12 Months to GDPR: The Year of Metadata
The General Data Protection Regulation (GDPR) is a bit like Brexit for some people: you secretly hoped the day was never going to arrive, but GDPR is coming and there will be major penalties if companies don’t have a strategy for how to address it.
A year from now, on 25 May 2018, GDPR will go into effect. That means all businesses and organisations that handle EU customer, citizen or employee data, must comply with the guidelines imposed by GDPR. It forces organizations to implement appropriate technical and organizational measures that ensure data privacy and usage is no longer an after-thought. GDPR applies to your organization, regardless of the country in which it’s based if it does any processing of personal data from European citizens or residents. So, depending on how your organization manages personal data on behalf of its customers, such as “opt-in” clauses, GDPR could become your worst nightmare in the coming year if you aren’t properly prepared.
At Talend we talk about a lot about digital transformation, being data-driven, data being the new oil, and any other turn of phrase you might consider, but for a moment spare a thought for metadata. Metadata is your friend when it comes to addressing the many requirements stipulated by GDPR. Of course, metadata has been in the news for different reasons in the recent past BUT I reiterate it is critical to solving GDPR.
The regulation applies if the data controller (organisation that collects data from EU residents) or processor (organisation that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU 
Does GDPR apply to your company?
If the answer is ‘yes’ to any of the following questions, then GDPR should be a high priority for your company:
- • Do you store or process information about EU customer, citizens or employees?
- • Do you provide a service to the EU or persons based there?
- • Do you have an “establishment” in the EU, regardless of whether or not your store data in the EU?
Where to begin when addressing GDPR for your customers
First, you need to understand the rights that your customers have in regards to their personal data. When it comes to GDPR there are many regulations around personal data privacy.
For example, perhaps you implement the following GDPR data privacy guidelines in your systems:
- • Customer has the right to be forgotten
- • Customer has the right to data portability across service providers
- • Customer has the right to accountability and redress
- • Customer has the right to request proof that they opted in
- • Customer is entitled to rectification of errors
- • Customer has the right of explanation for automated decision-making that relates to their profile
In a world where customer data is ‘king’, being captured by the terabyte, you need a controlled way to collect, reconcile, and recall data from multiple, disparate sources in order to truly comply with GDPR regulations. It should be stated that GDPR impacts all lines of business, not just marketing, so a holistic approach is fundamentally required in order to be compliant with the regulations. That’s where metadata comes in.
The Value of Metadata
In order to have a complete view of all the data you have about a person, you need to have access to the associated metadata.
Metadata sets the foundation for compliance as it brings clarity to your information supply chain, for example:
- • Where does data come from?
- • Who captures or processes it?
- • Who publishes or consumes it?
This critical information is the backbone to establishing a data governance practice capable of addressing GDPR. Your organization needs to define the policies, such as anonymization, ownership, data privacy, throughout your organizations, including an audit trial for proof of evidence should an auditor arrive at your door.
Stephen Cobb of welivesecurity.com just published a great article on GDPR where he compiles the following list that highlights the key implications of the forthcoming GDPR regulations —including financial consequences and costs. I strongly recommended reading the article in full.
Top 11 Things GDPR Does
- Increases an individual’s expectation of data privacy and the organization’s obligation to follow established cybersecurity practices.
- Establishes hefty fines for non-compliance. An egregious violation of GDPR, such as poor data security leading to public exposure of sensitive personal information, could result in a fine of millions or even billions of dollars (there are two tiers of violations and the higher tier is subject to fines of over 20 million euros or 4% of the company’s net income).
- Imposes detailed and demanding breach notification requirements. Both the authorities and affected customers need to be notified “without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach]”. Affected companies in America that are accustomed to US state data breach reporting may need to adjust their breach notification policies and procedures to avoid violating GDPR.
- Requires many organizations to appoint a data protection officer (DPO). You will need to designate a DPO if your core activities, as either a data controller or data processor, involve “regular and systematic monitoring of data subjects on a large scale.” For firms who already have a chief privacy officer (CPO), making that person the DPO would make sense, but if there is no CPO or similar position in the organization, then a DPO role will need to be created.
- Tightens the definition of consent. Data subjects must confirm their consent to your use of their personal data through a freely given, specific, informed, and unambiguous statement or a clear affirmative action. In other words: silence, pre-ticked boxes, or inactivity no longer constitute consent.
- Takes a broad view of what constitutes personal data, potentially encompassing cookies, IP addresses, and other tracking data.
- Codifies a right to be forgotten so individuals can ask your organization to delete their personal data. Organizations that do not yet have a process for accommodating such requests will need to establish one.
- Gives data subjects the right to receive data in a common format and ask that their data be transferred to another controller. Organizations that do not yet have a process for accommodating such requests will need to establish one.
- Makes it clear that data controllers are liable for the actions of the data processors they choose. (The controller-processor relationship should be governed by a contract that details the type of data involved, its purpose, use, retention, disposal, and protective security measures. For US companies, think Covered Entities and Business Associates under HIPAA.)
- Increases parental consent requirements for children under 16.
- Enshrines “privacy-by-design” as a required standard practice for all activities involving protected personal data. For example, in the area of app development, GDPR implies that “security and privacy experts should sit with the marketing team to build the business requirements and development plan for any new app to make sure it complies with the new regulation”.
But there is much more…
All of the above points are noteworthy, but as a parent of three children, #10 is worth a special callout. If organizations are gathering data from underage people, they must have systems in place to verify ages and gain consent from guardians.
Article 8 of the GDPR requires that companies:
- • Identify who is, or is not, a child
- • Identify who the parents or guardians of those children are.
So as you see, GDPR puts an enormous onus on any organization that collects, processes and stores personal data for EU citizens. I’ve got feeling that 2018 will be the year metadata becomes even more important than we ever previously considered. For more on metadata management, see how Air France-KLM is using Talend Metadata Management to implement data governance with data stewards and data owners to document data and processes.