GDPR: Secure your data, but don’t lock away the insight
Technologies and strategies for GDPR compliance must consider marketers’ needs, says Aberdeen Group's Judith Niederschelp
GDPR has captured board-level attention in most organisations. The severity and scale of potential fines have pushed it up the agenda, despite uncertainty over how it will be enforced. Senior decision-makers now understand the requirements, and they’re keen to get ready for the 25 May 2018 deadline.
But before enterprise-wide initiatives for compliance are rolled out, it’s vital that marketers’ data needs are fully understood. GDPR strategies and technologies place a lot of emphasis on controlling and reducing access to personal data. However, this requirement needs to be interpreted and implemented with care. Taking a blanket approach risks placing unnecessary barriers between marketing professionals and essential insights.
Not all data needs to be protected under GDPR
Many organisations are currently in the ‘data discovery’ phase of GDPR preparations. That is, establishing how much personal data is held – and where – in order to protect it.
There can be a tendency to leap straight from this phase to the selection of data protection technologies and procedures. But it’s important to take a strategic approach to data governance first. This is about understanding and managing the way data is handled, controlled and processed. And it is probably the most complex part of GDPR compliance.
A balance needs to be struck between protecting personal data and ensuring the business functions that need it can continue operating smoothly post-GDPR. Enterprise-wide initiatives for safeguarding data must consider the core business processes that require the data in the first place.
Data should be categorised to ensure that protection measures and controls are proportionate and cost-effective - not all data needs to be protected under GDPR. Establishing policies for the way different classes of data are handled by human users and automated business processes can facilitate smooth day-to-day operations in-line with the requirements.
Marketing-friendly tactics for GDPR compliance
There are many innovative technologies available, providing a wide range of data security controls. However, our analysis has revealed that even the most sophisticated solutions use a combination of just six fundamental approaches:
1. Do nothing
Not all data needs to be protected, so don’t waste time and resources on it. This underlines the importance of identifying and categorising data at the outset.
2. Manage access
Set up a centralised store for personal data, and only provide access to authorised, authenticated users.
3. Monitor and filter usage
The solution should offer visibility of personal data that's being accessed and distributed as well as flagging data movements that potentially violate security policies.
4. Encrypt the data
Encryption helps protect the confidentiality and integrity of personal data. Developing a common approach to managing the lifecycle of encryption keys supports a greater scale of encryption and reduces the total cost of ongoing management.
5. Substitute non-data for data
Approaches such as tokenisation can be used to substitute sensitive information with random values while maintaining the length and format of other fields to minimise the impact on business processes.
6. Apply persistent controls
Rights management solutions can control how data is used even when it leaves the boundaries of enterprise-managed computing infrastructure.
Some of these approaches render data anonymous, meaning that GDPR stipulations do not apply. This is ideal for enterprise-wide initiatives, and means marketing and data professionals can continue extracting value from data assets.
The holistic view
GDPR wouldn’t matter quite so much if data wasn’t so essential to revenue-generating business operations. It’s important to provide a productive, friction-free environment for users and automated processes that require data, while ensuring personal information is protected. Marketers need to engage with the GDPR decision-making process at the earliest opportunity to ensure data protection and data usage requirements are met.
This free comprehensive guide explains what the General Data Protection Regulation (GDPR) is, how this incoming data protection law will affect your organisation, and the practical steps to take to prepare for it.