The May 25, 2018 deadline for General Data Protection Regulation (GDPR) may have come and gone, but the compliance journey is only just beginning as firms review systems built to get them over the line and plan more robust and sustainable solutions that can support a cost-efficient response to data subject access requests and accommodate regulatory change over the long term.
The outstanding data management issues of GDPR and the potential of a Quick Start solution for firms within the scope of the regulation were discussed during an A-Team Group webinar this week. The webinar was moderated by Sarah Underwood, editor of A-Team’s Data Management Review and joined by Hany Choueiri, GDPR consultant at AON; Craig Taylor, an independent consultant and former GDPR programme manager; Jennifer Shorten, technical delivery architect, EMEA, at MarkLogic; and Chris Atkinson, solutions architect, EMEA, at MarkLogic.
The webinar opened with an audience poll that set the scene on compliance levels in capital markets. Some 39% of respondents said they were somewhat compliant with GDPR on the compliance deadline, 26% were completely compliant, 22% were close to compliance, 9% could show intent, and 4% were not at all compliant.
Noting a predominantly positive response to the poll question, Choueiri said: “GDPR has not been a tick box exercise for most financial services firms. It has been hard work and has put data privacy at the heart of organisations. It is also a journey, with firms having ongoing compliance plans through 2018 and beyond.”
A second audience poll asked the webinar audience which are the toughest, ongoing GDPR data management challenges. Getting consent to use personal data topped the poll results with 52% of respondents citing it as a challenge. Some 48% cited identifying personal data, 44% providing access to personal data, 37% storing personal data, and 33% keeping personal data up to date. Reflecting on the poll results, Taylor commented: “It’s difficult to get visibility of all data subjects across all systems. The right to be forgotten is also a challenge and asks open questions on how far firms must go to comply. Must data be deleted, or could it be marked as not to be used?”
Considering GDPR solutions, Atkinson noted the need for a client centric view of personal data coupled to strong data governance. Shorten noted that if firms run data governance across systems rather than focussing on data subjects, there is a chance that they won’t be compliant.
Atkinson went on to describe MarkLogic’s GDPR Quick Start solution that supports compliance, delivers a 360-degree view of clients and can be up and running in four weeks. He explained: “Large and small firms typically aggregate data across multiple systems. Quick Start adds a layer of consent management on top of the aggregated data and uses event management techniques to maintain a composite record of consent across systems. This provides a 360 view of clients.” Among other features, the solution includes white, grey and black lists of data identifying what personal data can and cannot be used based on data subjects’ consents.
On the opportunities beyond GDPR compliance of a 360 view of clients, Shorten commented: “The client data can be anonymised and used for purposes such as gaining business insight.” Summing up GDPR requirements and offering some final advice to data practitioners working on the regulation, she concluded: “Know where personal data is, not just where it might be, and find a solution that supports data mapping. The winners will be firms that can comply with GDPR and maintain the agility needed to innovate, change and grow.”