GDPR: Who Will the Winners Be?

GDPR: An unrivaled opportunity to revolutionise data management.

GDPR is set to rebalance the ‘datasphere’ to place the individual, rather than the business, at its centre. While not in place yet, the legislation has already rocked the business world, and it is likely that most businesses will not be fully compliant by May, when it will come into force.

The new legislation has three main strands that will affect how personal data – that is, any data that can be used to identify a person – is stored and used.

  1. GDPR will require businesses to supply customers or users with any personal data they store: The business must make it available for immediate download ‘where possible’, or at the very least ‘without undue delay’. The maximum time to respond for a company is a month.
  2. GDPR will give an individual the right to be forgotten: the company must be able to delete the data on request as well.
  3. GDPR will require companies to have explicit permission to use a person’s data: The individual must have opted in (ticked a box) having been given information in plain English about how their data will be used.

Has your data been used without your permission?

The threat of large penalties for non-compliant companies has made GDPR a potential new PPI, with hopeful cold callers and law firms looking to cash in. However, if we flip the situation on its head, the new legislation is an opportunity for companies to revolutionise their data management. The action every business should consider is to set their data free and allow it to be viewed or accessed by customers through a web portal or API.

The approach would also not be unprecedented as a response to legal transparency requirements.

Camden Open Data

Long before GDPR, the Freedom of Information Act has required public authorities to respond to requests for information, including data, within 20 days. This gives public authorities even less time than the month allotted to businesses by GDPR.

While this 20-day period seems like plenty of time for an authority to respond, there is no way to predict what data will be requested. The result is a system where civil servants in the relevant department of a local authority must respond reactively to requests when they arise. The time taken to get this data must be absorbed by the person responsible.

Camden’s Open Data scheme has effectively turned the scales for the local authority. Any data that it is required to provide for transparency is available through an open portal (or, if preferred, an API) linked to internal databases. This alone saves time required to manually upload this data each quarter or year.

Beyond this, various other data – from parking fines to a dataset containing every publicly managed tree in the borough – is available for anyone to look at and download. This data is up to date, with the portal refreshing its connection with Camden’s internal servers regularly.

The portal also provides some visualisations of the data, but the open sourcing of the data means that anyone with an interest can analyse and visualise to their own specifications and desires. Here’s one I made showing the highest rated alcohol licensed premises by food hygiene rating for each Lower Layer Super Output Area in Camden.

As a result, Camden Council is now able to respond to many FOI requests with a reference to the data online, rather than having to contact the person responsible for the data and having them tailor-make a table for the request. Any FOI requests that cannot call on the online data are also then uploaded to a database viewable online so that repeat requests need only be addressed once.

Will Businesses Follow Suit?

The problem facing businesses is undoubtedly a different beast to freedom of information requests. However, the same principle can be applied: make data available online where possible. Care will have to be taken to prevent personal data leaking through the web, or any effort will become self-defeating, though personal logins or API keys are well suited to this.

Allowing open access to data has the benefit of forcing a business to follow strong data management practices. Businesses with thousands of databases and connected apps, each with separate iterations of the same person’s data, will be able to respond to data requests much more efficiently if a single person is treated as a single entity within the business’s database. In order to create an API or web portal, the data has to be cohesive and easily understood. The end user becomes a check and balance, as poorly managed data will be picked up by them. To suit the customer’s needs, the data must be designed so that each person can access all their information with one personal login or API key.

Once strong data management is achieved, the business unit will also benefit. Master Data Management, where each entity is identifiable with a unique key, results in much more streamlined queries of databases, and less space is taken up storing information. Furthermore, to analyse a customer’s interaction with different arms of the business, less time will be wasted joining data based on name and address or other information, which inevitably change and go out of date.

What is more, referring to customers using a unique key, rather than their name and address, achieves anonymisation across most of the business’s data. Only those with access to the data table that stores personal information against the unique identifier would be able to work out the personal details of the customer. Further compliance with GDPR is easily achieved by providing access to this table on a needs-only basis, with data analysis carried out only on the anonymised set where possible.
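The design described in the last three paragraphs, sketched as an added example that is not part of the original article: personal details sit in one table against a unique key, every other table carries only that key, and a personal API key scopes access and erasure requests to its owner. The table names, customer ids and API keys are constructed for illustration, and the example assumes API keys are random, high-entropy tokens stored only as hashes.

```python
import hashlib
import sqlite3

# Constructed schema: personal details live only in `identity`; every other
# table carries the opaque customer_id and nothing that names the person.
SCHEMA = """
CREATE TABLE identity (customer_id TEXT PRIMARY KEY, name TEXT, address TEXT);
CREATE TABLE api_keys (key_hash TEXT PRIMARY KEY, customer_id TEXT NOT NULL);
CREATE TABLE orders   (order_id INTEGER PRIMARY KEY, customer_id TEXT, total_pence INTEGER);
CREATE TABLE tickets  (ticket_id INTEGER PRIMARY KEY, customer_id TEXT, subject TEXT);
"""
SUBJECT_TABLES = ("identity", "orders", "tickets")  # fixed list, never user input

def _hash(api_key):
    return hashlib.sha256(api_key.encode()).hexdigest()  # only the hash is stored

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO identity VALUES (?,?,?)", [
        ("c-001", "Alice Example", "1 Sample St"), ("c-002", "Bob Example", "2 Sample St")])
    conn.executemany("INSERT INTO api_keys VALUES (?,?)", [
        (_hash("alice-demo-key"), "c-001"), (_hash("bob-demo-key"), "c-002")])
    conn.executemany("INSERT INTO orders (customer_id, total_pence) VALUES (?,?)",
                     [("c-001", 1250), ("c-001", 800), ("c-002", 4300)])
    conn.execute("INSERT INTO tickets (customer_id, subject) VALUES ('c-002', 'Late delivery')")
    return conn

def subject_for_key(conn, api_key):
    """Resolve an API key to the single customer it belongs to."""
    row = conn.execute("SELECT customer_id FROM api_keys WHERE key_hash = ?",
                       (_hash(api_key),)).fetchone()
    if row is None:
        raise PermissionError("unknown API key")
    return row["customer_id"]

def export_subject(conn, api_key):
    """Access request: everything held on the caller, and only the caller."""
    cid = subject_for_key(conn, api_key)
    return {t: [dict(r) for r in conn.execute(
        f"SELECT * FROM {t} WHERE customer_id = ?", (cid,))] for t in SUBJECT_TABLES}

def erase_subject(conn, api_key):
    """Erasure request: delete the caller's rows everywhere; returns rows removed."""
    cid = subject_for_key(conn, api_key)
    with conn:  # one transaction, so a failure leaves no half-erased subject
        return sum(conn.execute(f"DELETE FROM {t} WHERE customer_id = ?", (cid,)).rowcount
                   for t in SUBJECT_TABLES + ("api_keys",))
```

Because every table joins on the same key, both requests reduce to one query per table, and analysts can be granted `orders` and `tickets` without ever being granted `identity`.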

GDPR is just months away now and it remains to be seen how effectively businesses have responded. The losers will be penalised with crippling fines, but it will be more interesting to see which companies become the winners and take the opportunity to revolutionise their own data management in response to the legislation.

by Rob Lee

Posted on March 01, 2018