The General Data Protection Regulation (GDPR), introduced by the European Union, took effect on May 25, 2018. With the introduction of the GDPR, organizations will be under intense scrutiny regarding how they use the personal data of customers, employees, and prospects. Non-compliance can lead to heavy fines, so it is imperative for organizations to understand the data that they collect and use it only in the manner approved by the data subject.
“Defining Acceptable Use Standards” is Step 6 in this plan.
Practical Steps to GDPR Compliance now.
GDPR’s Perspective on Data Use
The GDPR clearly articulates the basis on which personal data can be used. There is a definite shift from existing standards to create a tighter framework for organizations. Here, we discuss the two core tenets relevant for acceptable data use:
Lawfulness of Processing
Article 6 of the GDPR deals with the lawfulness of processing personal data. The article discusses specific situations in which processing personal data is allowed, such as:
- The data subject has given consent.
- Processing is necessary for the performance of a contract or legal obligation.
- Processing is necessary to protect the vital interests of the data subject or of another person.
To implement this, the data governance team must establish controls to ensure any new projects that require use of personal data get sign-off from legal and compliance during the design phase. There should also be a clear listing of what these situations are, specific to the organization.
For example, if an investment bank wants to process personal data for anti-money laundering (AML) obligations, it has to be established whether this is allowed or not. Such scenarios need to be explicitly drafted and signed off.
Conditions of Consent
As per Article 7, clause 1, of the GDPR, a controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data. The idea is that data should only be used if the subject consented to it, and only in the manner in which the subject intended it for use.
For example, if the subject provided consent to receive email campaigns, but not phone calls, this partial consent has to be recorded, and data used only for email campaigns.
GDPR recommends that the data governance team work with IT, legal, and compliance to establish an enterprise consent repository. This repository has to be a single inventory of all consents including those for email campaigns, cookies, and phone contacts.
Record of Processing Activities
As per Article 30, each controller shall maintain a record of processing activities under its responsibility. It should list each and every personal data processing activity together with:
- Its purpose
- Who is accountable
- A description of the categories of data subjects involved and of the categories of personal data
- The categories of recipients to whom the personal data have been or will be disclosed
- Information about potential transfers of personal data to a non european country
- Their retention time
- A description of the security measures for that data
How to Use Talend to Define Acceptable Data Use
Talend Master Data Manager (MDM), Talend Big Data, and Talend Data Quality support the creation of a GDPR data lake, where all information related to a data subject, including personal data and consents, are brought together. In the big data era, where consents can be registered in multiple sources, this data lake helps reclaim data from various sources and reconcile them.
Figure 1 shows how a Talend job reclaims opt-in data from a third party marketing system and uses Talend MDM to publish this consent information across all applications that require them. The job also leverages Talend Data Quality to reconcile data between the outsourced system and the centrally managed GDPR catalog.
Figure 1: A Talend job combines data quality, data stewardship, and big data integration in a unified, visual environment to collect, standardize, reconcile, certify, protect, and propagate personal data.
This graphical representation of a data pipeline is fully automated and can be operated in collaboration with business teams. For example, business users can participate in the definition of data controls using Data Preparation and/or in the data certification and curation process (e.g., resolving duplicates) using Talend Data Stewardship.
Talend Metadata Manager can also act as a catalog of acceptable use standards for personal data elements. For example, if a new value, such as “halal” for the attribute “meal preferences,” is being brought into the big data environment, Talend workflows can be used to obtain legal sign-offs because this field may potentially be used to determine the religious affiliation of a data subject—something that is expressly governed by Article 9 of the GDPR.
Talend MDM maintains a log of master data updates including opt-ins. In Figure 2, the log shows that consent was added to customer “Pierre Flores” on June 14, while a deeper dive into this record will provide full record lineage, demonstrating that the website was the application that collected the opt-in.
Figure 2: Talend MDM provides record level lineage, thereby providing an audit trail for opt-ins and any other data related to a data subject.
Next Steps to GDPR Compliance
Defining acceptable use standards is at the core of what the GDPR is all about—the way personal data is processed. Talend’s tools simplify this process considerably by providing automation mechanisms to understand, store, and interpret the data landscape.
The next step of the 16-step plan put together by Talend to operationalize a data governance framework for GDPR compliance is data masking. Data masking deals with techniques such as anonymization and pseudonymization to protect data.
To see all the 16 steps together, don’t miss the on-demand webinar, Practical Steps to GDPR Compliance. The video covers information on creating a data taxonomy, identifying data owners, identifying critical data elements, establishing collection standards, and more.