GDPR compliance challenges and solutions and how technology has benefited them
By Sue MacLure, Head of Data, PSONA Agency
Never have 4 letters struck such terror into the hearts of CIOs as G, D, P & R. But do I mean terror? Or do I really mean an overwhelming attack of lethargy at the thought of all the documentation, process management, training and internal communications that need to be done for something that we thought we all had covered? It’s not like we weren’t looking after our data asset before, right?
Or at the very least, if we thought we weren’t looking after it well enough, we had a roadmap to get it right, safe, and well-structured, with the right access points and tools for internal use. And then along came GDPR, which, whilst not a million miles away from the Data Protection Act in terms of principles and approach, did throw a couple of curve balls that made us revisit our data strategy.
Subject Access Requests and Right to be Forgotten.
Suddenly there was a need to actually know where everything was held and who was doing what with it at a granular level, not just a conceptual level. If someone asked for a copy of their data you had to show it all, and not just a description of what you do with it, but actually the data you hold.
To a lesser degree there was also preference management, which many of us already had a solution for, but there is a renewed focus on granularity, transparency and access to change those preferences.
There are some great technologies out there that can help with this – without necessarily needing to fundamentally recreate your existing architecture.
A specific solution that caught my eye is a combination of a couple of tools, Quadient Inspire and Quadient Data hub, into a Privacy Compliance tool. It handles the data gathering, either through the creation of a new SCV or, more simply, through call outs to your systems that centre just on people’s names and addresses rather than every single data element. This only requires the brand to map the relevant source names and addresses into a central hub, and it then calls out the associated fields as and when a request comes along. Once the match to all source systems has been established (and there are some very impressive name match scenarios that it picks up), the second tool takes over: a means of displaying that data in a document format. This document format can be templated to your choosing, with the ability to then serve it to the requestor’s in-box, letter box or phone depending on their preference. There’s also a workflow tool built in to make sure the relevant sign-off procedures are followed internally before handing out personal data to anyone who requests it.
This same technology could then be used to identify where data is residing if an individual has asked to be forgotten, whilst keeping a central reference library of appropriate identifiers to maintain the audit trail.
The other one I quite liked is MyLifeDigital’s Consentric. This is a tool that gives a front end to your preferences in a way that is incredibly granular and allows a customer to determine how they do, or do not, want you to use every single element of their data – including profiling (another little curve ball). It displays every legal basis for using data, the commercial rationale for doing so, should you so choose, and allows them to be switched on or off. In the background it keeps an audit trail for future reference to handle those tricky “why did you change my preferences” conversations.
We often come across technology solutions in search of a problem to solve. But for the first time in a while it feels like there really is a common problem that technology can solve.