GDPR & SAP BI Compliance
What is the significance of the new General Data Protection Regulation (GDPR) for BI practitioners?
How will the May 25 GDPR deadline affect your BI deployment?
How will you:
- Embed data privacy into operations?
- Manage information security risk?
- Maintain the rights of data subjects?
These are not easy questions, and the points I make in this post are not a substitute for legal advice. However, we can look at the broad strokes of the legislation and get an idea of the scope of effort required to bring your BI practices into compliance with the GDPR.
Privacy Is the Price We Pay
Consumer trust is essential to the long-term viability of the digital economy. To foster that trust, the EU has developed the GDPR, which aims to give citizens of the EU control over their personal data.
By clarifying regulations around data privacy, the regulation also aims to simplify compliance for businesses. Of course, one might be forgiven for believing the opposite, because the introduction of any new data privacy regime has complications and pitfalls for all business entities.
One aspect of the regulation that may be worrisome for business: it has teeth. A violation can lead to a fine of up to 4% of annual global revenue, or €20M, whichever is greater. In addition, the GDPR gives data subjects the right to seek compensation for distress caused by the mishandling of private information, which may vastly increase the cost of data breaches beyond the statutory penalties. The objective seems to be to make data privacy difficult, if not impossible, to ignore.
Privacy is the price we pay for doing business with EU data subjects.
Embedding Data Privacy into Operations
The question may arise for many companies outside of the EU: does it make sense to segment personal data into EU and non-EU, or does the standard imposed by the GDPR present a best practice for data privacy, regardless of the data’s origin?
The GDPR embraces the principles of Privacy by Design. This means that privacy cannot be an afterthought, but must be embedded in your business and BI processes. The GDPR is meant to change the way you think and act with regard to privacy.
Data privacy should be regarded as a best practice in your business processes, rather than as an inconvenience.
Managing Information Security Risk
One way to reduce information security risk is to limit the data subject information you gather to what is specifically necessary to your dealings with the data subjects. The GDPR codifies this practice (with special categories that provide exceptions), and although it may run counter to the instincts of analysts looking for the thinnest sliver of competitive advantage, you have to be able to justify your requests for information.
Another way to limit information security risk is to place an expiration date on it, and this is in fact required by the GDPR. You must define a point in time at which personal information can no longer be processed for the purpose for which it was gathered.
In general, private information should be anonymized and encrypted at every opportunity, and you should note that the GDPR applies not just to information that is clearly private, but also to any data that can be traced to identify an individual (for example, IP addresses).
Maintaining the Rights of Data Subjects
In general, data subjects have the right to control the who, where, when, why and how of the ways in which their personal information is collected, processed and retained.
Perhaps the most important of the rights of data subjects is the right to understand and determine level of consent. You must have clear consent to use the data for the purpose for which it was collected.
This right needs to be considered throughout your BI processes ‑ from the collection of data, through the creation of BI content, and its distribution for use in decision making. The potential risk is large, so you must maintain an awareness of where and how personal information is used, as well as an awareness of who has access to such information within your BI system.
Note: this post is the first in a series of posts on the GDPR, including: