The basics of data mapping in the age of the GDPR

Now organisations are preparing for the entry into force of the GDPR (General Data Protection Regulation) in 2018, the first stage for many of them will be to acquire an overview of their whole information chain. This is the first step for enterprises in terms of best data management practices when preparing for the new regulation.

Knowing the source of data concerned in privacy

To be fully prepared, organisations must know the source of privacy-relevant data; where does it come from, where is it going, how is it processed and who is consuming it? Given the increasingly demanding data management environment, navigation among this data calls for the implementation of more and more complex data mapping capacity.

To employe an analogy: before the advent of mobile technologies, you bought road maps when you visited a new region, because it was the only way of finding out where you were in unknown areas. But these maps were static.  They fast became obsolete in the absence of capacities for dynamic analysis of context.  In other words, there was no way of updating for road works, traffic problems, newly built roads, etc. Any change to infrastructure meant drawing a new map.

There was also an issue with a lack of transparency.  For example, with no means of geolocation, passengers had no way of knowing whether their taxi driver was actually taking the fastest route to their destination. The introduction of GPS changed everything. Passengers now have a more precise and dynamic view of an area, with constantly updated details of traffic, roads and weather conditions. Today, we even use GPS on routes we know in order to keep up with any problems that may crop up along the way.

The need for a precise view of data

We are currently witnessing a similar change when it comes to data management. Previously, many enterprises had no need for dynamic mapping of their data. It was enough for them to have an overall representation of their structure on paper. But now, with the explosion of data, things are evolving, and this change needs to accelerate still further with the entry into force of the GDPR.

Consequence: businesses will need a more precise view of their data. For example, they will need to know where it is stored, but also to be familiar with the global context; in other words, a dynamic real-time view of all the data. They will also need to be able to demonstrate transparency as regards the rights of those concerned, such as the right to be forgotten, the right of access and the right of correction.

Deep navigation in data management

Having explained the value of managing metadata, starting from this 360° view, let us now look at the deeper management of data to uncover the practical applications of the concept. Once again, a recurrent theme stands out: the vital importance of being able to make heterogeneous collections of data match in order to achieve management which complies with the requirements of the GDPR.

One of the principal effects of this regulation will be to constrain businesses to adopt a more global vision of their private data and its management. Previously, organisations managed these aspects on the basis of their confidentiality, then processed the specific consent given by users, but to a limited extent. In general, marketing departments , customer services or HR can be held responsible for the management  of private data and notifying the competent authorities.

But with the GDPR, businesses will now be required to maintain a global vision of the private data they manage. An enterprise may know an individual in a multitude of contexts: as a target for marketing, a customer in their CRM system, a subscriber to digital products or services or a user connected via a connected object (IoT). Overlaps between these profiles make it possible to track their activities or their movements.

All of these elements together show the global vision that business need to have on their data in order to comply with the GDPR.

Acquiring a complete view of data

To obtain this global view, we must start with private data, performing what is known as taxonomy on the data.  Applied to an employee, for example, this involves collating information on their performance, their pay, their social benefits, and even data on their health or their families. All this information goes to complete a glossary (possibly using high-end professional tools).

It then becomes possible to allocate responsibilities on the basis of the field within which the data falls, by for example designating a body responsible for employees’ health data or performance data. Then those responsible can choose the basic principles for their data policy, inter alia by defining a retention strategy (in other words, how long it needs to retain particular types of data before archiving or deleting it).

From this point, it is possible to provide deep processing of critical data (passport numbers, dates of birth, gender, number of children, civil status and other identification data, for example).

Once this process is engaged, it will be easy for the business to determine which collections of data need to be controlled. Even not knowing exactly where all this data is stored, it will at least be able to catalogue the information that needs to be managed and that to be taken into account in the event that a customer requests amendments or deletion.

Establishing adequate connections

The next step is to connect the data points that need to be protected using a metadata management technique known as “stitching”. This method consists of linking the data items in question to the physical system which manages them. If the organisation concerned is interested in data on identities, it will have to connect to the HR system, but also possibly to the payroll management system.

It will undoubtedly also have to take account of the fact that identity data can be found in the recruitment system, since the individual in question was a candidate before being an employee. Lastly a check will have to be carried out on the professional and travel expenses management system, which can contain of sensitive information, not least credit card numbers.

For compliance, business will thus have to implement the “stitching” process described above to get a full view of the lifecycle of their information. Thus, when applicants become employees, the business will be able to reconcile all the information concerning them in its data environment.

Solid foundations

At this stage the business has already trodden a long path as regards metadata management:

1. It has developed a form of dynamic mapping, as described in our analogy with the GPS;
2. All the elements have been defined and linked to the system which uses them, and the relationships and dependencies between each system have been established.

The same principles apply to data masking. Here the organisation uses its mapping and data integration capabilities to apply recommendations to the data. The aim may be to disguise (or even mask completely) the precise date of birth of an individual within the system, or to avoid segregation between applicants of different generations within the recruitment system.

As we have seen in several instances, good management of metadata requires a dynamic vision of data. To pursue the GPS analogy, you need to be able to view the customer pathway. But business must also be able to react each time that an exception arises. Metadata management is not just a question of mapping and visualising data. It also reveals what measures to take in the event of a problem and supporting advice. After all, the most recent GPS systems are not content with just telling you where there are tailbacks. They go as far as suggesting a completely new route.  It is precisely this type of benefit that metadata management can offer enterprises.

A mature technology

Previously, and despite the explosion in the volumes of data recorded in many sectors, the market in metadata management remained restricted to highly regulated industries such as banking, financial services and health services. But with the GDPR this need has now been extended on a far wider scale.

This could be the moment to consider metadata management as a step towards operationalising the data protection process, whether for this new regulation or another.