Why Should Your CLO and DPO be Interested in a Usage Data Platform?
What happens when you collect usage data and it is tagged to specific individuals and personal details?
How do you separate what is needed for modeling and for keeping the services running, while remaining compliant, not breaking any GDPR rules, and passing an audit or Data Protection Impact Assessment with flying colors?
Doing this without a proper system to handle millions, or even billions, of events would be a daunting task for any enterprise. Separating private data from rateable events manually will create data lakes, which raise the exposure and the risk of failing a Data Impact Assessment.
With a Usage Data Platform, you can collect data from a myriad of network elements, sensors, routers, servers, you name it; correlate, aggregate, dissect, split, burst, change, analyze, and feed it in a suitable format to other systems left or right on the value chain, regardless of the complexity; and make the relevant separations between what you are allowed to keep and what you are not.
Online sales are actually very complex transactions due to the many steps and parties involved; it is of paramount importance that data flows in a multidirectional mode.
The online travel industry is the sector that has the most complex payments, which pivot off the card payment model, as it is a part of it.
Booking a ticket and getting payment may take up to 20 different middlemen. All it takes is one weak link in that chain to break the trust and place everyone at risk. See below:
- shopper<>online travel site<>global destination service<>airline
- If the ticket is there, check for funds
- shopper<>online travel site<>global destination service<>card processor<>merchant acquirer<>bank processor<>Visa/MC/AMX/DSC networks<>issuing card bank
- Funds are there, book ticket and collect money
- shopper<>online travel site<>global destination service<>airline<>book ticket
- issuing card bank<>airline reconciliation agency<>Visa/MC/AMX/DSC networks<>merchant acquirer<>online travel site<>shopper confirmation
The risks of failing an assessment or audit are severe: at 4% of a company's annual turnover per occurrence, they will make the hairs stand up on any CEO's back.
Companies failing on this are creating horrible monsters by not paying attention and/or ignoring the warning signs.
Privacy and compliance should be by design and imprinted on the DNA of any business process that touches personal data. It is that critical! Companies can be brought to their knees by failing to comply.
The impacts of GDPR on the accumulation and manipulation of large and diverse data sets are yet to be tested in the courts. The roles that all parties have in developing new and sophisticated data management solutions are stated as being shared, regardless of what position in the chain a company occupies: data controller, processor, sub-processor or joint controller.
It is of paramount importance for companies to automate their usage data processes and commerce, but from the GDPR angle, Privacy by Design is the reason why CLOs and DPOs should rally behind a Usage Data Platform!
There are companies like Sytorus working with organizations in over 45 countries to assist them with their compliance requirements. They bring the best-practice layer to the table, which assures that the business manages its exposure to GDPR-related risk in a manner that is cost-effective and a competitive advantage.
They work daily with seven principles that apply to a Usage Data Platform and provide a template for the proper handling of data to ensure compliance.
Principle 1, Transparency: is the manner in which the data is captured clearly documented, and has consent or the legal basis in all cases been appropriately captured, documented and kept up to date?
Principle 2, Specific Purpose: are the specific purposes for the use of data agreed and recorded, and do the processing activities follow them? The golden rule here, which in my experience affects digitalization projects, is that data is often captured and the purpose defined after the fact. This is an immediate change in the way we must think.
Principle 3, Data minimization: contrary to the instincts we all have in business to gather as much as we can and keep it as long as we can, we simply can’t build systems that do that unless principles 1 and 2 are fulfilled.
Principle 4, Data quality: how do we ensure that the data is kept up to date? What processes, methodologies and policies do we have to ensure that we are not working with old data across all sources?
Principle 5, Data Retention: Our role in the capture and manipulation of data doesn’t just end when we stop using it. We have to be very conscious of removing this data on time, according to our policies, across all devices. A data exit strategy is a stage that most companies do not appreciate as part of the puzzle when covering their GDPR responsibilities.
Principle 6, Security: Most companies in IT are good at this. It also involves the physical world and training.
Principle 7, Evidence of compliance: Basically, this is new in the data privacy world. Where before we wrote policies and did training, now we have to document the real-world scenarios and the risks, and associate contracts, policies and training with the exact way that we are making decisions around the capture and use of private data.
In summary: don't make data lakes; don't ignore genuine advice and create monsters; don't forget that you can achieve Privacy by Design; and trust the experts on handling usage data. A Usage Data Platform can save you from the abyss!
Reach out for advice. Thank you for your questions, comments, and shares!