might get as part of the new EU directive on data privacy & data protection and how a service approach can provide a sustainable solution**:

Who has to deal with these requests?

  • Any company handling EU citizen data of over 5000 unique EU natural persons (per year), any public authority from within the EU, any company that?s monitoring EU natural person data as it?s core business or any company that?s processing sensitive personal data (children?s data, location, health records,?).
  • In most large companies the Data Protection Officer (DPO) will/should be in charge, and most of the time his/her office will be the ultimate responsible for the request handling.

How to avoid assigning a massive workforce to data privacy & protection?

  • Especially for large companies the advice is to start now with an analysis and a data governance exercise on what personal data means for your company & it?s use, ownership, policies etc.
  • You don?t want to go out and fetch all personal data captured in internal (and sometimes external) systems upon each request. A master, which automatically collects all personal data (where all sources are federated) can be a single point of truth upon request, allowing for easy and up-to-date request handling.
  • This (MDM) master should not only collect the ?personal data?, but also track it?s source(s), consumers, rectification logs,? & should also allow for monitoring & delete-initiation.
  • Your front end should be more than a call center or mailbox, it should preferably contain a service layer with predefined service request templates and automated request handling

Data protection and privacy as a service?

  • Ultimately, a lot of companies will face a tipping point where manual request handling is to be replaced with service enablement of requests.
  • Companies with a transparant & lean solution landscape, business processes driven way of working and a high maturity in information management have an easier task in the discovery of the ?personal data? information lifecycle and therefore their tipping point is higher.
  • Although a high tipping point will give companies an advantage in terms of speed of compliance, we still see a great deal of companies that will need to apply or gear up a number of fundamental information mgt. capabilities (Data Governance, Master Data Management, Data Quality, Data Security,?) to obtain sustainable compliance and avoid high operational costs & fines (100 MIO euro or up to 5% of global turnover).


* exceptions to deletion and handling exist (e.g.: in healthcare).

** material is based upon the current draft guidelines, which are close to final approval (of end 2014 or beginning of 2015).

Christoph Balduck

Christoph Balduck is sinds 2001 werkzaam in IT en vanaf 2007 werkzaam in het gebied van information management. Initieel vervulde Christoph een breed aantal technische en functionele rollen in SAP, waarna hij zich toelegde op de CRM toepassingen om zich vanaf 2007 toe te leggen op informatie- en datamanagement.

Christoph is senior practitioner gespecialiseerd in Data privacy en data protection, Master Data Management, Information & Data Governance, Data Quality, Information Strategy en Information architecture. Voorts is Christoph gecertificeerd als EU Data Protection Officer. Momenteel werkt Christoph als hoofd Data Management van de Ageas Groep waar hij zich o.a. bezig houdt met Data Privacy en data protection, maar ook met informatie strategie en data- en informatie governance, master- en reference data management, informatiearchitectuur (als deel van business- en enterprise architectuur), data kwaliteit en metadata management. Christoph is lid van DAMA Belux en van de General Council van de Data Quality Association.


Alle blogs van deze auteur