Fixing Data Governance For GDPR Compliance

By Ram Narasimhan, Global Executive Director, Xebia AI and Big Data. Ram brings two decades of experience in technology administration and enterprise business formulation across global IT, with proven success in business management, big data and analytics, data science, artificial intelligence, technology consulting, data architecture, product engineering and cloud computing.

The General Data Protection Regulation (GDPR) is a regulation that became enforceable on 25 May 2018. The legislation unifies and strengthens data protection for individuals in the EU. Irrespective of where in the world a company is located, if it processes the personal data of people in the European Union, the GDPR applies.

Companies worldwide are working hard to comply with GDPR, because the penalties for non-compliance can be severe.

GDPR has impacts such as:
- An increased need to review and change organizational processes, applications and systems.
- More stringent privacy and security requirements.
- Potential fines of up to 4 percent of annual worldwide turnover (or 20 million euros, whichever is higher).

Addressing GDPR compliance within an organization touches many functions, including HR, legal, IT and marketing. Effective security controls need to be implemented with the right technology in order to:
- Mitigate risk
- Address legal requirements
- Enable digital transformation
- Improve competitive advantage

GDPR includes crucial requirements that directly affect how an organization implements IT security. To secure and protect personal data, it is necessary to:
- Be aware of the risks
- Know where data is located
- Integrate security into the IT infrastructure
- Review and change existing applications where required

It is not possible to simply buy a GDPR-compliant product and leave it at that. GDPR is about managing risk and security processes, so the challenges cannot be solved by any single product. To be truly GDPR compliant, an organization needs to ensure that all of its solutions work together properly.

To ensure that you are GDPR compliant, the four steps described below can be followed.

1. Discovery
It is critical that the organization be able to monitor, enforce, and report on GDPR compliance. To do this, the organization needs to know how data comes in, what is done with it, and how it leaves the organization.

To achieve this, data governance that delivers capabilities including data lineage, asset inventory, and data discovery is needed. The more data is reused without suitable data governance, the bigger the risk of mishaps occurring with data handling. Tools to assist with data governance should therefore be chosen wisely.

2. Enrichment
Applications may need to be modified to support data subjects' rights (the rights of the people whose data is handled). Because personal information can enter the organization in many types and formats, and can be stored in numerous locations and in different forms such as video, text and voice recordings, this can be a major challenge.

Individuals may also request a copy of all the information held about them (the right of access). It must therefore be possible to automate and handle a potentially huge number of requests dynamically. It must also be possible to delete data under GDPR's right to erasure, the 'right to be forgotten'.

To achieve all this, an organization may have to consolidate its customer data to obtain a single view of each data subject across the entire organization. If an organization cannot identify an individual's personal information within its data sets, this could indicate that appropriate controls over personal information are not in place, which could raise red flags with regulators.
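The Discovery and Enrichment steps above describe capabilities rather than code. The following is an added example, not from the article or from any vendor product, of what those capabilities look like at their smallest: a scan that inventories which fields in which dataset hold personal data (discovery, including free-text fields that schema-only tools miss), a lookup that gives a single view of one data subject across every dataset (the basis for an access request), and an erasure routine that deletes those records and writes a hash-chained audit entry that retains no personal data. The dataset names, records and detector patterns are all constructed for illustration; a real scanner would add validation such as IBAN checksums and phone normalisation to reduce false positives.

```python
"""Added example, not from the article: a toy personal-data discovery and
data-subject-request (access / erasure) helper over constructed sample data.
Dataset names, records and detector patterns are all made up for illustration."""
import copy
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample data: three datasets in different shapes, as a data lake
# might hold them (a CRM table, a support-ticket store, a click log).
DATASETS = {
    "crm.customers": [
        {"id": 1, "name": "Alice Example", "email": "alice@example.org",
         "phone": "+31 6 1234 5678", "iban": "NL91ABNA0417164300"},
        {"id": 2, "name": "Bob Example", "email": "bob@example.org",
         "phone": "+44 20 7946 0958", "iban": "GB29NWBK60161331926819"},
    ],
    "support.tickets": [
        {"ticket": 100, "requester": "alice@example.org",
         "body": "Please call me on +31 6 1234 5678 about my order"},
        {"ticket": 101, "requester": "carol@example.org", "body": "Login broken"},
    ],
    "web.clicks": [
        {"session": "s1", "user_email": "bob@example.org", "path": "/cart"},
        {"session": "s2", "user_email": None, "path": "/"},
    ],
}

# Personal-data category -> pattern. Deliberately narrow; a production scanner
# adds validation (IBAN checksum, phone normalisation) to cut false positives.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+\d[\d ]{7,}\d"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}


def discover(datasets=DATASETS):
    """Discovery: inventory of which field in which dataset carries which
    category of personal data, found by scanning every string value, so
    free-text fields such as ticket bodies are caught as well as typed columns."""
    inventory = {}
    for name, records in datasets.items():
        for rec in records:
            for field, value in rec.items():
                if not isinstance(value, str):
                    continue
                for category, rx in DETECTORS.items():
                    if rx.search(value):
                        inventory.setdefault(name, {}).setdefault(field, set()).add(category)
    return inventory


def locate_subject(email, datasets=DATASETS):
    """Enrichment: single view of one data subject across all datasets, keyed on
    e-mail address. Returns {dataset: [record positions]} for an access request."""
    needle = email.lower()
    hits = {}
    for name, records in datasets.items():
        for i, rec in enumerate(records):
            if any(isinstance(v, str) and needle in v.lower() for v in rec.values()):
                hits.setdefault(name, []).append(i)
    return hits


def erase_subject(email, datasets, audit):
    """Right to erasure: delete every located record, then append a hash-chained
    audit entry recording what was deleted without retaining the personal data
    itself (the subject is stored only as a SHA-256 pseudonym)."""
    hits = locate_subject(email, datasets)
    for name, positions in hits.items():
        for i in sorted(positions, reverse=True):  # delete from the end so positions stay valid
            del datasets[name][i]
    prev = audit[-1]["hash"] if audit else "0" * 64
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "subject": hashlib.sha256(email.lower().encode()).hexdigest(),
        "deleted": {name: len(p) for name, p in hits.items()},
    }
    entry["hash"] = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
    audit.append(entry)
    return hits


def verify_audit(audit):
    """Recompute the chain; an edited or removed entry breaks every later hash."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def run_demo():
    """Walk one erasure request on a copy of the sample data and return the
    resulting figures; the module-level DATASETS is left untouched."""
    data = copy.deepcopy(DATASETS)
    audit = []
    deleted = erase_subject("alice@example.org", data, audit)
    return {"deleted": deleted,
            "remaining_for_alice": locate_subject("alice@example.org", data),
            "audit_ok": verify_audit(audit), "audit_entries": len(audit)}


if __name__ == "__main__":
    print({k: {f: sorted(c) for f, c in v.items()} for k, v in discover().items()})
    print(run_demo())
```

Keying the single view on e-mail address is the simplifying assumption here; in practice the join key differs per system (customer ID, hashed e-mail, phone), which is exactly why the article's consolidation step is needed before access or erasure requests can be automated.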


3. Foundation
IT security must also address the performance and availability of services, because it is impossible to predict when systems will be required to pull data, and how much at once. GDPR also requires the ability to restore access to personal data, and its availability, in a timely manner after a physical or technical incident.

Encryption will be more important than ever before. Detailed application-to-storage mapping, so that it is known which physical storage holds each application's personal data, is needed to decide what must be encrypted, to scope a breach and to know where erasure must actually take place.

4. Enforcement
Technologies that protect systems, software and people will also be needed. This includes services and products whose security controls can predict, prevent, detect and respond across database access management, identity management and security systems.

People mistakenly believe that GDPR lists specific technologies to be used. It does not: encryption and pseudonymisation appear only as examples of appropriate measures. GDPR instead holds the controller and the processor of data accountable and obliges them to assess the risks of the data they handle and adopt suitable security controls.

Although there is a lot to do to become GDPR compliant, it can be seen as a once-in-a-lifetime opportunity for organizations to examine data management and transform it according to best practices. Data volumes have exploded and big data has become commonplace. This may be the moment to introduce the right tools and processes, and with GDPR now a fact of life it may be easier to get executive support.

Big data platforms
With big data platforms such as Hadoop, existing data governance strategies cannot always be applied, which creates serious issues. Governance on such platforms requires a proper design and framework to be sustainable.

Hadoop and other big data platforms provide businesses with an extraordinary amount of information about customers and their behaviour, which can be leveraged to improve customer experiences. The same volume and variety, however, make it difficult to understand which data is stored, where it comes from, and who is using it for what.

This presents big challenges, as some of the information may be sensitive, e.g. names, addresses and account numbers. This information needs to be protected, especially now that GDPR is in force.

In big data environments, data objects and their details reside in multiple locations. Traditional data governance tools, however, only look at data after it has been structured. For GDPR this is not good enough, because big data platforms allow users to engage in discovery on raw data before it has been modelled.

It is, however, possible to retain the discovery advantages of a big data environment while still applying good data governance. To do this, a tool native to the ecosystem and built specifically to solve this problem must be used. For Hadoop this limits truly native governance options to Cloudera Navigator and Apache Atlas, for their respective distributions; there are other alternatives in the market that can also be considered.

If you are not GDPR compliant yet, there is no time to waste. GDPR requires more robust auditing and reporting structures so that your organization can respond to Data Protection Authorities and to individuals who have questions.