General Data Protection Regulation – Right to be informed – Technology Strategy

The Right to be Informed (about processing) under the General Data Protection Regulation covers personal information gathered directly from the individual, through their interactions with the organisation, or via third parties.

The technology challenge with this right is making sure that the correct individual is identified and informed about the processing. Even the act of informing the individual is fraught if that individual has already notified the organisation that they do not want to be contacted. From a legacy systems viewpoint, good search, matching and linking are required to ensure the right individual is contacted and that they have given prior consent to communication.

Organisations that have implemented a CRM (customer relationship management) system (such as Salesforce, Dynamics CRM or Siebel) to provide a ‘single view of the customer’ will be able to use Master Data Management technologies (such as IBM InfoSphere or Informatica PowerCenter) to match and link information related to individuals and enrich the CRM with consent information. The consent information should be evidentially recorded with a secure timestamp and a cryptographic hash of the record, and access provided to those systems that need to enforce compliance (via a RESTful interface that uses the secure hash as the key).

Tactics for compliance include scanning and processing paper forms into an indexed evidential document store that provides a (RESTful) interface for supplying compliance information. When new information is obtained about the individual, existing processing and data consent will need to be revalidated and the individual informed of the change. Typically I have seen Elasticsearch used for search indexing, with an Enterprise Content Management System (Alfresco Digital Business Platform or IBM FileNet) storing the documents and the results stored in the CRM system, synchronised with an evidential status store based on NoSQL or SQL technology.

The right also requires that the individual be informed within a reasonable time and in a manner acceptable to them: easily understood and convenient. This could be post, e-mail, SMS or notification, depending on the client’s needs and especially to comply with accessibility requirements. These channels all need gateway technologies, such as print and email/SMS gateways (Twilio, for example), to ensure the individual can be contacted.

From an open source viewpoint the equivalent stack would be Elasticsearch (for search), Apache NiFi (for search and linking), Apache HDFS (for document storage) and the database of your choice (MySQL, Postgres, MongoDB or HBase are on my shortlist). Adding an API gateway (Mule, Knox or Kong) provides other systems with the consent information, which can trigger a notification to the user when new information is recorded or processing changes (using event stream processing with Apache Storm, or via AWS Lambda/Azure Functions if cloud based).

Overall, the strategy to support this right points to an event-driven architecture as the strategic way forward, so that new information being collected or obtained triggers an evaluation of the change, which in turn triggers notifications to the individual. Whether these are spontaneous single actions or batched into meaningful, yet still timely, notifications, the event-driven approach still stands.
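As an added illustration of the evidential consent record and the event-driven revalidation described above (example code written for this page, not from the original post or from any of the products it names): an append-only consent store whose records are keyed by the SHA-256 of their content and chained to the previous record, plus a change handler that reports which purposes need revalidation and whether the individual may be contacted. Assumed simplifications: an in-memory dict stands in for the NoSQL/SQL status store and the REST lookup, and a plain UTC timestamp stands in for a trusted timestamping service.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" carried by the first record in the chain

def record_hash(record: dict) -> str:
    """SHA-256 of canonical JSON (sorted keys), so identical facts get identical keys."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class ConsentStore:
    """Append-only evidential consent store (assumed in-memory stand-in for the status
    store). Each record embeds the previous record's hash, so altering any stored
    record breaks verification of everything recorded after it."""

    def __init__(self):
        self.entries = {}  # hash -> record; what a REST GET /consent/{hash} would return
        self.latest = {}   # subject id -> hash of that subject's newest record
        self.tip = GENESIS

    def record(self, subject_id, purposes, contact_allowed, timestamp=None):
        # Assumption: a plain UTC timestamp stands in for a trusted timestamping service
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        rec = {"subject": subject_id, "purposes": sorted(purposes),
               "contact_allowed": contact_allowed, "timestamp": ts, "prev": self.tip}
        h = record_hash(rec)
        self.entries[h] = rec
        self.latest[subject_id] = h
        self.tip = h
        return h

    def verify(self) -> bool:
        """Walk from the newest record back to genesis, recomputing every hash."""
        h = self.tip
        while h != GENESIS:
            rec = self.entries.get(h)
            if rec is None or record_hash(rec) != h:
                return False
            h = rec["prev"]
        return True

def on_new_information(store, subject_id, new_purposes):
    """Event handler for newly obtained data: report which purposes lack recorded
    consent and whether the individual may be informed (never contact an opt-out)."""
    rec = store.entries.get(store.latest.get(subject_id))
    consented = set(rec["purposes"]) if rec else set()
    uncovered = sorted(set(new_purposes) - consented)
    return {"needs_revalidation": rec is None or bool(uncovered),
            "uncovered_purposes": uncovered, "notify": bool(rec) and rec["contact_allowed"]}
```

A subject with no record, or with a record that does not cover the new purposes, is flagged for revalidation; a subject who has withdrawn contact permission is flagged but never marked for notification, which is the "fraught" case the text describes.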


General Data Protection Regulation – Technology Strategy

The GDPR (General Data Protection Regulation), which comes into force in the UK on 25 May 2018, is part of the evolving legal landscape as digital transformation changes society’s interaction with organisations. Regardless of Brexit, if a UK organisation wishes to process data about individuals from Europe, the regulation needs to be followed.

The regulation forms the policy around privacy-by-design, complementing security-by-design, and feeds into an organisation’s technology strategy.

In summary the GDPR adds:

  1. The right to be informed (of the use of data)
  2. The right of access
  3. The right to rectification (of errors)
  4. The right to erasure (to be forgotten)
  5. The right to restrict processing
  6. The right to data portability (to move to a different supplier)
  7. The right to object (to processing)
  8. Rights in relation to automated decision making and profiling.

Like the original UK Data Protection Act, the GDPR aims to make sure that information is used appropriately, accurately and not excessively by any organisation. The change is not only the provision of new rights but a new enforcement regime with much stiffer penalties, so the trade-off of investment vs. penalty is skewed towards more investment. For some organisations the penalty is an existential threat to the company, and definitely something the board will care about and the shareholders will take notice of in the annual report.

My experience of non-compliant organisations under the Data Protection Act, as a customer, reminds me of the need for such protections. A financial institution tried to derive my financial profile from my banking records, not recognising the fact that I have multiple bank accounts for different purposes, and the individual accounts gave a poor perception of my overall financial needs. Similarly, a credit card company assumed I was a bad risk due to an error in my employment status and so raised my interest rate, only to plead with me to stay when I corrected the error, cleared the balance and cancelled the card.

As a former data protection controller I understand the pressure of balancing the needs of the business against the regulatory framework, and so I offer some technology strategy solutions to meet these needs.

From a technology strategy perspective there are a number of technologies and design patterns that provide solutions to each provision under the GDPR. Organisations with legacy infrastructure will be challenged to comply with each unless they take remedial action through tactical fixes followed by strategic change.

In this series I will cover the eight rights and offer tactics and strategies to comply with each in the form of technologies and design patterns.

For more please see the UK Information Commissioner’s Office guidance: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/