GDPR is a fundamental shift in personal data ownership—and it's not just Europe. Similar privacy legislation is spreading like falling dominos. A case in point is the recently adopted California Privacy Act, and Canada, Japan, and Australia are implementing comparable legislation or updating their privacy laws to mirror GDPR.
Although companies have had two years to prepare for GDPR, many remained in the dark about the impact of the new rules on their business until those rules took effect on May 25 of this year. Many chose to take a “wait and see” approach. “It hasn't been a reality until now,” explained Jerrod Bailey, chief strategy officer for IntraEdge, maker of GDPR Edge, an enterprise compliance solution.
“We have companies that have come to us since the May 25th deadline and in some cases, they have received 10,000 requests in the first week. These companies were prepared for tens, a dozen requests. They weren’t prepared for 10,000.”
The punitive risks are substantial, with fines up to €20 million or 4 percent of annual global revenue, whichever is higher. Especially in the retail industry, the search is on for a path to meet at least the minimum GDPR regulatory requirements: one that is quick, causes minimal disruption, won't cost an arm and a leg, and will accommodate future changes in both the regulatory and system environments.
Giving Retailers the Edge on Compliance
In partnership with Intel®, IntraEdge built GDPR Edge—a unique solution designed specifically to address the requirements of the regulation. The system uses highly secure blockchain technology to protect data and enable compliance throughout multiple touchpoints, which can be especially important to retailers.
“One of the major areas where retailers are collecting data is at the point-of-sale,” explained Bailey. “A lot of retailers just don’t have any compliance solutions for point-of-sale. We have the ability to integrate about 98 percent of the point-of-sales systems out there.”
The company was able to help one online-only retailer automate compliance across all its brands in the EU. In eight weeks, the retailer had three primary and independent systems feeding diverse customer information into a single data lake. As consumers interact with the brand online and make purchases, transactions receive a unique tag, so they can be easily found. The process allows the retailer to demonstrate compliance with critical elements of the GDPR, with a minimal burden on operations and at a fraction of the cost of developing a custom solution.
Sometimes the system can be set up even faster. Some deployments have started processing access requests and deploying workflow management and reporting tools in less than a week and at a service cost of under $1,000 a month.
Centralized Data—Automated Process
At the core of the system are four key elements—a data lake, a blockchain ledger, customized portals, and APIs, as shown in Figure 1.
Data in the lake is protected by a blockchain ledger that maintains a forensically valuable history of all system activity. Data from interactions is transferred to the ledger, where all information is certified as untampered, and then to the data lake where all interaction records live. When a consumer request is made, a record is kept of the interaction activity.
The lake plays a key role in compliance because it can be made available to data protection authorities, auditors, and data governance professionals, as well as any other data collector or processor. This results in increased accountability, information transparency, accuracy, efficiency, and ease of audit.
Users of the system can access information in the lake through custom portals. For example, individuals can review their collected personal information, modify it, or request its removal. If individuals update their personal information within the portal, it kicks off a series of automated workflows on the back end that record those changes and confirm them with the individuals.
Bailey explained: “You go to a portal. You create a login. You validate that you are who you say you are, and then you get access into all of your data in the data lake. That's very unique.”
Portals can be configured so administrators and others with compliance responsibilities can see what they need to see in the lake. For example, the CRM system manager could use a custom portal to monitor GDPR activity related to that system. “Through their portal, they’ll be able to see all the access requests they need to react to or the requests automated at the back end of the system,” Bailey said.
Auditors and regulators, too, can have a portal into the system. “In the EU, every country has their own privacy authority, so the likelihood of having to show a third party what you’re doing is fairly high,” Bailey noted. The portal, though, can limit what they see to just the ledger.
The APIs also connect to consumer touchpoints and retailer services. Touchpoints include point-of-sale interactions, website traffic, and interaction with mobile applications. Retail services include loyalty and customer management programs.
What’s more, the APIs are a two-way street. Not only can they be used to ingest data, they can be used to alter it, too. “We can anonymize or delete a record without a human being having to get involved,” Bailey said. “It's that automation and centralization, those two components together, that make GDPR Edge very unique.”
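As an added illustration (not IntraEdge's code and not a description of how GDPR Edge is built), the following models the pattern described above: a data lake whose records are committed to an append-only ledger, so that a later audit can tell whether a lake record has been altered since it was recorded, plus automated anonymize and delete actions that are themselves logged. The transaction tag, the field names and the simple hash-chain design are assumptions; the ledger stores only digests, because personal data written to an immutable ledger could not itself be erased.

```python
import hashlib, json
# Added illustration, not IntraEdge's code: the ledger is a plain SHA-256 hash
# chain and the "data lake" a dict keyed by the transaction tag the text mentions.
PII_FIELDS = {"name", "email"}   # assumed field names for this example
GENESIS = "0" * 64

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()
class ActivityLedger:
    """Append-only hash chain; stores only record digests, so erasure in the lake
    never requires rewriting ledger history (the ledger itself must hold no PII)."""
    def __init__(self):
        self.entries = []

    def append(self, event, tag, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"event": event, "tag": tag, "digest": _digest(record), "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):   # True only if every entry links to its predecessor intact
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class DataLake:
    def __init__(self, ledger):
        self.records, self.ledger = {}, ledger

    def ingest(self, tag, record):
        self.records[tag] = dict(record)
        self.ledger.append("ingest", tag, self.records[tag])

    def anonymize(self, tag):   # automated request handling, no human involved
        self.records[tag] = {k: "REDACTED" if k in PII_FIELDS else v
                             for k, v in self.records[tag].items()}
        self.ledger.append("anonymize", tag, self.records[tag])

    def delete(self, tag):
        del self.records[tag]
        self.ledger.append("delete", tag, {})

    def matches_ledger(self, tag):   # lake vs. ledger's latest commitment for tag
        last = next((e for e in reversed(self.ledger.entries) if e["tag"] == tag), None)
        return last is not None and _digest(self.records.get(tag, {})) == last["digest"]
```

A record changed in the lake behind the ledger's back fails `matches_ledger`, and an edited ledger entry fails `verify`, while anonymization and deletion leave both checks passing because they are recorded as new events.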
Streamlined Solution for Complex Environments
Even though the realities and complexities of GDPR are only now hitting home, there are solutions that help streamline the compliance process.
IntraEdge offers a system geared for highly complex retail environments that have an array of data sources, customer touchpoints, and multiple point-of-sale systems. By leveraging Intel technology, the company has built a unique solution to a multifaceted problem.
“GDPR is a big problem, but privacy is an even bigger one,” Bailey said. “Intel has the kind of size and reach to create the ecosystems we need to make GDPR Edge effective.”
About the Author: John P. Mello Jr.