Changes in the protection of personal data – GDPR
The European Union, wishing to give citizens greater rights to the protection of personal data while extending the responsibility of entrepreneurs, has prepared the General Data Protection Regulation. Under the regulation, organizations that collect, store and process personal data have to adapt to the new guidelines by May 25, 2018.
Many changes require the redefinition of business processes and data management policies, identification of data processing sources, and data flow inventory. Concerns related to the reorganization of processes and the complex reconstruction of IT systems are exacerbated by the regulation’s lack of strictly defined requirements. In addition, the obligation on entrepreneurs to analyze and evaluate the risk to personal data protection on an ongoing basis may cause concern.
The regulation is the basis for products and services offered by IT companies, law firms and consulting companies. Bidders often point to the potential penalties for non-compliance. They emphasize a cost-effective approach to implementing the regulation without putting any effort into treating it as a means to improve the operation of the company. Meanwhile, the implementation of appropriate solutions that ensure compliance with GDPR requirements can bring tangible benefits to the organization, in the form of acting in accordance with the letter of the law and creating additional business value.
The rights of the individual are the overriding good
Before we deal with the added value, let’s look at the regulation’s main objectives. The GDPR is primarily designed to extend and strengthen the individual’s rights to protect personal data. Every person has the right to information and the right to be forgotten, which means that, at his request, the trader should delete all information relating to him, from all sources. Part of the deletion process is quite simple – it’s easy to delete a customer record from the CRM database. Still, it’s not easy to locate the customer’s data that appeared in the email correspondence between two bank employees. The customer will also have the right to transfer his data, the right to object and not be subject to automatic decisions, and the right to limit processing. The benefits of these rights for the individual are quite obvious, and they serve to improve security and promote the free flow of services. The processing of data or the threat of their loss when changing the service provider should not influence the consumer’s decision.
From the entrepreneur’s point of view, enabling the client to use these rights is not an easy task, especially in large organizations with a huge number of data sources.
The register of personal data is an indispensable element of preparation
When approaching the task methodically, the first step should be to discover data sources existing in the enterprise and then catalogue them if they contain personal and sensitive data. If this is achieved, the entrepreneur will obtain a register of personal data, central information on where and what sensitive data is stored, and where it should be deleted.
The register of personal data will enable the customer to use the rights granted to him by the regulation. Without such a register, exercising them seems impossible. The regulation does allow for cases where it is impossible to meet the client’s expectations in terms of providing him with information on the processing of personal data. You must then prove, however, that every effort has been made and that it is “technically impossible” to make the data available. Proving this seems as complicated as simply sharing the data, if not more so, especially since it is technically possible to create and periodically update the register.
An innovative tool for creating a personal data register
Creating a register is possible, but it is not trivial. TUATARA offers a tool that was built specifically for the implementation of the GDPR. Apart from the possibility of integrating sources of any complexity, its main advantage is the functionality of recognizing Polish personal data, regardless of its form and place of occurrence.
This is possible thanks to the advanced techniques of Natural Language Processing and Machine Learning models, which are the basis of the solution and have been prepared with national organizations in mind. This, in turn, makes the tool the first solution of this type on the Polish market and allows you to create a personal data register necessary for the proper implementation of the GDPR.
Added value in compliance with the regulation
Imagine that a company register of personal data has been created. It is a compendium of knowledge about the existence of personal and sensitive data throughout the organization. It contains information from structured sources – databases, applications, archival data or customer service systems – but also from unstructured sources – chats, emails, call centre call transcripts, social media. Combining efforts to ensure the individual’s rights to the protection of personal data with organizing the data inside the company can bring real benefits – optimization of operational processes, reduction of operational risk and improvement of customer service.
GDPR: from regulation to monetization – conference
In a tripartite agreement with IBM and the law firm Gawronski & Partners, TUATARA has developed a concept that allows you to look at GDPR from the perspective of benefits for the organization. The synergy between the obligation to protect personal data and their processing allows us to create additional business value and improve customer satisfaction.
On September 12, we organized a conference on the approach to GDPR implementation at the TUATARA office. We presented the concept we created and three real cases of using GDPR solutions to obtain additional business value in the banking sector.
Attorney Maciej Gawroński discussed the legal aspects of the regulation, and IBM and TUATARA experts talked about the technological area necessary to comply with GDPR. For the first time, we presented a unique tool on the Polish market, based on advanced natural language processing algorithms, which enables the discovery of sensitive data in structured and unstructured sources and keeping a register of such data in each organization. Additional value can be obtained from the knowledge gathered in the register.
A picture is worth more than a thousand words – you can experience the conference once more by replaying the recording from the online broadcast.
We closed the conference with an extremely interesting panel, which was attended by:
- Maciej Gawroński, attorney-at-law – Expert in Business Law and Information Technology Law, Managing Partner, Gawronski & Partners
- Dr Maciej Kawecki – Coordinator of the National Data Protection Reform, Deputy Director of the Data Management Department, Ministry of Digital Affairs
- Marta Olipra-Kruszka – Direct Campaigns Expert, PKO Bank Polski SA
- Moderator: Grzegorz Kuliszewski, Financial Sector Director, IBM