It has been a year since the EU’s General Data Protection Regulation (GDPR) came into force. Although it’s still in its infancy, GDPR is already a big consideration for organizations as they address the issues of data privacy, secure data access, and how they gather and use customer data.
As a means of harmonizing data privacy laws across Europe and protecting customers’ personally identifiable information (PII), GDPR has shown that it has really got teeth. On its first day in force, complaints against Google were filed in France. By January this year, CNIL, the French national data protection commission, fined Google €50 million for a lack of transparency, inadequate information and lack of valid consent regarding the personalization of their advertising, and for not having a sound legal basis to process the personal data of its services’ users.
And there’s a real hunger for GDPR to work. According to the UK Information Commissioner’s Office, there has been a significant increase in reports of data breaches. And the European Data Protection Board (EDPB) confirmed that, in the first nine months of GDPR, over 200,000 breaches have been reported by supervisory authorities in the 31 countries in the European Economic Area.
So, GDPR isn’t an unwieldy piece of bureaucracy, as some may have feared. It’s having an effect as it turns a spotlight on to organizations’ data governance, and it’s setting new standards of due diligence and regulatory compliance. The challenge for organizations is to meet these standards and to ensure that the latest tools and methods for handling and analyzing data do not breach GDPR.
This being the case, how does GDPR affect data security when embedding analytics?
Jurisdiction across borders
An important consideration is that GDPR isn’t just a European issue, although it’s EU legislation. It applies to organizations located both within and outside the European Union — wherever they’re located — if they hold or process data, monitor the behavior of subjects from the EU and offer them goods or services.
Don’t think that because you’re based in the Americas, Asia, Africa, or Oceania, GDPR doesn’t affect you. If you’ve got European contacts or customers in your database, then it applies to you.
While the case against Google was European (action initiated by French authorities against an organization with European headquarters in Ireland), it demonstrates the far-reaching nature of GDPR and its jurisdiction across borders.
So, organizations throughout the world need to check how they’re using their customers’ data and their embedded analytics to understand and reach out to customers and prospects.
GDPR demands that all organizations apply strict governance, security, and compliance policies when they embed analytics and store data. Failure to do so could prove to be costly.
Privacy and rights
GDPR’s raison d’être is to protect customers’ privacy, minimize intrusion, reduce fraud and identity theft, and control their digital footprint. So, security features, policies, and procedures should be built into your embedded analytics platform to help guarantee privacy and protect personal data. These revolve around a set of rights that are enshrined in GDPR, as follows:
- Right to Consent — Your platform must allow prospects and customers to give or withhold their consent for you to collect, store, use and share their data. It must record the consent and the reason for storing the data, the source (such as an online form), and when and who updated it.
- Right to Data Protection — You must be able to control access to customer and contact data in order to safeguard it from third parties and any unauthorized attempts to view, retrieve, or alter it.
- Right to View Personal Data — You must disclose what data you have about contacts, prospects, and customers when they request it. Detailed and accurate records are therefore essential.
- Right to Data Portability — Contacts, prospects, and customers have the right to retrieve all the data you have collected about them and take it elsewhere. So, for instance, should a Telco customer wish to transfer to a different service provider, they can demand that all their data be retrieved, sent to the new supplier, and removed from your database.
- Right to Be Forgotten — If contacts, prospects, and customers wish to unsubscribe, cease business with you, and stop any communication with your organization, their request must be respected. Their data must be erased from your database. You need the capability to respond swiftly to such requests.
To achieve this requires flexible but robust data management faculties that enable you to confidently secure, control, and manage the data that your embedded analytics generates and stores.
Safeguarding, management and controlling data: a question of access
Embedded analytics increases the volume of data about your business and your customers that you have at your fingertips. You must have the capability to identify, define, and categorize this data as it grows, to ensure that breaches don’t occur. This involves giving both your team and your customers the right access to the right data, and nothing more. And your embedded analytics should include the comprehensive safeguards at the following levels as you scale up:
System / role level
You need the capability to manage data access based on users’ and groups’ roles, including customers: who can view dashboards, who can create and edit them, and who are the administrators. This should extend to assigning access rights to different servers for individual users, groups, etc. via connection to active directory, single sign-on (SSO), and the security REST API.
As part of managing data at this level, it’s important to leverage the active directory to manage deployment times. Apply standardized authentication policies with SSO. And with the REST API, automate and customize system security settings and restrict access based on GDPR’s rules and standards. Furthermore, data disk and system encryption should be in place. Tracking and monitoring capabilities must be able to conceal personal identifiers and should be able to get switched off at any time.
Together with controlling who has access, you must control what they have access to, so they see only what’s intended for them, and what GDPR allows. So, you need to ensure you have a clear understanding of GDPR guidelines in order to define what information is acceptable to be included in data models and dashboards, what can be stored, and what can be shared.
Data-level takes this a stage further by enabling you to provide varying levels of data visibility to different individuals or groups so that they can do their work without contravening any rules. This more granular level of control means that individuals will only see and share information that’s applicable to them and legally acceptable, from the same data set or dashboard.
Ensure that your embedded analytics platform follows industry security best practices, such as SDLC, DREAD and OWASP methodologies, and that it is tested regularly.
It’s good news . . . really
At first glance, it seems as though GDPR is burdening you with increased responsibility for handling your customers’ data and ensuring secure data access. While that’s true, it’s not a bad thing, because it forces you to examine and manage your data more closely and respond to customer requirements more precisely. No customer likes to be spammed with unwanted information, and no organization wants to bug its customers with irrelevant communication, so the combination of this legislation and great BI and analytics means you can avoid this. You’ll be more responsive to your contacts’ preferences. You’re more likely to send them better communications and more laser-targeted marketing campaigns based on their preferences. You might need to work a bit harder to do this, but the results should be worth it.