I recently caught up with Todd Wright, Senior Product Marketing Manager, Data Management at SAS, to discuss GDPR, the first update to the European privacy and protection laws in 23 years. According to Todd, GDPR is being taken very seriously by regulators, to the point that they are considering data protection and privacy as a human rights issue. Data on minors, medical records, sexual orientation, race, age, and weight will be some of the top concerns, as they can all be considered areas that could form a bias towards an individual when processing data. Todd leads Global Product Marketing for SAS Data Management solutions. He works closely with the product management and sales organizations to create and promote materials that are relevant and valuable to SAS customers. Todd has 15 years of experience in data management software, including sales and marketing positions at DataFlux and SAS. He is instrumental in developing customer relationships and creating strategic marketing plans that drive awareness, consideration, education and demand for SAS Data Management. He received his business degree in Marketing from Western Michigan University.
Daniel D. Gutierrez – Managing Editor, insideAI News
insideAI News: With the General Data Protection Regulation (GDPR) going into effect soon, companies around the world are honing their data governance game plan to make sure they can comply with the new regulation. What’s the top bit of advice you can offer for achieving compliance?
Todd Wright: Organizations need to develop a culture where data privacy and protection are in the very DNA of the company. The area of the GDPR that is of most concern involves the actions of individuals. For example: a company sales rep is hired by another firm, and upon leaving she downloads all the company’s customer records and brings them to her new job. This type of event will be considered a top violation of the GDPR towards organizations that hold personal data, and yet is one of the hardest to prevent. To prevent these types of violations from rogue employees, it must be crystal clear as part of the company culture (both in written policy and management actions) that such actions are not tolerated (i.e. taking the records, or bringing data records from a previous employer), and proactive measures must be put in place at all levels of the organization to ensure it doesn’t happen.
insideAI News: How seriously is GDPR being taken by regulators?
Todd Wright: Very seriously, to the point of considering data privacy and protection a “human right”. Companies really need to consider that it won’t take a major data breach to get the attention of regulators. Simple complaints from residents in the EU will catch the attention of regulators and could warrant an audit of the way the company is processing personal data. Also, companies need to look beyond the potential fines. The real issue is the loss of reputation that could result if the company is found non-compliant with the GDPR. The GDPR is getting plenty of attention, and those organizations that are found to be non-compliant will have the potential of customers and future customers becoming aware of their shortcomings regarding the proper use of their personal data and potentially choosing to take their business elsewhere.
insideAI News: What are the main types of data that are top concerns – those that can be considered areas that could form a bias towards an individual when processing data?
Todd Wright: Yes. The GDPR is very concerned with what is known as algorithmic biases when it comes to the profiling of individuals, which in turn allows companies to make decisions on how they do business with these individuals. But of higher concern (perhaps the biggest concern of the GDPR) is the processing of data on minors. Not only is consent a major concern but so is the right to be forgotten. There have been many stories over the years of minors doing unfortunate things online that will impact them for years. The GDPR wants to offer a buffer where these actions they take as minors are deleted so that they are not punished once they are ready to apply to college or during the screening process when starting their careers. In a sense, GDPR offers a “get out of jail free card” where minors/young adults have the right to start fresh.
insideAI News: I understand that SAS conducted a global GDPR survey last fall. Can you share some of the important results for us?
Todd Wright: The big takeaway was that we learned that many organizations are now beyond the education and information gathering stage (what is the GDPR, does it apply to us?) and are now actively working towards what they need to do, but less than half (45 percent) of organizations we surveyed have a structured plan in place for compliance.
The respondents also reported that the largest challenge of the GDPR was ‘How to know if the actions we take to comply with GDPR are sufficient’. This really shows the complexity of the GDPR and the fact that the work of complying with the GDPR can’t end on May 25, 2018. Companies will always need to evaluate, adjust, and improve their processes (both in technology and staff) to make sure the GDPR is being met. But on the positive side, 71 percent of our respondents said that they believe their data governance will improve as a result of GDPR.
SAS just launched a new GDPR survey trying to see if businesses are closer to readiness as we near the GDPR deadline.