While the May 25 GDPR deadline has come and gone, many retail organizations are still struggling to develop their compliance systems. By automating processes, tools, and workflows, they can more quickly meet the regulation's requirements—without disrupting business operations.
I recently spoke with Jerrod Bailey, Chief Strategy Officer for IntraEdge, developer of Truyo, an enterprise compliance solution. He talked about how to take a secure, automated path that streamlines the route to compliance.
insight.tech: How are businesses having difficulty complying with GDPR?
Jerrod Bailey: Suddenly, with GDPR, anyone can ask to see all of their personal information held by a company, and then they can ask that this information be updated or deleted.
Companies really aren’t prepared to enable those powers. They don’t have information in one place. They don’t even, in most cases, know all the information they have on an individual.
We know of companies that received 10,000 requests in the first week after the May 25 deadline hit. These companies were prepared for tens, a dozen requests. They weren’t prepared for 10,000.
i.t: How does automation help?
J.B.: The first level of automation is best achieved by centralizing all customer information into a data lake. It doesn’t matter how many systems or how many interaction points you have with your consumers; a data lake is the easiest and most flexible container for any kind of data that you might be collecting. Then, if you layer on some pattern-matching and a portal, you have the start of a platform that can grow and scale with privacy regulations, no matter how they develop.
For example, say you’re shopping at some big retailer—we'll call it “Speaker City.” You buy something, or you interact with them in some way, and they’re collecting data on you.
With our solution, Speaker City can tell you, “Hey, there’s this portal that you can go to and manage your data privacy.” You go to that portal. You create a login. You validate that you are who you say you are, and then you get access to all of your data on the data lake. You just automated half of your workload by eliminating the tedious process of scouring dozens of back-end systems looking for a single person's data, and then extracting and presenting that data to them in an easy way.
i.t: These custom portals that are connected to the data lake—you have a portal for consumers, a portal for businesses, and a portal for auditors?
J.B.: That's correct.
i.t: Why do you have different portals and what are the benefits of having them?
J.B.: We talked about the consumer in the Speaker City example. With Truyo, all the people who need to monitor and respond to access requests, or just need to see what’s happening in terms of those requests, have access to the portal.
Let’s say that there’s somebody responsible for GDPR-related requests that impact the CRM system. That person has access to the portal to see all of the CRM-related requests and whether they need to act. Or if mitigation efforts have been automated, that system owner can simply monitor the requests as they flow through the system.
We also give access to auditors. In the GDPR world, every country has its own privacy authority. The likelihood of having to show a third party what you’re doing is fairly high, so we give auditors special, restricted views in order to see request logs but not the specific user data behind them.
i.t: Tell me where blockchain comes into the picture.
J.B.: On the back end, blockchain creates an immutable, auditable ledger of all system activity. It’s not only logging all requests and efforts to fulfill them, but it's also storing hashes of the data to make sure that it hasn’t been compromised or changed. This blockchain ledger creates a forensically valuable history of all activities in a way that stands up to third-party scrutiny.
Blockchain is valuable to the consumer because they can trust a system that can't be changed after the fact. It’s really valuable to administrators because it helps cut down the time of an audit.
It’s valuable to the auditor because it’s a trustworthy system, so the auditor can spend their time auditing the data rather than the process or the system behind it.
i.t: So blockchain increases trust in the eyes of regulatory authorities?
J.B.: That's certainly the intent. As GDPR continues to develop and as our own customers get audited, we’ll have to show to the regulatory authorities how the process works. We anticipate that as we engage with authorities, they’ll be able to look at our system and come to trust the immutability of it.
i.t: How does this improve time to compliance?
J.B.: As you go from the first level of automation (centralizing data) into the next levels of automating denials and then back-end data source changes, we can cut out about 95% of the operational overhead of individual rights under the GDPR. That obviously comes with big asterisks, depending on how many requests a company is getting.
But when you add up the software development time, the processing of access requests, and the time that it would take to build reporting, we cut out most of the operational overhead of GDPR for the individual rights piece specifically. Also, our customers can usually be live within a week.
i.t: When you say live in a week, what does that really mean?
J.B.: We can have a portal set up and accessible by data subjects within a week—but not with full automation. It might take a couple of months to connect at least the core systems and build automation. Yes, it will be manual workflows on the back end, but that’s infinitely better than what most companies have now, which is getting unstructured requests, en masse, through email.
We can replace that in a week, get them something that’s compliant and more useful than what they currently have. Then we can take the time to build in the automation over the next couple of months.
i.t: Where does Intel® technology fit into the solution?
J.B.: Good question. There are a couple of places we use Intel® technology. We use the Intel® Software Guard Extensions (SGX) and do some interesting things in blockchain. In addition, there are the Intel edge devices that we use in retail locations.
Intel is a really good partner. They are great at building ecosystems and have the size and the reach to help us as a go-to-market partner.
i.t: How can an organization leverage the data lake to create new value?
J.B.: We chose the data lake route to solve for GDPR because we think it’s the only way to do it without disrupting business operations. But an interesting side effect is that most of our customers find value in the idea of creating a centralized repository of all their customer data. You’d be surprised how few companies have actually done this.
Once you have all of the customer data centralized in a lake, you can do some interesting things. Microsoft's Azure, for example, has business intelligence and data analytics tools that can layer on a data lake.
Now, these companies can predict what people are going to buy. They can identify their best customers. There are all sorts of enterprise value that you can extract from a data lake once it's created.