Data Matching for GDPR

GDPR protects Internet users from companies acquiring their info without consent. It has a direct impact on the day-to-day operations of companies that are doing business online. Most of these businesses rely on “cookies,” to create customized ads and direct consumers to websites and products – without consent. Before GDPR, customer data would be recorded for marketing, advertising, and even for business use, of which the user would have no idea!  

As part of GPDR processing, the citizen will have the right to know what data is collected and how it is used. Moreover, the company will have to disclose how long it is going to store it. This means that you should update your privacy policies more often. In fact, you will need to update them each time you employ a new way of using data. Else, you will still be allowed to collect data. But you will not be able to use it.

Despite the GDPR’s reputation being the world’s toughest data protection laws, companies are still finding ways to be sneaky. Giants like Facebook, Amazon, WhatsApp have faced millions of dollars in fine for violating GDPR policies. For example, WhatsApp was slammed with a €225 million GDPR penalty by Ireland for not properly explaining its data processing in its privacy notice.

As if deliberate violations were not enough, some companies accidentally become victim to GDPR fines. These ‘accidents’ are usually caused by the lack of data governance and security. It’s only after the companies have been slapped with a penalty do they realize the gravity of the situation.

One of the most powerful components of the GDPR is the fact that citizens can file legal suits against companies that refuse to ask for consent or continues to use personal data despite the customer’s explicit “no.” Now this is where it gets tricky. For the most companies don’t deliberately violate GDPR rules – but – if they have old, obsolete, duplicate, or untreated data, they could unknowingly violate GDPR rules.

 Here are five common scenarios of companies breaching GDPR guidelines.

Scenario 1: Transfers and migration of data

GDRP policies strictly state, ‘Before an organization transfers any personal data to a third country or international organization, the European Commission must decide that that country or organization ensures an adequate level of protection. The transfers themselves must be safeguarded.’

The transfer of data during mergers and migration is highly critical.

An example of how companies can mess up is when two companies are combining their customer databases, but don’t properly label which company is responsible for managing and controlling that data in the future. Worse, they don’t solicit permission from customers before bringing them into their new, combined database. The GDPR requirement states that any processing of personal data requires clear documentation of who is responsible for ensuring compliance with GDPR regulations. Additionally, any transfer of personal data must be done in a secure manner and meet other requirements such as having an appropriate legal basis (i.e. obtaining explicit consent from customers) prior to initiating the transfer.

Failing to take these steps can result in hefty fines under GDPR rules since it could constitute a breach of personal information security expectations that customers have when providing their details to a business or organization.

Scenario 2: Collecting too much data

Like it or not, the fact is, companies love hoarding data! There is a misleading belief that more data means more insights. That’s a myth many of our guests have actively busted in our webinars.

Too much data doesn’t lead you to accurate insights, instead, it can cause havoc and have your company in direct violation of GDPR rules.

One of the main requirements of GDPR is that companies must collect only information that is necessary – such as cookies that ensure a website’s core function and its security is not hindered. Other cookies for advertising or marketing must be optional.

One classic example of this scenario was when Portugal’s data protection agency (CNPD) fined the Portuguese telecoms provider NOS €400,000 for collecting too much personal data from its customers. NOS was collecting customer’s full address, date of birth and bank account numbers when they signed up for a contract or paid their bill online. This excessive information collection violated Article 5 of GDPR, which requires that companies only collect what is necessary for specific purposes. Clearly, collecting a customer’s bank account number was not necessary! The fine imposed by the CNPD was a reminder to all companies that they must adhere to GDPR regulations and ensure the appropriate handling of personal data.

Scenario 3 – Poor data quality

Poor data quality such as duplicate data can cause a direct breach of GDPR policies.

For example, In October 2019, Austria’s data protection authority fined the Hotel Reservation System (HRS) €10.5 million for storing information on over 35 million customers without their consent. The company was storing duplicated customer data and failed to remove it despite requests from customers, who had already requested that their data be deleted. HRS’s failure to comply with GDPR requirements to delete customer data upon request violated Articles 5 and 6 of the regulation, resulting in a hefty fine.

Scenario 4 – Poor data security

Companies failing to secure customer data adequately can also be fined for GDPR violation. This includes data systems that can easily be hacked into, leading to the breach of private & sensitive information – such as the financial data of a bank’s customer. When companies don’t invest enough in software, systems, and technologies with the latest security patches, they risk being attacked, as we have seen happening plenty of times with financial giants like Experian. Because GDPR requires companies to take necessary steps to protect any personal data they handle of EU/UK citizens, failure to do so can result in hefty fines and penalties.

Scenario 5 – Using data for purposes than what it was intended for

Sometimes, companies make the poor decision of betraying a customer’s trust by using their data for other purposes or services that are not related to their main purpose. For example, a company may collect customer’s emails to send out promotional offers, but then uses the same data to target customers on social media or have their lead generation team follow them on social media without consent. This would be a clear violation of GDPR policies.

Companies must ensure that any personal data they collect is used only for its intended purpose and kept no longer than necessary, otherwise they may face serious consequences from authorities.

There are dozens of such scenarios and real world examples where companies deliberately (such as Amazon) or accidentally find themselves paying hefty GDPR fines just because they failed to take charge of their data governance and quality processes.

However pessimistic some people are, GDPR is also an opportunity for your organization to take a holistic approach to your data governance and improving your data strategy, ensuring it meets sanctions and GDPR requirements.

Remember, being fined for GDPR doesn’t just have a financial impact but also ruins credibility and business reputation. You can avoid all these mishaps and financial pains by developing a GDPR compliant data strategy.

Some basic steps that you can start with include:

•  Identify where personally identifiable information (PII) is being stored and how it is being used.
• GDPR holds that you maintain records of your data processing activities. For the personal data, you will have to document its source and also to which 3rd parties you are sharing it with.
• If you are a public authority or undertake processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale and includes special categories of special data (health, religion, and the likes.) and personal data related to criminal convictions and offenses, it will be mandatory to appoint a Data Protection Officer. However, taken in consideration the broad scope of GDPR and its complexity, we advise you to appoint somebody to take responsibility for GDPR compliance even if you don’t fall in one of the above categories.
• Identify the type of data collected and whether it meets GDPR guidelines.
• Identify the risks and lapses your third-party partners may have. Do they have vulnerabilities on their website that hackers can easily crack to obtain customer information?
• Conduct a risk assessment of all data processing activities by conducting regular audits and assessments.
• Create master records of your most accurate, complete, and verified data.
• Implement appropriate technical and organizational measures to ensure secure storage and protect against unauthorized access or misuse of sensitive data.
•  Invest in technologies that lets you perform basic tasks like data matching, data consolidation with relative ease.
•  Invest in training employees to be aware of the challenges of dirty data, the threats with poor data security and how they must handle sensitive customer data.

It’s critical for companies to deal with duplicate data and security risks to avoid a data breach – which is becoming increasingly common as hackers identify vulnerabilities in systems.

Master records are the final, reliable, accurate version of your data. You need master records if you want to be GDPR compliant.

A customer 360 view on the other hand is the ability for your company to view the customer’s journey from the time they start an interaction with your organization to the time they pay for a service and decide whether to stay on as a loyal customer or to leave with a bad review.

Both these forms of data management can help you identify risks, vulnerabilities, and show which part of your data ecosystem needs attention.

To create master records and customer 360 views, you will need:

1.     A data matching solution that allows for data preparation, data cleaning, and data consolidation
2.     A management that is willing to work proactively towards data health & invest in master records and customer 360 views
3.     A scalable strategy that starts with the most critical data sets such as financial data or CRM data

Companies that understand their data ecosystems and actively take steps to improve it often stay ahead of the curve and are able to risk violations as well as identify opportunities ahead of their competitors.

Most organizations fear delving into their data system – the work, manpower, and costs often stretch into years of expensive effort. For example, it would take one data analyst one whole year just to complete the identification and solution proposal stage. Then another 6 months to get approval, then another to get started, and another to hire more people…..and so on. Five years later, the company is still stuck in the past with no master records in sight.

They would rather pay off a fine than be bothered with fixing their data but is that a viable approach considering the present and the future is fully data-driven?

Maybe not.

In today’s AI-enabled world, you don’t really need to spend weeks and months cleaning or matching your data. You can use a no-code solution like WinPure to create a GDPR compliant strategy by relying on three key functions:

1.   Effortless data matching: Spend a fraction of the time in cleaning and matching data. If it generally takes your team 3 weeks to clean and prepare data for a report, with WinPure, they can do that in 3 days. With the remaining time, they can work on perfecting the single customer view, optimize data collection processes, and fix data quality issues.

2.   Complete framework: Prepare, clean, transform, match, and consolidate data by staying within one dashboard. All you have to do is plug in the data and let the tool use its proprietary algorithm along with a combination of fuzzy algorithms to weed out duplicates and problematic data fields. No more flipping between dashboards or platforms.

3.   Codeless, designed for business & IT users: Create master records without having to write a single line of code. We’re no-code/zero-code because we empower both business and tech users. We believe the two should work in collaboration because both own different aspects of a dataset – the business user understands context, while the IT user understands function! With this collaboration, it becomes much easier to identify loopholes and prevent GDPR crises.

With the use of a solution like WinPure, you can test drive your data strategy, show results, and convince organizational leaders to invest in a full-fledged GDPR compliant data strategy.

Instead of waiting to be fined, be proactive and take charge of your data. Companies like Facebook and Amazon are titans that can survive many fines and charges, but if you’re a mid-level business, you cannot afford a million dollar fine just because you have duplicate data in your database. To prevent is much cheaper than to cure!