It’s important to discuss some of the principles of the GDPR that will drive major changes in IT systems, namely Purpose Limitation, Data Minimisation, Accuracy, Retention and Security. Looking at the telco sector in particular, these are the areas that are going to soak up the money. They drive significant changes across the board. Let’s explore the practicalities of each with some examples.
When a CRM agent logs on in the morning, there is little or no restriction on what accounts they look at. They may be doing it to follow up on a support case or any other legitimate purpose, but it is hard to prove that in today’s environment. Real Time Analysis across systems can start to govern this for us, e.g. when a customer agent enters an MSISDN into the search field, the system performs a check. Is there an open ticket with that customer or an ongoing call through to the call centre? If not, the purpose is not obvious and a robust way of controlling that would be to perform ‘just in time’ authorisation through a supervisor for that request.
When a marketing team are designing new campaigns, historically they would have performed their analysis by delving into personal data to identify user behaviour and map out any gaps in the portfolio in terms of upsell or cross sell. The data is there because it’s required for some other legal purpose but that does not mean it can be used for whatever marketing want. At best, this kind of processing would rely on legitimate interest, but in all likelihood, it would rely on consent. Regardless of which one of those they rely on, the system must be capable of checking if consent is in place, or if an objection has been registered, before that data is made available for that purpose. Companies don’t own that data any more, the data subject does, and they need a legal basis to process it.
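
The two checks described above (evident purpose for a CRM lookup, and consent or objection before data is released to marketing) can be sketched as follows. This is an added example, not code from any vendor product; the function names, the in-memory stores and the MSISDNs are hypothetical and constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample state standing in for the ticketing system, call-centre
# platform and consent register (all hypothetical).
OPEN_TICKETS = {"353870000001"}
ACTIVE_CALLS = {"353870000002"}
CONSENT = {"353870000001": "granted", "353870000003": "objected"}  # marketing
AUDIT = []  # every decision is recorded so the purpose can be proven later


def _log(actor, msisdn, purpose, allowed, reason):
    AUDIT.append({"at": datetime.now(timezone.utc).isoformat(), "actor": actor,
                  "msisdn": msisdn, "purpose": purpose,
                  "allowed": allowed, "reason": reason})
    return allowed, reason


def authorise_lookup(agent, msisdn, supervisor=None):
    """CRM search gate: allow only when a purpose is evident or approved."""
    if msisdn in OPEN_TICKETS:
        return _log(agent, msisdn, "support", True, "open ticket")
    if msisdn in ACTIVE_CALLS:
        return _log(agent, msisdn, "support", True, "ongoing call")
    if supervisor and supervisor != agent:  # an agent cannot self-approve
        return _log(agent, msisdn, "support", True, f"approved by {supervisor}")
    return _log(agent, msisdn, "support", False, "supervisor approval required")


def release_for_marketing(team, msisdns, basis):
    """Filter a subscriber list by lawful basis before analysts see it."""
    released = []
    for m in msisdns:
        state = CONSENT.get(m)  # None means no consent record exists
        if basis == "consent":
            ok = state == "granted"      # opt-in: no record means no
        elif basis == "legitimate_interest":
            ok = state != "objected"     # opt-out: an objection blocks
        else:
            ok = False                   # unknown basis: default deny
        _log(team, m, f"marketing/{basis}", ok, state or "no record")
        if ok:
            released.append(m)
    return released
```
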
Telcos generate mountains of data that is tied to MSISDNs, Account Numbers, IMSIs, Names and Addresses and by that direct or indirect relationship, however insignificant the data may seem, it is personal data and must be treated as such. The fact is that if this data is not required for any use case, it should be removed. This can come in many forms. Minimisation can be achieved by simply filtering the data. Fields x, y and z are not required so they are removed. In other cases, it should be achieved by aggregating the data. I have records of all traffic generated by the subscriber, but in fact all I need to know is the total traffic per hour for billing and campaigning purposes. As such, I aggregate the data up per hour and remove the granular records. I have a date of birth on the CRM system for account verification purposes at the various points of contact. However, if I want to use that for market segmentation, then maybe I only need the year, or the age range, not the actual date of birth and as such, only that should be sent to the campaign management system.
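
The three forms of minimisation described above (filtering fields, aggregating traffic per hour, and reducing a date of birth to an age range) are shown below as an added example that is not part of the original article. The record layouts, field names and sample values are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data (not real subscriber records).
USAGE = [
    {"msisdn": "353870000001", "ts": "2018-03-01T09:05:11", "bytes": 1200, "cell": "A17"},
    {"msisdn": "353870000001", "ts": "2018-03-01T09:40:00", "bytes": 800, "cell": "A17"},
    {"msisdn": "353870000001", "ts": "2018-03-01T10:02:30", "bytes": 500, "cell": "B02"},
]
CRM = {"msisdn": "353870000001", "name": "Sample Subscriber",
       "dob": "1984-07-19", "address": "1 Example Street"}


def keep_fields(record, allowed):
    """Filtering: drop every field the receiving use case does not need."""
    return {k: v for k, v in record.items() if k in allowed}


def hourly_totals(records):
    """Aggregation: total bytes per subscriber per hour, nothing finer."""
    totals = defaultdict(int)
    for r in records:
        hour = datetime.fromisoformat(r["ts"]).strftime("%Y-%m-%dT%H:00")
        totals[(r["msisdn"], hour)] += r["bytes"]
    return dict(totals)


def age_band(dob_iso, today, width=10):
    """Generalisation: a ten-year band instead of the date of birth."""
    dob = date.fromisoformat(dob_iso)
    # Subtract one if this year's birthday has not happened yet.
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = age // width * width
    return f"{low}-{low + width - 1}"


def campaign_extract(crm, today):
    """What the campaign management system receives for one subscriber."""
    out = keep_fields(crm, {"msisdn"})
    out["age_band"] = age_band(crm["dob"], today)
    return out
```
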
Accuracy in Telco is not going to have the same impact on a data subject as in other verticals such as insurance, finance or health. However, it is important that where data is inaccurate, there are simple ways for a subscriber to update it. It should be clear where information was sourced from, and whether it should be updated on a regular basis.
With the scale of data generated in Telco, it makes business sense to manage data retention wisely regardless of privacy regulation. However, this area will drive significant IT costs where data lifecycle management will have to be much more sophisticated than it is today. Gone are the days of a common data retention period. Personal data will have to be mapped to a purpose and once that purpose is fulfilled, it should be removed, failing the existence of another legal basis. One approach to this involves adoption of encryption of the personal identifiers in the data, making it easy to anonymize when the purpose is fulfilled. The encryption key is removed, but anonymous data remains where valuable for analytics and training machine learning models.
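
The key-removal lifecycle described above can be sketched as follows. This is an added example, not the article's or any product's code: to run on the Python standard library alone it uses a keyed HMAC token in place of reversible encryption of the identifier, and the class, function names and sample rows are hypothetical.

```python
import hashlib
import hmac
import secrets
from datetime import date


class PurposeKeys:
    """One secret key per processing purpose, held apart from the data."""

    def __init__(self):
        self._keys = {}  # purpose -> (key, date the purpose is fulfilled)

    def create(self, purpose, fulfilled_on):
        self._keys[purpose] = (secrets.token_bytes(32), fulfilled_on)

    def token(self, purpose, identifier):
        key, _ = self._keys[purpose]  # KeyError once the key is destroyed
        mac = hmac.new(key, identifier.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]  # truncated to keep the sample readable

    def shred(self, today):
        """Destroy keys whose purpose is fulfilled; return those purposes."""
        done = sorted(p for p, (_, end) in self._keys.items() if end <= today)
        for purpose in done:
            del self._keys[purpose]
        return done


def protect(rows, keys, purpose):
    """Store rows with the MSISDN replaced by a purpose-specific token."""
    return [{**r, "msisdn": keys.token(purpose, r["msisdn"])} for r in rows]


def can_relink(keys, purpose, msisdn, stored_rows):
    """True while the key exists and the subscriber's rows can be found."""
    try:
        wanted = keys.token(purpose, msisdn)
    except KeyError:
        return False
    return any(r["msisdn"] == wanted for r in stored_rows)


# Constructed sample rows (not real subscriber data).
ROWS = [{"msisdn": "353870000001", "hour": "2018-03-01T09", "bytes": 2000},
        {"msisdn": "353870000002", "hour": "2018-03-01T09", "bytes": 750}]
```

Removing the key only has this effect if no copy of it survives in backups and the remaining columns cannot single out a subscriber on their own.
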
Data security is going to require a reboot. Vendors are going to be put under a lot more pressure to ensure their products have the right capabilities in place, as well as a process of performing vulnerability tests on an ongoing basis. There has to be a major review of processes to ensure the security of personal data, but the IT changes will also have an impact on downstream systems. One approach is to adopt format preserving encryption to minimise that impact. This will help avoid situations where encrypted values fail validation downstream or simply don’t fit in the column defined for that value in a database.
One of the areas I feel is really low hanging fruit for businesses to start this journey is the topic of accountability.
When I speak to people about the regulation and we start to explore what data is there and why, how it is processed and how long it is retained, in many cases, there are good answers. What is missing is simply capturing this and making it known. Documenting processes, educating employees, informing users, updating privacy notices are all relatively easy and go a long way towards proving accountability.