Master Data Management and GDPR
Whilst I have had some time ‘on the bench’, I thought I would do some investigation into the impact of GDPR on Master Data Management practices. To be honest, I have usually left all things ‘Data Protection’ to the IT and Legal teams, running anything vaguely legal past them for a compliance check.
So, to my findings. GDPR is an EU Regulation (as opposed to a Directive), which means it automatically applies to ALL EU member countries (and some non-EU ones; I’ll come back to that later) and is automatically legally binding.
The aim is to put power into the hands of the people: to give us increased powers over our personal data, how it is stored, what is being done with it and why. Organisations must get comprehensive consent from us to collect and use this data; opting in or out with a check box is no longer sufficient. That sounds really great, “power to the people”, but in reality how many of us in the general population are really going to be that interested?
For organisations of over 250 employees that collect, hold and process this personal data, however, regardless of whether ‘the people’ are ‘bothered’, the regulations have some significant impacts, not least the risk of a fine of up to 4% of global turnover for non-compliance.
So what does that mean for me, working in Master Data Management? From a Master Data perspective there are a number of areas where we are collecting and storing personal data. I’m thinking primarily of Customer and Vendor data, but this could also include employee master data (an interesting feature of the new regulation is that encrypted data is also now included under the legislation). Those of us managing master data outside of the UK might think we’re not impacted; however, if you are collecting, storing or processing data on EU residents then you are expected to meet the regulations too. There are also stricter requirements around only holding relevant and up-to-date data with consent, and not holding this data for any longer than is necessary (though I can't find anything that specifies what this actually means).
Many of these aspects should already be part of a best practice approach, or at least what we strive to achieve: collecting only relevant information and keeping it up to date, having processes to deal with redundancies, etc.
So what might we need to consider post-GDPR? The initial data collection process will need to be clearer in terms of seeking active consent (where relevant); the opportunity to withdraw consent must also be provided (and both recorded somewhere), along with a clear purpose for requesting the data. Interestingly, a couple of firms have already been fined for emailing customers and asking them to clarify such consent, so I can see keeping the data up to date could be challenging.
Greater attention will need to be given to what data is to be collected, how long the data will be held for (which may differ between processes), and how the data should be deleted when no longer required, with policies and procedures being firmed up. A new strategy, process and procedure will be required for handling personal data requests: the regulation requires that an individual can request to know exactly what data is being held about them and why, and they can also request that their data be transported to another organisation’s database (CSV format). How, therefore, do you ensure the person requesting the data is who they say they are? Who is going to take ownership of managing such requests?
In many ways I can see that this legislation may actually help reinforce many of the best practice principles for Master Data Management, and give further leverage for investing in sound master data management practices given there is now a ‘legislative’ need.