GDPR and Data Vault – Compliance

GDPR and the Data Vault – Compliance Part 2

Our earlier blog concluded that GDPR is likely to morph into an ongoing Data Governance project that extends beyond the immediate scope of GDPR’s personal data. That is certainly the case in our clients’ businesses.

GDPR places an obligation on you to prove compliance

GDPR places an obligation on you to support a set of rights for the individuals about whom you hold personal data (including the special categories of sensitive data). When these rights are implemented they take the form of a set of policies, accountabilities, processes and system changes.

GDPR also places an obligation on you to prove compliance – that the obligations placed on you are being met, i.e. that the policies, accountabilities and processes are more than just documents and that they are actually being followed. This requires formal, tamper-evident records that provide evidence of policies and procedures being followed – in effect, another system, or systems, of record.

In a small business, or maybe as a stop-gap solution, tracking compliance can be managed using a spreadsheet and email records. Individuals’ applications to exercise their rights can be logged and dated. Any stages in delivery of response (e.g. notifying of an extension) can be additional columns. Evidence of communications can be saved in a special email sub-folder. Weekly copies of the tracking sheet could be printed off, signed, counter-signed and filed.

Most businesses will want to implement requests as an automated workflow, and a CRM system (using its service management functionality) would seem to be an ideal platform to support this. CRM systems integrate well with email, call centre and web forms, can be configured to hold the history of contacts and actions taken to satisfy each service request, and will track and demonstrate procedural compliance.

Requests to exercise data protection rights can be a sign that something is wrong with the trust customers or employees have in your organisation

Requests to exercise data protection rights can be a sign that something is wrong with the trust customers or employees have in your organisation, or in the suppliers with whom you share their data. What is the context causing the level of mistrust that leads to a request to disclose records, cease processing or forget an individual? How is the process we follow to respond to these requests performing over time – are we becoming more or less efficient? Who is asking – are they valued customers, and did they churn? Were there external reasons for a spike in requests – a Twitter post, perhaps, or a newspaper article?

These sorts of analyses require the GDPR process data to be linked back into, and merged with, other system data – where we hold that data ourselves or can source it from an external platform such as Twitter – i.e. we need an integrated Data Warehouse of the sort offered by a Data Vault 2.0 solution. Before we perform this analysis we will also need a lawful basis for it, and a privacy notice that states we use personal data to improve customer service and experience.

Why a Data Vault? Like other integrated data warehouse models, it offers an integrated view of key entities such as customers or employees. Where it differs is in its hub and satellite structure: a hub holds only the business key that identifies an individual (plus a hash of that key, a load timestamp and the record source), and the descriptive attributes about that individual sit in satellites that are typically split by source system, each row again stamped with its load timestamp and record source. The model therefore both integrates the data around one identifier and keeps it clearly separated by origin. This provides the data your data scientists or analysts need to identify the reasons or patterns behind GDPR rights requests.

And – importantly – if a data subject exercises the right to be forgotten, you can easily locate their data in the data warehouse, because it is all assembled around the hub record representing that individual; you can identify which source systems it came from, because every satellite row carries its record source; and you can then take steps to forget them.
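The following is an added, self-contained illustration of those last two points (locating a subject via the hub, and erasing their satellite history) using a deliberately minimal Data Vault in SQLite. It is example code written for this page, not code from the original post or from any Data Vault product. The table and column names (hub_customer, sat_customer_crm, sat_customer_billing, erasure_log), the use of an e-mail address as the business key, and the sample rows are all constructed assumptions; link tables, which a real vault would also have to be walked, are omitted for brevity.

```python
"""Locate and erase one data subject in a minimal Data Vault (SQLite, stdlib only)."""
import hashlib
import sqlite3
from datetime import datetime, timezone

# Constructed schema: one hub, two source-specific satellites, one erasure log.
# Table/column names are assumptions for this example, not a standard.
SCHEMA = """
CREATE TABLE hub_customer (
    customer_hk    TEXT PRIMARY KEY,      -- hash of the business key
    customer_bk    TEXT NOT NULL UNIQUE,  -- business key (here: e-mail address)
    load_dts       TEXT NOT NULL,
    record_source  TEXT NOT NULL
);
CREATE TABLE sat_customer_crm (
    customer_hk    TEXT NOT NULL REFERENCES hub_customer(customer_hk),
    load_dts       TEXT NOT NULL,
    record_source  TEXT NOT NULL,
    full_name      TEXT,
    phone          TEXT,
    PRIMARY KEY (customer_hk, load_dts)   -- one row per version of the subject
);
CREATE TABLE sat_customer_billing (
    customer_hk    TEXT NOT NULL REFERENCES hub_customer(customer_hk),
    load_dts       TEXT NOT NULL,
    record_source  TEXT NOT NULL,
    postal_address TEXT,
    PRIMARY KEY (customer_hk, load_dts)
);
CREATE TABLE erasure_log (                -- evidence that the request was actioned
    request_id     TEXT PRIMARY KEY,
    customer_hk    TEXT NOT NULL,
    erased_dts     TEXT NOT NULL,
    rows_removed   INTEGER NOT NULL
);
"""

# Fixed list of satellites hanging off the hub; only these names are ever
# interpolated into SQL below, never user input.
SATELLITES = ("sat_customer_crm", "sat_customer_billing")


def hash_key(business_key: str) -> str:
    """Data Vault 2.0 style hash key: normalise the business key, then SHA-256."""
    return hashlib.sha256(business_key.strip().lower().encode("utf-8")).hexdigest()


def build_vault() -> sqlite3.Connection:
    """Create the schema and load constructed sample rows for two subjects."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t0 = "2024-01-01T00:00:00Z"
    for bk in ("alice@example.com", "bob@example.com"):
        conn.execute("INSERT INTO hub_customer VALUES (?,?,?,?)",
                     (hash_key(bk), bk, t0, "CRM"))
    a, b = hash_key("alice@example.com"), hash_key("bob@example.com")
    conn.executemany("INSERT INTO sat_customer_crm VALUES (?,?,?,?,?)", [
        (a, t0, "CRM", "Alice Smith", "0100"),
        (a, "2024-02-01T00:00:00Z", "CRM", "Alice Jones", "0101"),  # later version
        (b, t0, "CRM", "Bob Brown", "0200"),
    ])
    conn.executemany("INSERT INTO sat_customer_billing VALUES (?,?,?,?)", [
        (a, "2024-01-15T00:00:00Z", "BILLING", "1 High St"),
    ])
    conn.commit()
    return conn


def locate_subject(conn: sqlite3.Connection, business_key: str) -> dict:
    """Return {satellite: [(load_dts, record_source), ...]} for one subject.

    Because every satellite row carries its record_source, the result also
    answers 'which source systems must act on this request'.
    """
    hk = hash_key(business_key)
    found = {}
    for sat in SATELLITES:
        rows = conn.execute(
            f"SELECT load_dts, record_source FROM {sat} "
            "WHERE customer_hk = ? ORDER BY load_dts", (hk,)).fetchall()
        if rows:
            found[sat] = rows
    return found


def forget_subject(conn: sqlite3.Connection, business_key: str, request_id: str) -> int:
    """Erase all satellite history and the hub row for one subject, then log it.

    Runs as a single transaction so the vault is never left half-erased with
    no evidence; returns the number of rows removed.
    """
    hk = hash_key(business_key)
    removed = 0
    with conn:  # commit on success, roll back on any exception
        for sat in SATELLITES:  # satellites first, then the hub they reference
            removed += conn.execute(f"DELETE FROM {sat} WHERE customer_hk = ?", (hk,)).rowcount
        removed += conn.execute("DELETE FROM hub_customer WHERE customer_hk = ?", (hk,)).rowcount
        conn.execute("INSERT INTO erasure_log VALUES (?,?,?,?)",
                     (request_id, hk, datetime.now(timezone.utc).isoformat(), removed))
    return removed


if __name__ == "__main__":
    db = build_vault()
    print(locate_subject(db, "alice@example.com"))
    print("rows removed:", forget_subject(db, "alice@example.com", "REQ-0001"))
    print(locate_subject(db, "alice@example.com"))
```

Two caveats worth noting. The erasure log keeps the hash key so that a later audit can show which request removed which records without storing the e-mail address again; but an unsalted SHA-256 of an e-mail address is pseudonymised data, not anonymised data, so that log is itself in scope of the retention policy. And the deletion here is the simple case: in a real vault the same hash key will also appear in link tables and possibly in point-in-time or bridge tables, and any downstream marts or backups loaded from the vault need their own erasure or expiry process.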