GDPR: A practical approach to Data Preparation; Paul Malyon - Experian

Editor's Notes

• #2: Information Notice: The information and opinions in this presentation are for general information purposes only and not provided as part of any contract or service. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is for each organisation to take its own decisions and its own advice on GDPR and regulatory compliance more generally.
• #3: This presentation highlights the basics about GDPR, attitudes of consumers and businesses and explains a methodology for prioritising and delivering contact data fit for GDPR. Information Notice: The information and opinions in this presentation are for general information purposes only and not provided as part of any contract or service. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is for each organisation to take its own decisions and its own advice on GDPR and regulatory compliance more generally.
• #4: So while there is a lot in the GDPR that is familiar, that organisations are already doing, and that may even just need them to think about how best to document what they’re already doing, there are some challenges that will impact all organisations. These are worth considering as soon as possible. 4 of the fundamental rights are all about access. Whether it be a formal SAR, portability request, error correction or deletion; people now have the right to much more access to their own data. Our research reflects an alignment in consumer attitudes with the requirements of GDPR – about 60% of people we spoke to expect to have access to a preference centre at the very least with the same number showing favourability to a personal information management service (or data locker). This could be a useful emerging trend in the coming years – especially where moving data from one controller to another is important. It’s clear though that organisations will need to consider how to make access to an individual’s data easier (whilst keeping it secure). It could even be a business differentiator in the years to come. Organisations need to be much more transparent (it’s one of the Principles). What data do you hold on me? Can I update it myself? Which bits of that data are used for what purpose? What can I demand be transferred to a new controller? How does your automated decision making work and who do I contact for human intervention? For industries such as insurance, this is particularly complex, reflecting all of the organisations that are involved in a policy. For all organisations in every industry, it’s worth considering what data you hold, which of those elements you are the controller for, how the individual can access it and of course what your policies are around portability, erasure and retention. Consideration should also be given to Data Minimisation. In the age of “Big Data” it’s easy to think that more is better. However, with GDPR, consideration should be given to whether more is really better or whether it just means greater risk. If data is not critical to a defined outcome or if the use case of that data cannot be clearly explained to the individual, is collecting and holding that data worthwhile? For example, does gender make a difference when delivering groceries? Are both home and mobile phone numbers needed if you only send email and SMS service messages? GDPR preparation is a good opportunity to look at how data can be minimised – we’ll talk more about how to do this later. Finally, GDPR brings up a number of process challenges around all of this. Can you respond to a SAR in one month? What about an erasure or rectification request? Can you be certain that deleting or changing data in one system will flow down to your other systems (as well as your data processor partners) within the allotted time? We’ll talk more about how a Single Customer View can assist with this later. Also, do you have a DPO in place to help manage all of this change and ensure that you practise Privacy by Design on an on-going basis? Do they have the tools they need to highlight risks to the board?
• #6: In 2016 32% of consumers regularly received duplicate marketing messages this has risen to 35% in 2017. Thinking about this from a GDPR standpoint – making use of inaccurate data could make individuals question how effectively the organisation is managing their data. Could this lead to an increased volume of SARs or complaints? Could the increase be down to a nervousness around using reference data in the new GDPR world? In 2016 69.7% of consumers expected their personal details to be right all the time. This has increased to 71.5%. While not a huge change, it’s moving in an expected direction as more consumers become knowledgeable about data. In 2016 57% of consumers believed that it was up to them to tell companies of a change in that data. This year, that has fallen to 48%. On the flip side, we’ve seen a change from 9% to 15% in the consumers expecting organisations to know or find out about these changes themselves. From a GDPR standpoint, consumers must be given the ability to update their data easily. Although, with a changing level of expectation, could organisations do more to give consumers a helping hand? However, only 2% want companies to share those changes – making for a lot of hard work on the part of the consumer if they move house. Again, what can organisations do to help consumers keep their data up to date? Suppression and other reference sources would be a good step to take alongside improvements to personal data access (e.g. a website preference centre). Adding to this sense of consumer burden, we see that in 2017 38% of consumers want to be reminded to update their data on a regular basis (down from 43%) whilst the % wanting the opportunity to update every time they use a service has actually gone up from 29% to 33%. It’s going to be interesting to look at these numbers again in a year once consumers have been asked to update their details in preparation for GDPR by lots of the sites they use. Could it be another case of Cookie warning fatigue? In 2016 61% would have considered a personal info management service (or data locker) if it were available. In 2017, we’ve looked in more detail at the kinds of services that consumers want to use to assure their identity (these are already popular with banking apps). Looking at those who said they were very or quite likely to use a service, we can see that the most popular (in order) are Secure key, digital ID and text verification. However, 45% are still happy to enter their details manually each time. The least popular (with 24% very unlikely to use it) was social ID – what’s causing this? It’s clear that this kind of service is increasing in popularity beyond financial services with many personal data apps using some form of two factor authentication to help us secure our data. It’s likely that the use and popularity of this form of data security will increase in years to come – whether we’re using general data lockers or not. To add a sense of caution to this though, in 2016 only 40% were drawn to the idea of a full on, one stop shop for storing and updating their personal data – this could be because the ideas behind these are often linked to Government holding all your data (a particularly troublesome subject in the UK).
• #7: 99% (v 96% in 2016) of organisations know GDPR is coming (although nearly 4% of the 99% are still ‘not very’ aware). In 2016 7% thought they were prepared, doubling to 15% this year – this still leaves plenty of work to do but over 50% are now somewhat prepared and only 1.9% are not at all prepared (down from 8% last year). Data driven processes are slow to change but are businesses leaving it too late? It’s really important for organisation to begin to understand where they are on their GDPR journey and prioritise what could be a large amount of work. This is something that the methodology that follows can assist with. There has been a huge swing in the number of businesses that are merely reactive to SARs. Down to 13% from 38% - this is a very positive indicator to how organisations will deal with GDPR. With the volume of SARs likely to increase, enabling self service or semi-automated processes will help reduce the burden. However, with an apparent decrease in the number of organisations enabling full customer access & amendment (13% to 5%) there could be a reason to question this level of preparedness. One important thing to consider with SARs, erasure and portability will be ensuring that all data on the individual can be discovered and processed quickly – we’ll come onto this in more detail later (SCV). Of concern is the fact that only 11% (down from 18%) have company wide data KPIs (only 11%, down from 29% have a function level one). Without this KPI in place, could some organisations be suffering from poor DQ and not even know it? How do they quantify the level of the issues without good measures? Are they missing an important part of their evidence base for Privacy by Design? We’ll look at how Experian Pandora can help later in this deck. Of even more concern is the falling use of suppression services (down from 53% to 32%). If organisations are not flagging mortalities and goneaways are they creating unnecessary risk for their customers and brand? Could sending marketing materials to a bereaved family or to the wrong address increase SAR volumes? Does this also increase the risk of identity fraud? Organisations need to practise Privacy by Design – suppression forms an important part of that. Slightly more encouraging though is the increase in use of real time data preparation services from 20% to 24%.
• #8: As you saw earlier, the research with Data IQ indicated that only 7% thought they were ready for GDPR in 2016, rising to 15% in 2017. It’s clear that many organisations are still working on it – some may not have started yet. If you are just at the start, you’re probably thinking about some of these points. From conversations I’ve been having with my clients, it’s clear that whilst the changes needed to Privacy Policies and business processes are well understood, many organisations are struggling to quantify the amount of work required on their personal data. If organisations don’t have a baseline understanding of their data, how can they quantify the risks and prioritise the work? These questions are a good way to test your approach to ensure that business processes as well as data processes are being considered. We’ll look into how to answer these questions shortly.
• #9: If you’ve already started your GDPR program, it’s important not to forget the data. Much of the work done so far may have focussed on Privacy Policies and Contracts – which is really important – but what I believe is crucial is to focus on the data itself and how it can impact the wider business goals (not just GDPR). If the GDPR program is being run as an IT exercise only or a Legal exercise only, is this posing a risk to the wider business? Have assumptions been made that the data is ‘good enough’ or that process and policy changes will be enough to handle an increase in SARs? Have the actual business users had a say about what they feel are the risks posed by GDPR? Have you checked that nothing in your data has fundamentally changes since you started on GDPR? What I’ll be running through for the rest of this session is a methodology that I believe can be as useful to those already making progress as it is to organisations just starting work on GDPR.
• #10: If we now start thinking about the data management processes involved in these key GDPR areas, it’s easy to become overwhelmed. Where do you start? How do you quantify and prioritise risks and tasks? How do you move from planning through implementation to BAU? Let’s start thinking about Investigate, Assess, Improve, Control.
• #11: Understanding what data you have & where it is may sound simple but for many organisations, the level of detail they need requires the kind of time & resources that may simply be unavailable or locked up in their IT / Analytics teams. This can lead to delays and disconnects between what the business need and what IT are able to deliver. For example, do you have a CRM database, billing database, supplier, marketing and loyalty database? Are they linked together with a single customer view? Does one database contain a master list of unique account identifiers? Are these really unique? Are the email addresses used in fulfilment usable? Can you track marketing consent to the date it was given? Many organisations may make assumptions that their data is fit for purpose so may fail to identify potential risks in their GDPR program. A Landscape Analysis (reviewing the entire business process with a focus on personal data) is a great way to begin to challenge assumptions and prioritise areas of focus. Our Data Healthcheck service (using Experian Pandora) can be used as part of this wider ‘Investigate’ phase to discover what form personal data takes and how complete or accurate it is. The appendix of this deck contains an example of a GDPR Healthcheck. Experian work with a number of partners to deliver the Healthcheck as part of a wider GDPR preparation service – with this initial phase usually delivering a Landscape Analysis (the Healthcheck can also be delivered independently if the organisation already knows which databases to look at and has a good understanding of how personal data flows through their processes and systems). An example Healthcheck is also included in the appendix.
• #12: Once an organisation knows what personal data it holds, where that data is, what form it takes, how accurate, complete and unique it is and how it flows around the organisation to fulfil defined business processes; they can begin to ‘Assess’ the risks and priorities that GDPR brings up. This often takes the form of a Data Relevance & Justification workshop (or similar set of interviews conducted over time). This workshop brings together a range of stakeholders that represent every department and every process that collects, uses or stores personal data. For example, someone from the Marketing team who manages the selections for campaigns alongside someone from Customer Support who handles returns or complaints and so on. The basic premise of the workshop is to run through every element of personal data held by the organisation and justify the continued collection, storage and use of that data through a scoring matrix and justification statements. Clearly, having people who understand the business process and permissions involved is an advantage at this time. The workshop or interviews should produce a Data Relevance Matrix with each field scored from high importance to low importance by each team based upon whether that field is truly critical to the business outcome for which they are responsible. The Justification statement accompanies each grade. An example of a matrix is in the appendix. The matrix can then be used to prioritise data – those fields that are critical to many teams should be carefully assessed for quality, permissions etc; whilst those fields not required by any team can be looked at as a good opportunity to minimise data collection, storage and processing; thus reducing risk. The matrix should be treated as a living document – updated each time a new purpose is requested or a new system introduced. It can form part of Privacy Impact Assessments.
• #13: Once an organisation has been able to assess the volume & quality of data that they have, understood which elements of data are business-critical and prioritised the management of that data, the previous healthcheck work can be used to begin to improve that data. Using a range of software and reference data, Experian Data Quality will help organisations tackle priority data issues, flag potential errors and ensure that contact data is fit for purpose. This can clearly support the GDPR principle of holding accurate data – either by directly correcting errors or flagging potential errors to be checked with the individual. Wider business benefits can be found from this process and, as we shall see, the clean data is a major part of what comes next. Beyond this, the same process can be automated to improve and protect critical data over time.
• #14: By ensuring that contact data around the organisation is of a high quality, it becomes easier to produce a Single Customer View. The business benefits of SCV are well known – GPDR simply adds even more reasons to take this data management strategy forward. A SCV can be delivered in a variety of ways but the outcome is the same – uniquely identify the individual across multiple data stores or multiple records within a data store. Key considerations from GDPR include: Data Accuracy: If you update data in one database, will those updates flow to other databases? If not, what risks are created? SAR & Data Access: Can an individual access all of their data? What if one data store is unavailable or the record can’t be found in the case of a SAR? Multiple identities: How do you deal with an individual who may be a customer and a supplier? Your B2C and B2B databases need to correctly identify this person. Erasure: Can you be certain that all versions of an individual are erased? Portability: Can you be certain that all of the relevant data for the individual is available to be ported to a new controller? Experian can assist with SCV using Pandora, the ExPin unique identifier and other tools as part of GDPR preparation or more general data management projects.
• #15: Preparing data for GDPR is clearly important. However, GDPR does not ‘end’ in May 2018. Ensuring that the hard work of understanding and improving data is not wasted will be just as important. Most organisations have multiple places where data can come into their databases such as the call centre, website, stores, partners, in real-time or bulk. How do you stop poor data from entering, and degrading your clean database? By implementing a “Data Quality Firewall”, your organisation can stop bad data from entering your systems. This firewall could be a number of things, some of the most common checks you may wish to adopt as part of your data capture strategy are: Validating key contact information such as address, mobile phone number and email address to ensure it is usable/accurate and that the customer can be reached ID & Fraud checks to ensure the individual is who they say they are Duplicate check against your current database to see if they already exist (maintaining your SCV)
• #16: GDPR requires organisations to be able to demonstrate that they are honouring the Rights, practising the Principles and following a Privacy by Design approach. As part of this, the organisation may wish to consider data KPIs (as seen in the earlier research, organisations are beginning to move in this direction) to act as part of their evidence base and their day to day data protection activities. Following work to implement a strong, data quality-led strategy; Experian Pandora can be used to ‘codify’ the data relevance matrix and produce the Data KPIs that could be a key indicator that data quality plans are working or that particular areas of data require more focus. For example, monthly reports could show that email validity is falling – this could be an early indication that a new data input point is not being validated correctly. Or an alert could be triggered if unique ID’s were found not to be unique. This on-going understanding of data could prove invaluable not just for GDPR but for putting your data to work – identifying opportunities to help customers or citizens or making things easier for your people by building the business case for better data quality.
• #17: To conclude, GDPR is clearly going to require change and careful planning. It also offers a fantastic opportunity to reshape how an organisation thinks about personal data and its customers. The benefits are not just regulatory but could also greatly improve the level of trust that customers have in a brand. However, time is now short. Prioritising the key areas to focus on will enable organisations to eliminate risk in a well managed, strategic approach. The methodology shown in this presentation takes a data-centric approach and should form part of a wider review of Policies, Processes & Systems that can impact personal data. Failing to act will not just risk the trust of customers but could lead to serious reputational and financial implications. Remember, it’s no longer enough to simply avoid a data breach – organisations must practise Privacy by Design and be able to demonstrate the care they take with personal information.
• #18: Information Notice: The information and opinions in this presentation are for general information purposes only and not provided as part of any contract or service. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is for each organisation to take its own decisions and its own advice on GDPR and regulatory compliance more generally.