Bringing in a GDPR privacy programme is hard work, said Robbie Burgess to the audience at DataIQ's RegTech event, but it has to be done despite the significant challenges.
To set the context, she works for RELX group, a FTSE 100 company which is the central parent company of four or five businesses with an (almost) federated structure. She is the global data privacy programme lead which effectively makes her the GDPR programme lead. The company has its roots in publishing but now describes itself as an information and analytics company as it both manages and sells data in lots of different forms. This is both B2B and B2C data and some of it is very sensitive – such as the data handled by its legal solutions business Lexis Nexis, as well as employee data, supplier records, customer records.
The breadth of data is just one of the challenges. Another is budget control, as she doesn’t hold the purse strings, because “all the business around, they make the money.” She had to fight for funding and convince the business to pay for this project, so there was a lot of persuading to do. A further challenge is trust. She said that as the businesses are very independent and are used to a very democratic way of working, they don’t really trust the parent company at the centre to know what it is doing. So, getting buy-in has been difficult.
The first thing to do was to explain what GDPR was because it was a mystery to many in the business. This was the first step in making the case for GDPR. After that case was made, the case for tech was much easier.
Burgess recommended to the audience that they point out the upside of GDPR in relation to the position and viewpoint of the person in opposition. For example, if the person who needs persuading is the CTO who is concerned about the reputation of the company, or an analyst who is worried about dirty data, you could say that at the heart of GDPR is really good data governance. It will mean the company will have a really good base to understand customers better, and organise data in the right way because legislation is driving better respect for data. If the person who needs persuading is worried about sales and making profit, point out to them that customers are less likely to spend with companies they do not trust with their data, as revealed in a recent Accenture survey.
By doing this she was able to convince the businesses that this is the time to get all their data sorted and to make a step change in the way the data is managed, and so they looked at enterprise data governance solutions.
However, she was able to forgo some tech. She said they already had a learning centre, which keeps track of who has and hasn’t been trained in data handling. One of the principles of accountability of GDPR is that everyone needs to know what they are doing, and a learning centre assists with that. Burgess doesn’t have a preference centre as she hasn’t seen one that she likes and that can meet their complex needs. She advises that if you are already managing preferences, it may be possible to leverage the existing technology to do that.
Burgess decided that they needed a solution with an enterprise-style licensing model, so the businesses would have some autonomy, and one that would also have transparency so she could see what all the businesses were doing.
It had to be able to implement a core spine of a questionnaire for people to answer but could be easily adapted because the businesses are different. It needed security permissions that could enable a federated approach. It also needed to have a workflow with multiple entry and be able to support a long-term project.
Once she chose a piece of regtech Burgess said she interrogated it beforehand to make sure it could be trusted and that it was well backed. “The real purpose of this technology is still emerging, so when we licensed out technology, their solution for this data inventory, it’s not entirely fit for purpose, we’ve had to make it work that way,” she said.
She said that mitigation tracking is difficult because they are not just using it to achieve the Article 30 requirements of documenting processes but also to do some discovery and uncover where they’ve got issues they need to resolve. The key discoveries they got from their tool were that they have inconsistent retention policies across the entire business, a lack of clear permission management in certain places, and that they haven’t got privacy impact assessments or data protection impact assessments.
“This whole process has helped us drive out all that understanding which gives us a really clear road map of what we’ve got to do next,” she said.
Throughout this process, Burgess has seen the way in which different people react to the mention of GDPR. She said that some people were rubbing their hands with glee, some were terrified, some thought it was a total waste of time, and some were genuinely worried. Burgess herself was pleased at the idea of the regulation as she thought: “At last, I’m going to be able to organise everything in the way I think the business should.”
Laura Scarlett, data transformation director at The Ramblers, was also present at RegTech, and she told the audience how, in her experience, three distinct ‘tribes’ in the data industry interact with each other and with data.
The “steady Eddies” of the IT department are often working with poor quality data and have a fear of getting the blame around working with it. Digital departments can have an inflated sense of their own importance as they were often introduced into businesses in a blaze of glory. Their close contact with customers and clients can lead to junior digital people making major strategic decisions. They can also be seen as arrogant at times. Finally, Scarlett explained that people in marketing departments are under a lot of pressure as their roles have been eroded since their heyday in the 1980s and 1990s. These people are frustrated that they are doing much more content and much less strategy.
Interestingly, Scarlett said that people in all of these departments avoid the responsibility of handling data whenever possible. Perhaps using the techniques that Burgess suggested, finding out what concerns them the most and explaining how better data governance could alleviate that concern, might do the trick.