How can you delete what you don't know you have?
The latest amendments to the draft EU Data Protection Act reinforce the 'right to erasure' and propose fines of up to €100m if data is abused. Under the proposed regulation, customers of any company operating within the European Union will have the right to request that their personal data be erased. And if an individual does ask a firm to erase their data, that firm would also be legally obliged to forward the request to other companies or organisations where that data had been replicated.
Once ratified and passed into law this will be a tremendous advantage for customers and give peace-of-mind for those concerned about data privacy. But for businesses that fall under this Act it could be a potential nightmare, simply because they can't say for certain what information needs to be deleted if they do get such a request.
Within any organisation, customer information can exist across a range of functions and their associated systems. This includes customer relationship management (CRM), accounting, help desk, marketing, order systems and many others. And this is further compounded if that information has been shared with other businesses, whether that's a marketing partner, a logistics firm (for deliveries) or anyone else.
In order to successfully comply, companies need a clear view of where all that data resides and how it is interconnected. Only by unifying fragmented data from across the business can the organisation be sure that it is complying with regulation.
Furthermore, excising customer data can also play havoc with other aspects of the business. For instance, if customer information is removed, should their order history be removed as well? If so, how does this impact the account and stock level systems? Customer information is intrinsically linked with most other parts of the business, and removing such a vital element needs to be considered carefully in terms of data quality.
Similarly, This regulation has the potential to impact data analysis, forecasting and decision-making as it removes a key piece of data for many kinds of analysis.
At first glance, the 'right to erasure' may seem relatively trivial, but it quickly becomes clear that robust data information management processes are needed. Without them, not only can businesses not be sure they actually remove all traces of customer information as required, but that data integrity and quality is maintained and that analysis and reporting is accurate.
This is not an insurmountable challenge, but it is one that requires careful consideration now, rather than once the Act is in place and businesses are scrambling to comply.