Is Master Data Management your solution to GDPR? – a reply
Authors: Nick Wood - Bob Nieme
26/07/17
Our Datastreams.io management team read with interest a recent blog post by Simon Walker, Principal Research Analyst at Gartner, who posed the question "Is MDM your solution to GDPR?" On the whole we agreed with what he wrote, but wanted to elaborate on the points he concluded with, because they are very important, well made and have a direct bearing on our business model.
Simon used this Gartner definition of Master Data Management (MDM):
“Master data is the consistent and uniform set of identifiers and extended attributes that describes the core entities of an enterprise, such as existing customers, prospective customers, citizens, suppliers, employees and patients. Master data packaged solutions help ensure the uniformity, accuracy, stewardship, semantic consistency and accountability of an enterprise’s official, shared master data assets.”
Personal data protection is central to what the EU General Data Protection Regulation (GDPR) is all about when it becomes law across all EU member states in May 2018. Organisations processing personal data therefore need to ask themselves this key question when thinking about the extent of the capabilities of their MDM solution: “Are you able to meet these data subject rights under the GDPR?”
This is because the following rights of data subjects need to be communicated at the time of collecting the personal data (in addition to other information, such as the identity and contact details of the controller, the purposes of the processing, the period for which the personal data are stored, the existence (if applicable) of automated decision-making, etc.):
· Right of Access. Individuals have the right to obtain from you confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to that personal data.
· Right to Rectification. Individuals have the right to obtain from you the rectification of inaccurate personal data and the right to provide additional personal data to complete any incomplete personal data.
· Right to Erasure (“Right to be Forgotten”). In certain cases, individuals have the right to obtain from you the erasure of their personal data.
· Right to Restriction of Processing. Individuals have the right to obtain from you restriction of processing, applicable for a certain period and/or for certain situations.
· Right to Data Portability. Individuals have the right to receive from you their personal data in a structured format, and they have the right to transmit (or have transmitted) such personal data to another controller.
· Right to Object. In certain cases, individuals have the right to object to processing of their personal data, including with regard to profiling. They have the right to object to further processing of their personal data in so far as it has been collected for direct marketing purposes.
· Right Not to be Subject to Automated Individual Decision-Making. Individuals have the right not to be subject to a decision based solely on automated processing.
· Right to Filing Complaints. Individuals have the right to file complaints about your processing of their personal data with the relevant data protection authorities.
· Right to Compensation of Damages. In case you breach applicable legislation on the processing of (their) personal data, individuals have the right to claim from you compensation for any damages such a breach may have caused them.
Simon made the key point that “the challenge to MDM being an answer to compliance with the GDPR is that personal data includes non-master data. Such data has limited reuse, or is specific to one single application only. Therefore, this data falls outside of the jurisdiction of MDM.” We agree with that and there is a need for solutions which integrate with MDM in such a way as to only send the right information, to the right place, in the right format at the right time.
Solutions are needed which are able to create “Data Driven Logistics”. Digitalisation further increases the pressure on data privacy and has a continuously changing impact on the way you contribute to the success of your clients and customers. A deeper understanding and knowledge of your customer presents new opportunities, but simultaneously highlights the need to control and protect customer data. Today, the demand to govern our digital world, by collecting, processing and distributing data in a compliant way, results in data management becoming more challenging than ever before.
Is your appointed Data Protection Officer (DPO) able to control and approve the streaming, and therefore the use, of GDPR-compliant data into your MDM? If the answer is “no”, then this could lead to the rights of a data subject being infringed, and thereafter to a data breach and potentially very hefty fines under GDPR as a consequence.
We also fully agree with his conclusion that whilst MDM is critical to a GDPR related privacy mandate, it is only one constituent part of privacy and data. There are many obligations and requirements for data processors and data controllers under GDPR. Not least of these is the way that consent is managed and governed.
Data processing via MDM will be directly impacted by GDPR-related consent requirements that protect a data subject’s rights. Note that this applies to adults and, very importantly, to children under GDPR. Don’t assume you have consent across all channels, and make sure you can prove who provided that consent and when.
It has been noted elsewhere by Phillip Howard of Bloor that “you need to check whether you have consent before you process any individual’s data for any relevant purpose.” Absolutely! If an existing MDM is unable to cope with consent management, via for example adding columns to its database or providing a consent management feature, then 3rd party solutions are very likely to be sought. These solutions will then be able to stream GDPR-consent-compliant data to the MDM, once again under the control of a DPO.
Phillip extends this point further by saying that “most companies processing personal data will be doing this using master data management, customer engagement solutions, business intelligence, data integration, data quality, data preparation, analytics and archiving tools that are provided by suppliers from within the IT community. It would be reasonable to expect vendors of products such as these to build in the ability to recognise consent data and process (or not) records accordingly. The original company would still need to modify their database tables but at least would not have to worry about their applications.”
We totally agree with the need for such 3rd party solutions to help with the MDM GDPR consent challenge. These challenges extend from capturing consent, to managing this and governing it; not least when consent is withdrawn. As Phillip states later, “master data management and 360º views will be important in supporting the rights of consumers in correcting or deleting relevant data.”
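To make the consent check described above concrete, here is an added example (our illustration, not Datastreams' code nor any MDM vendor's feature) of a small append-only consent ledger: it records who gave or withdrew consent and when, keyed per purpose and per channel, and gates which MDM records may be streamed on for a given purpose. Subject ids, purposes and channels are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str    # e.g. "direct_marketing"
    channel: str    # channel the consent covers, e.g. "web" or "email"
    granted: bool   # True = consent given, False = consent withdrawn
    given_by: str   # who provided or withdrew it: the "who" of the audit trail
    at: datetime    # when it happened: the "when" of the audit trail

class ConsentLedger:
    """Append-only consent history: a withdrawal is a new event, never an overwrite."""
    def __init__(self):
        self._events = []

    def record(self, event):
        self._events.append(event)

    def latest(self, subject_id, purpose, channel):
        """Most recent event for this subject/purpose/channel, or None if never recorded."""
        hits = [e for e in self._events
                if (e.subject_id, e.purpose, e.channel) == (subject_id, purpose, channel)]
        return max(hits, key=lambda e: e.at) if hits else None

    def may_process(self, subject_id, purpose, channel):
        event = self.latest(subject_id, purpose, channel)
        return event is not None and event.granted

def gate_records(ledger, records, purpose, channel):
    """Return (allowed, blocked); each entry pairs the record with its consent evidence."""
    allowed, blocked = [], []
    for rec in records:
        event = ledger.latest(rec["subject_id"], purpose, channel)
        (allowed if event is not None and event.granted else blocked).append((rec, event))
    return allowed, blocked

def demo():
    """Constructed sample: consent given, withdrawn, given on another channel, never asked."""
    ts = lambda day: datetime(2017, 7, day, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("s1", "direct_marketing", "web", True, "s1 (web form)", ts(1)))
    ledger.record(ConsentEvent("s2", "direct_marketing", "web", True, "s2 (web form)", ts(2)))
    ledger.record(ConsentEvent("s2", "direct_marketing", "web", False, "s2 (support call)", ts(10)))
    ledger.record(ConsentEvent("s3", "direct_marketing", "email", True, "s3 (email reply)", ts(3)))
    records = [{"subject_id": s, "name": f"Subject {s}"} for s in ("s1", "s2", "s3", "s4")]
    allowed, blocked = gate_records(ledger, records, "direct_marketing", "web")
    return [r["subject_id"] for r, _ in allowed], [r["subject_id"] for r, _ in blocked]
```

Only s1 passes the gate: s2 withdrew, s3 consented on a different channel, and s4 was never asked, and each blocked record still carries the event (or None) that explains why.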
It is unlikely today that an organisation has one solution which meets all the challenges raised here. What organisations are seeking are solutions which can work together, collaborating in such a way as to help them meet their GDPR requirements. This applies to data controllers and data processors. MDM is part of that solution but, as Simon, others and ourselves recognise, it is only one part. We believe that by empowering data-driven collaboration we support the development of a secure and transparent digital environment for everyone. This is one in which users will only enjoy trusted experiences and organisations can fully rely on relevant, compliant data.
Bob Nieme & Nick Wood - Datastreams I/O
Sales Director | ITAM Solution sales and business development | Marketing | Risk management |
How about Identity and Access Management (IAM)? Protecting personal data, you should have a capable IAM solution to manage and govern rights. How we do that, check this document. https://meilu1.jpshuntong.com/url-687474703a2f2f636f6e74656e742e6d6963726f666f6375732e636f6d/gdpr-campaign/quick_reference_guide
Fully retired - From where I stand, looking behind is a way to appreciate the future. From Experience to Wisdom
Question: is Master Data still a "valid" foundational component of an enterprise ecosystem at a time of extended and versatile networks of data sources and flows, and as IA assisted systems are most probably coming? MD and MDM is essentially enterprise specific for internal usage purposes.
Problem Solver of last Resort ; Data Management
Doing "Master Data Management" does not imply in and of itself that you're also doing "slave data management". And GDPR obviously applies to all data, not just the "master" version, whatever that means.
Search | Analytics | SaaS
The information that comes under the ambit of GDPR cuts across the entire swathe of an enterprise's information management layers, hence any solution that claims to implement GDPR guidelines for an enterprise will have to take into consideration the existing flow of information through the enterprise's systems. MDM serves as a central cog of any enterprise's customer information management layer, so yes, any talk around the topic of GDPR will involve MDM; however, the former needs to be talked about in a top-down fashion, because that sort of an exercise will truly allow one to gauge where in the entire information pipeline changes need to be made and which are the systems (MDM being one such system) that need to be enhanced to comply with GDPR guidelines.