[GDPR Step 13] How to Manage End-User Computing
The General Data Protection Regulation (GDPR), introduced by the European Union (EU), has applied since May 25, 2018. It covers not only personal data processed in core IT systems but also personal data held in end-user computing applications, which are often standalone tools built and maintained by business users rather than by IT.
We recently hosted an on-demand webinar, Practical Steps to GDPR Compliance, that focuses on a comprehensive 16-step plan to operationalize a data governance program that supports GDPR compliance.
Managing end-user computing is Step 13 in this plan. The first twelve steps are each covered in their own article in this series.
GDPR’s Impact on End-User Computing Applications
End-user computing (EUC) is when business users create their own ad hoc applications to address specific requirements. As these users are usually not professional developers, EUC applications typically take the form of spreadsheet formulas and macros, scripts, or tools built in visual, low-code interfaces rather than software developed and maintained by IT.
Organizations use a significant volume of EUC applications in the form of spreadsheets and databases that may be stored on desktops or in cloud-based repositories. For example, it is common for users to have standalone spreadsheets that generate reports and calculate metrics.
Article 32 of the GDPR addresses the security of processing. It requires controllers and processors to implement appropriate technical and organizational measures, and it names pseudonymization and encryption of personal data explicitly. This requirement applies to end-user computing applications as well.
EUC applications are typically outside the control of IT and may contain sensitive personal data. They usually lack the controls applied to IT-managed systems (access control, change management, backup, logging), so they are more likely to leak data or be altered without anyone noticing. Hence, they require attention from data governance to avoid reputational damage and regulatory fines.
Managing EUC apps also matters in the context of the right to erasure, or "right to be forgotten", in Article 17 of the GDPR. Organizations cannot leave copies of a data subject's records in unmonitored applications after that person has requested erasure.
How to Manage End-User Computing Applications: 5 Key Steps
Many organizations do not recognize that EUC apps fall under the purview of data governance. With the GDPR, any organization that processes personal data of individuals in the EU has to take note of such apps and act to ensure compliance.
Here are a few steps to managing EUC applications:
- Draft policies — Data governance, together with legal and compliance, needs to draft policies that bring these apps under the organization's data protection standards. The policies should also state that EUC apps must not hold sensitive personal data in the future.
- Take stock — EUC application management is challenging because most of these apps are standalone and often hidden; compliance teams may not even know they exist. Data governance needs to build an inventory of these apps, for example by scanning file shares, endpoints and cloud storage for spreadsheets, local databases and scripts, so that data protection can be enforced.
- Analyze data — After EUC apps are identified, analyze their contents to see whether any sensitive information is in use. In particular, data in the special categories of Article 9 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation) may only be processed under one of the conditions in Article 9(2); finding such data in an unmanaged spreadsheet is a red flag that needs remediation.
- Establish data protection standards — Once the EUC apps and the way they use data are understood, establish protection mechanisms such as pseudonymizing or masking identifying fields where the identity is not needed for the task, and restricting who can open the files.
- Bring EUC to IT — The long-term goal should be to phase out standalone EUC apps and bring their functions under IT ownership, so that standard monitoring, access control, change management and support apply.
Using Talend to Manage End-User Computing Applications
Talend tools offer two ways to reclaim control over end-user computing:
1. Alternative Solution for EUC
The first solution for reclaiming control is to provide a better option than office automation tools for those who work with personal data. Approximately twelve percent of employees in an organization engage in self-service data preparation using various spreadsheets, with operations and forecasting as their most frequent use case (49%).
Talend Data Preparation provides a more effective approach to data preparation for business users, including tasks that involve personal data. It tracks and traces related activities by automatically capturing personally identifiable information (PII) attributes within a data source, together with the actions business users take on them (Figure 1).
Figure 1: Talend Data Preparation provides better self-service options than Microsoft Excel and other office applications for data preparation and for the capture of business user activities for safer control and reuse.
2. Data Protection within EUC
The second approach to reclaiming control over end-user computing is to detect personal data in free-form text after it has been collected, and then act on it, for example by categorizing or masking it.
Talend Data Quality uses machine learning, in the form of natural language processing, to extract and tag potential personal data from free-form text within a document (e.g., email, Microsoft Word, or PDF), an application (e.g., Salesforce, Zendesk, or ServiceNow), or user-generated content within a web or mobile application (e.g., social media or a discussion forum). References to personal data in free-form text can thus be tagged and processed automatically, which lets the process scale to real-time and big-data workloads. Detection in free text is probabilistic, so tagged items should be sampled and reviewed before masking or erasure is applied to records in scope for a data subject request.
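The "take stock", "analyze data" and "establish data protection standards" steps above, and the free-form text tagging just described, as an added example in Python that is not Talend's code: it scans a constructed spreadsheet export and a constructed support ticket for personal-data patterns, flags a column header that suggests an Article 9 special category, summarizes the findings per source (the inventory), and replaces detected values with keyed HMAC tokens so that records can still be joined but identities cannot be recovered without the key. The file name, ticket id, regular expressions, hint words and sample records are assumptions for illustration; a real scanner needs locale-specific identifier patterns and validation.

```python
"""Scan end-user computing (EUC) artifacts for personal data and
pseudonymize what is found. Added example, not Talend's code."""
import csv
import hashlib
import hmac
import io
import re
from collections import Counter
from dataclasses import dataclass

# Detection patterns are assumptions for illustration. A real scanner needs
# locale-specific identifiers (national IDs, tax numbers) and checksum
# validation to keep the false-positive rate usable.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+\d{1,3}[ -]?\d{2,4}(?:[ -]?\d{2,4}){2,3}"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}
# Header words hinting at Article 9 special categories. This only flags a
# column for human review; it does not prove such data is present.
SPECIAL_CATEGORY_HINTS = ("health", "diagnosis", "religion", "ethnic",
                          "race", "union", "sexual", "biometric", "genetic")

@dataclass
class Finding:
    source: str     # EUC artifact: file name, ticket id, ...
    location: str   # cell reference, or "body" for free-form text
    category: str
    value: str

def scan_text(source, text, location="body"):
    """Tag PII occurrences in one string (a cell, an email, a ticket)."""
    return [Finding(source, location, category, m.group())
            for category, rx in PII_PATTERNS.items()
            for m in rx.finditer(text)]

def scan_csv(source, content):
    """Scan a spreadsheet export cell by cell and flag suspicious headers."""
    rows = list(csv.reader(io.StringIO(content)))
    found = []
    if not rows:
        return found
    for col, header in enumerate(rows[0], 1):
        if any(h in header.lower() for h in SPECIAL_CATEGORY_HINTS):
            found.append(Finding(source, f"header C{col}", "special_category", header))
    for r, row in enumerate(rows[1:], 2):
        for c, cell in enumerate(row, 1):
            found.extend(scan_text(source, cell, f"R{r}C{c}"))
    return found

def pseudonymize(text, findings, key):
    """Replace each detected value with a keyed HMAC-SHA256 token: stable
    across files (joins still work), not reversible without the key.
    Header-level special-category flags are left for manual remediation;
    a column called health_notes cannot be fixed by string replacement."""
    out, seen = text, set()
    for f in sorted(findings, key=lambda f: len(f.value), reverse=True):
        if f.category == "special_category" or (f.category, f.value) in seen:
            continue
        seen.add((f.category, f.value))
        token = hmac.new(key, f.value.encode(), hashlib.sha256).hexdigest()[:12]
        out = out.replace(f.value, f"<{f.category}:{token}>")
    return out

def inventory(findings):
    """Per-source counts: the 'take stock' view for data governance."""
    summary = {}
    for f in findings:
        summary.setdefault(f.source, Counter())[f.category] += 1
    return summary

# Constructed sample inputs (made-up names, addresses and IDs): a forecasting
# spreadsheet export and a free-form support ticket.
FORECAST_CSV = (
    "customer,email,phone,health_notes,q3_forecast\n"
    "Anna Schmidt,anna.schmidt@example.com,+49 30 12345678,diabetic,1200\n"
    "Bob Lee,bob.lee@example.org,,none,800\n"
)
TICKET_TEXT = ("Customer anna.schmidt@example.com asked to be forgotten; "
               "refund to DE89370400440532013000 first.")

def run_scan(key=b"demo-key-replace-me"):
    """Inventory both sources, then produce pseudonymized copies of each."""
    findings = (scan_csv("forecast.xlsx", FORECAST_CSV)
                + scan_text("zendesk#4711", TICKET_TEXT))
    return (findings, inventory(findings),
            pseudonymize(FORECAST_CSV, findings, key),
            pseudonymize(TICKET_TEXT, findings, key))

if __name__ == "__main__":
    findings, summary, masked_csv, masked_ticket = run_scan()
    for f in findings:
        print(f"{f.source:14} {f.location:10} {f.category:17} {f.value}")
    print({src: dict(c) for src, c in summary.items()})
    print(masked_csv, masked_ticket, sep="\n")
```

Running the script lists six findings: two e-mail addresses and a phone number in the spreadsheet, the `health_notes` header flagged for review, and the same e-mail address plus an IBAN in the ticket. Because the token is an HMAC under one key, the customer's address maps to the same token in both sources, which is what makes an erasure request traceable across EUC copies; rotate or destroy the key and the tokens become unlinkable. Note that the value "diabetic" survives masking untouched: pattern matching finds identifiers, not meaning, which is why the special-category flag is a review item rather than an automatic fix.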
Next Steps to Managing End-User Computing
EUC applications tend to fall off organizations' radar as a priority because of their low visibility. With the GDPR, they can no longer be ignored. Companies must either migrate EUC workloads to a governed platform or manage data protection within the EUC apps themselves. In both cases, Talend tools can be of assistance.
The next step of Talend’s comprehensive 16-step plan to achieve GDPR compliance is governing the lifecycle of information.