Handling GDPR with Warehousing and Bots

Have constituents in the EU? Worried about GDPR? Use Warehousing (and bots) to achieve compliance!

Are you a nonprofit operating in the EU? Are you an organization in the United States who has constituents in the EU? Have you been selected as the DPO (Data Protection Officer) at your organization, you’re still not sure what your strategy for respecting the rights and maintaining the privacy of the people whose data you guard?

Well, the General Data Protection Regulation (GDPR) goes into effect May 25th, just over two months from today. On that day, any organization that maintains personal data of people within the EU will be under strict guidelines on the collection, storage, and maintenance of their data.

Given that Frakture is really into Data Warehousing, and that that data is often personal in nature, we and the bots are very eager to ensure our own compliance. Not only that, we are excited at how organizations (our customers and otherwise) working with EU constituents and customers can use Data Warehousing to ensure their own compliance.

As an organization, the key pieces of GDPR that you need to be aware of and comply with (and how Frakture can help) are:

Consent

“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”

This is essentially a much stricter version of existing anti-spam legislation. Before now you had “opt out” options for your constituents. If they did not want to receive communication from you, you had to respect their wishes. But, you did not have to remove their data and their ability to finetune what you do with their data was limited. The GDPR guarantees a much more nuanced set of options for your constituents – each channel you use to communicate must be explicitly allowed.

For example, your donor Charles receives email, mail and phone calls from you…

Many of our customers already use data warehousing and our bots to keep track of opt outs across systems – commonly between different channels (i.e., someone opts out of Mobile Commons and we make sure that opt out is processed in Luminate Online). GDPR makes this application of warehousing even more important than before – a standardized look at your data makes it easy to match consent configurations between systems.

Right to Access

“..the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose…”

“..the controller shall provide a copy of the personal data, free of charge, in an electronic format.”

When you warehouse, you collect data from different systems into the same place. Not only do you have the data, you know where it came from. If a constituent wants to know what data you have and where, you could spend quite a bit of time combing your various systems, recording the information that exists among the systems and noting which systems are using it, and then send that information to a constituent. With warehousing, it’s a simple case of looking at your tables, and voila – you have the data in a nice standardized format for them regardless of how many systems you pull from.

Right to be Forgotten

“… the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”

You might think that warehousing complicates the Right to be Forgotten – and in a way it does. You have one more place to remove a constituent from when they opt out. But removal is a much simpler procedure in a warehouse than in a CRM or other tool. Removing someone from a warehouse is as simple as dropping them from the table.

In fact – warehousing helps ensure that you are forgetting people. A centralized warehouse with a list of IDs of those who have been forgotten (just the ID, no personal information) can be used to ensure that the record has been removed from your other systems and can alert you if someone who has opted out is still present in another system.

Data Portability

“… the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller

As we touched on in the Right to Access, Data Warehouses (well, Frakture’s Data Warehouses – we won’t speak for anyone else) are standardized. This means that the data you store for your constituents is as portable as it gets – it is all in one place, in one shape, and can be looked up very quickly.

Privacy by Design

“The controller shall..implement appropriate technical and organisational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects…”

“…calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing”

When you warehouse, you get to choose the data you store – that’s the one of the best things about warehousing. GDPR comes with the requirement that as little data as possible is kept by systems, and that only those who really need access to the data have it. It’s almost like GDPR was made with warehousing in mind. While Frakture will give you access to your own data warehouse, we make sure to keep that access as restricted as possible.

Beyond being private by design ourselves, we can help you figure out if there is more information in a sub system than you intended. While we can’t see inside the database of your CRM, we can tell you what information is available to us, helping you be sure that you only have the data you think you have, and not the data you know you don’t want.

Breach Notification

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

Arguably both the simplest and most crucial to address – Frakture will immediately notify any customers (regardless of EU interaction) in the event of a data breach. We strongly recommend getting such reassurances from all of your service providers (again, even if you have no interaction with the EU).

Conclusion

Given that Organizations use several different systems to manage and communicate with constituents, making sure that that Organization and all of its tools are compliant is a heavy ask. But the ask is similar, in practice, to the other asks that Warehousing answers. Warehousing gives you your data, potentially all of it, and once you have all of your data you can ensure that you’re compliant. Not only that, warehousing coupled with smart automation can help you reach that compliance efficiently.