Voice of the Industry

When GDPR requests start to come in, companies will be lost in a labyrinth of data

Friday 16 February 2018 10:49 CET | Editor: Melisande Mual | Voice of the industry

Jeff Jonas from Senzing believes that one crucial component of GDPR compliance is still being overlooked: the ability to locate the data requested by customers

A lot of ink has been expended already discussing the challenge of the EU’s General Data Protection Regulation (GDPR) for European businesses. E-retailers and payment platforms are likely to be at the sharp end, given their reams of data, their prodigious digital marketing output (particularly in the case of ecommerce) and their large volume of customers.

Make no mistake, getting ready for GDPR is a serious business and worthy of every business’s attention. But we believe that one crucial component of GDPR compliance is still being overlooked – the ability to locate the data being requested. We call this missing link in GDPR readiness “single subject search”. This key ability is the essence of smart data search, and yet many companies have no coherent system in place and are underestimating the scale of the challenge they are facing simply to locate all of a data subject’s information within GDPR’s 30-day obligation.

Another way of looking at this issue is to imagine that your business is a library. You walk into the library knowing only that you need the book entitled McKinley. But in this library, there is no central index, no card catalogue. The library spans three floors, with ten aisles on each floor. To find the one book you’re looking for, you must search across the entire library, something that could take days! This scenario is similar to that which many companies will experience when GDPR comes into effect. They will receive a request from a data subject (e.g., an EU resident) and potentially struggle to search all data floors of their library within the allotted timeframe.

To be GDPR compliant, millions of businesses, lacking central indices, will have to individually search system after system of often messy data to locate records about data subjects. Manually searching for data is not only a hard and lengthy process, it is fraught with mistakes and threatens your compliance capability. The risk exposure companies will face from this great data search challenge is the reason why we undertook a major study - Finding the Missing Link in GDPR Compliance - to look into this issue in greater depth. Based on the key findings from the views of over 1,000 businesses we quizzed, our overarching conclusion is that “single subject search” is the missing link in GDPR compliance. Many companies are not GDPR ready as a result.

According to our research, on average, a company will get 89 GDPR enquiries per month, for which they will search 23 different databases, each taking about 5 minutes. For large companies, the number rises to 43 databases. This figure increases to more than 200 for big, data-heavy companies! The total time spent by companies to find data for GDPR enquiries per month was estimated to be more than 172 hours each on average. The issue is even more pronounced for the largest companies. Those with more than 250 employees expect to get an average of 246 enquiries per month. The total time they will spend finding data per month is estimated to be more than 1,259 hours, something which has huge resource and cost implications.

Based on my involvement in over 100 IT implementations over the years, I think these estimates, although already huge, are conservative. For organisations without the ability to conduct a single subject search, the amount of time they will spend searching for data will be significantly higher.

It is common for companies to have many databases, some of which they may not even be aware of. But a manual search won’t capture these data “black swans”. For example, a customer may also have records in a non-customer database, e.g., in a human resources database if they once applied for a job. Beyond searching every database, all potential name variations should be checked (e.g., Bob, Robert). That is why having a smart, index-based automated search function is critical.

Organisations that use central indices for “single subject search” will more likely be GDPR ready. Indeed, we believe the issue of single subject search is the missing link in GDPR compliance. Without it, many companies are set to fall short.

As the GDPR deadline looms, there is an alarming sense of confusion and lack of confidence about data search which could result in large fines and reputational damage. A huge number of companies simply don’t understand the dangers. Many companies polled stated there would be no, or limited, impact both from a financial penalty and brand reputation perspective.

The task of simply searching all databases is gigantic. It is even more difficult for the many companies that do not know where relevant data is kept and are unaware of all pertinent databases. More than 1 in 10 (12%) of businesses say they are not confident that they know where all their data is stored. Less than half (47%) are “very confident” that they know where all their customer data is housed.

These findings demonstrate the size of the GDPR compliance challenge. Payment companies and retailers will have a mountain of data to trawl through – costing time and money along with carrying the risk of getting it horribly wrong. This issue is size agnostic. Whilst the time requirement is greater for large companies, they have greater resources. Relative to size, SMEs face an equally massive task. The smaller the business, the less time they can devote to this. In both cases, single subject search is a huge labour-saving device.

A significant proportion of organisations realise they have a problem on their hands. That is why 44% of the UK, French, Spanish, German and Italian companies we spoke to are concerned about their ability to comply with GDPR. Based on our research, we believe that 60% of all companies operating in the EU are not ready to deal with the challenges of GDPR.

Without single subject search - the critical enabler of GDPR readiness - many payment companies and e-retailers, along with all other sectors, will really struggle to be compliant. They will face potentially colossal fines and brand damage as a consequence.

About Jeff Jonas

Jeff Jonas is an acclaimed data scientist and former IBM Fellow, and the creator of entity resolution systems. National Geographic recognized him as the Wizard of Big Data, and today numerous organizations rely on his systems to extract useful intelligence from tsunamis of data. For more than three decades, Jonas has focused on creating technologies that solve the world’s biggest data challenges, while also being an advocate for privacy and civil liberties.

About Senzing

Senzing, a California-based software technology company founded by Jeff Jonas, is the first company to apply real-time machine learning to entity resolution – finding out who is who in your data. Senzing’s team has a long track record in solving complex entity resolution challenges, delivering the code behind some of the largest real-time, entity resolution systems in the world. The company’s G2 for GDPR entity resolution software is the most affordable and accessible solution for organisations to get their data ready for GDPR.

