SPONSORED SECTION
GDPR and Data Maps “X” MARKS THE SPOT TO DELETE By Julian Ackert
D
ata is one of the most valuable assets of businesses small and large. In fact, there is an entire industry of data brokers that do nothing but buy and sell data. There is so much potential value in data that some companies dedicate their own resources to build and maintain internal teams and practice groups with a sole focus on data analytics. For companies that do not have internal resources, there are a plethora of options for outsourcing. The potential value of data and other electronically stored information (ESI) is not restricted to corporate or public data (e.g., sales forecasting, stock market trends). Companies now consider personal data a commodity, in some instances the most valuable data. The potential for invasion of privacy requires that companies assess and strike a balance between the use of personal data as a commodity and the privacy of individuals. A very relevant example of this is the now defunct company Cambridge Analytica, which in my opinion will become a case study in most business analytics curricula. We’ve been using maps for a very long time. Pirates used maps to find buried treasure. Explorers like Lewis and Clark created maps of their travels to document new territories. Today, automobile navigation systems use maps to guide drivers toward desired destinations. In each of these scenarios, maps were used for location purposes. But as corporations deal with the latest milestone in compliance, the EU General Data Protection Regulation (GDPR), maps can be used to get rid of something — specifically, personal data that falls in scope of GDPR Article 17, “The Right to Erasure,” commonly re-
ferred to as “The Right to be Forgotten.” The language of Article 17 starts with “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.…” What follows are the specific requirements and exceptions. PERSONAL DATA DEFINED
But what constitutes personal data? Article 4 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directA DATA ly or indirectly, MAP ALSO in particular by reference to an HAS USES identifier such OUTSIDE as a name, an GDPR. identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This is a broad definition with potentially devastating impacts for businesses. The complete removal of this type of data could have a negative effect on future revenues, especially for companies that mine for data on consumer information as part of their marketing and business development activities. Is that potential risk the cost of doing business with the EU? If the GDPR expands beyond the EU, would that be the cost of doing business globally? It is important to understand that there is another option that allows for the
preservation of the data’s value. Rather than complete removal of personal information, a company can leverage a data anonymization process to remove personal data, and sanitize the data sets that are used for any data mining tasks. With appropriate implementation of data anonymization, a company may be able to maintain consumer-related information in a manner that does not allow for the identification of a ‘data subject’ as defined in GDPR Article 4. However, truly anonymizing data can be a complex exercise. The evergrowing and changing sources of data can make something that was once anonymized identifiable again. Additionally, if a company does not have an existing enterprise architecture with data marts and warehouses, implementing them, or integrating data anonymization, may be more expensive than selective deletion of consumer information. A return on investment exercise could be the right course of action before new implementations and technologies are developed. If a company is asked to delete personal data in accordance with the GDPR’s specific requirements, it needs to first understand where personal information resides within its data storage systems. This could be difficult. Companies have a myriad of data systems with data flowing in, out and through — potentially billions of records every second. Corporate data systems may have technical documentation that could provide a good baseline for a data map. For example, data dictionaries, which define the contents of an application database, and data flow diagrams, which identify the flow of data within a system, can both be used as
23