Back in 2017, we published an Insight highlighting the connections between master data management (MDM) and preparation for GDPR, which at the time was awaiting enforcement. MDM requires identifying customer data, determining who has access to it, and creating a governance program for it — all important tasks in preparing to accommodate the consumer privacy rights that GDPR grants.
Now that GDPR is in force and similar laws, such as the California Consumer Privacy Act (CCPA), are being written and passed around the world, businesses must take a more holistic view of data privacy. It’s no longer about complying with one or two pieces of legislation. It’s about laying a foundation of privacy practices that can help you comply with laws that apply to you today and be ready for future regulations — not to mention meeting your customers’ expectations regarding how you handle their data. Here again, MDM is key.
Data privacy laws: Common threads and key differences
When GDPR was first introduced, many analysts recognized it as a “gold standard” to which legislators around the world would look as they planned their own data privacy initiatives. Enough similarities have appeared in CCPA and other laws to indicate that this is the case, at least partially. CCPA, for example, also confers on data subjects the right to access their records, the right to erasure, and the right to know how their data is being used.
On the other hand, no two data privacy laws are identical, and compliance with one does not guarantee compliance with another. To prepare for current laws and be ready for future legislation, organizations can create a foundation that lets them address the common threads in data privacy legislation while being flexible enough to adapt to future requirements. That’s where MDM comes in.
How to architect MDM for data privacy
If you’ve attended our webinars on data privacy, you may recognize this slide, which represents a very simplified diagram of the systems found in many organizations:
If your architecture looks even remotely similar to this, it doesn’t matter if you’re trying to comply with GDPR, CCPA, or any number of present or future data privacy regulations — you may not get far, because it is difficult to get a clear picture of what personal data you have, let alone who has access to it and what you do with it.
While MDM won’t make you compliant on its own, creating a single source of truth lays an effective foundation for your readiness efforts. For example, once you have all your customer data consolidated into clean, updated master records, you can more easily accommodate a data subject’s right to access or right to erasure within a reasonable time frame.
Where to go from here
Some organizations saw the enforcement of GDPR as a finish line, when it’s really the beginning of a new era. Consumers around the world, including here in the United States, are demanding similar rights and similar protections for their own personal data, and legislators are responding. If your organization has customers, employees, or partners in multiple states or multiple countries, the prospect of having to comply with dozens of data privacy regulations can seem overwhelming. Fortunately, an effective MDM strategy can provide the groundwork from which you can build a readiness plan for almost any data privacy requirements, present or future.
General Manager of Data Privacy Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, Information Management, the American Bar Association, and other national and international organizations.
Executive Team member Kevin Moos is recognized for his experience with knowledge management systems. He has lent his expertise to several prestigious industry panels on enterprise content management and other topics.