GDPR and Data Quality - A Service Objects webinar

Data Quality Solutions
GDPR and DATA QUALITY
A Service Objects’ Webinar
January 24th, 2018

Service Objects is pleased to host this interactive webinar:
GDPR and Data Quality
Featuring industry experts:
Thomas C. Redman, Ph. D. “the Data Doc,”
and
Daragh O’Brien - Castlebridge Associates
Moderated by:
Rob Manser – Service Objects

Thomas C. Redman, “the Data Doc”
• Ph.D., Statistics, Florida State, 1980.
• Conceived and led the Data Quality Lab at AT&T Bell Labs.
• Formed Navesink Consulting Group in 1996.
• Help dozens of companies think through, define, and advance their data and data quality
programs.
• Most important publications:
• Getting in Front on Data: Who Does What, Technics, 2016.
• “Data’s Credibility Problem,” Harvard Business Review, 2013.
• Data Driven: Profiting from Your Most Important Business Asset, Harvard Business
School Press, 2008.
• Known bias: “Data are quite obviously the key asset of the Information Age. Yet today’s
organizations are singularly ill-designed for data. This leads me to conclude that organizing for
data is THE management challenge of the 21st century.”

• Daragh O Brien is the founder and CEO of Castlebridge, an information strategy,
governance, and privacy consultancy based in Ireland.
• He works with clients in Ireland, the UK, and internationally on issues of information
privacy and governance. Clients include utility companies, government departments, start-
ups, and not-for-profit organisations.
• Daragh is Course Consultant to the Law Society of Ireland, advising on syllabus definition
for Data Governance and Data Privacy.
• He is a popular and entertaining conference speaker and is a regular presenter at events in
the United States and Europe.
• Daragh’s primary degree is in Business and Law, but he spent a decade and a half in
Information strategy, Information quality, and Regulatory roles in the telecommunications
sector before founding Castlebridge.
• He is Data Privacy Officer for DAMA International and is a Fellow of the Irish Computer
Society.
Daragh O’Brien

Regulators are people (and customers) too!
©DQS, 2000-2018

GDPR Summarized
Consistency Mechanism
Core Principles
Increased
Penalties
Risk based approach to
Data Protection
Explicit
Focus on
Governance
Principles
Driven
Principles
Driven
Stricter Consent
(where consent
only basis)
Enhanced Rights:
Data Portability;
RTBF;
Risk & Penalty
Mitigation
Documentation
Data Protection
Officer
Evidence of
Effectiveness
Risk & Penalty
Mitigation
Enforcement
against Data
Processors
Extra
territoriality
Fines as % of
Global
Turnover
Mitigating
Factors
1. Lawfulness, fairness, transparency
2. Purpose Limitation
3. Data Minimization
4. Accuracy
5. Storage Limitation
6. Integrity & Confidentiality
7. Accountability
+ Article 1, 7, and 8
Charter of Fundamental Rights
Privacy by
Design/Default
©2018 Castlebridge

The e-Privacy Regulation
• As drafted, will apply GDPR-style penalties to wider communications data, not just personal data
• Applies to telecoms firms but also to “over the top” messaging applications like an IM client
• Applies to metadata, location data, and device identifier data
• Applies to “cookies” – data written to or read from your devices
• Applies to advertising tracking
• Protects information that might derived from devices connected to communications networks,
including Device Fingerprinting
• (oh… and marketing by electronic means (phone, email, SMS, Instant Messengers etc.)
©2018 Castlebridge

Who is the Regulator?
European Data
Protection Board
National Regulators
Provincial Regulators
(Where they exist)
Statutory Supervisory
Authorities
Courts (Litigation)
Court of Justice of EU
Member State
Supreme Courts
Member State Lower
Courts
©2018 Castlebridge

European Data
Protection Board
National Regulators
(Where they exist)
Authorities
Gaston, living in France, buys socks online from
a company in Cork, Ireland
Irish Sock Company uses data in a way not disclosed
to Gaston, and without a legal basis
©2018 Castlebridge

European Data
Protection Board
National Regulators
(Where they exist)
Authorities
Gaston, living in France, buys socks online from a
company in Cork, Ireland
Irish Sock Company uses data in a way not disclosed to
Tim and without a legal basis
Gaston complains to FRENCH Regulator in first instance,
who will refer the case to Irish Regulator
Irish Regulator investigates as “Lead Authority” and
sanctions Sock Company. If French Regulator disagrees
with outcome, EDPB can over-rule
©2018 Castlebridge

Gaston, living in France, buys socks online from a
company in San Diego that is selling to Europe
Sock-R-Us San Diego must comply with GDPR.
Cross border transfer of data requires Privacy Shield.
European Regulators can enforce in collaboration with FTC
In this case..
• Irish Data Protection Commissioner
• California State Attorney General
• FTC
©2018 Castlebridge

Joy in San Diego is buying socks from a company in Co.
Cork Ireland
The Irish Company falls under the remit of the Irish Data
Protection Commissioner and EU law applies.
In this case..
• Irish Data Protection Commissioner
©2018 Castlebridge

Guitar-Stuff-Here misuses Brendan’s data and there is a
data breach
In this case..
• FTC – US law applies, not EU
Brendan is an Irish citizen living in Orlando. He buys a
guitar from a company in San Diego
©2018 Castlebridge

28 Member State National Regulators (27 after UK leaves)
Co-ordinated through a Consistency and Cooperation mechanism
Key point: Regulators are legally independent of Member State Governments, similar to judiciary
Enforcing against companies outside EU?
If company has subsidiaries in EU, they will be
enforced against (e.g. Facebook Ireland)
“Nominated Representative” can be enforced
against
International law allows for law enforcement co-operation.
EU Regulators have history of co-ordinating with FTC and
other Regulators
©2018 Castlebridge

Who is the Customer?
“Living Individuals”
©2018 Castlebridge

The Global Legislative Trend
Source: Greenleaf: Global Data Privacy Laws 2015
“Data privacy laws are clearly no longer ‘a European thing,’ though the
influence of ‘European standards’ remains paramount”
- Graham Greenleaf, Global Data Privacy Laws (2015)
“Increasingly, the position is that the USA is the only significant outrider
attempting to defend providing data privacy protection by a patchwork of
sectoral laws (with significant limits to their principles arising from
circumstances which may be unique to the USA) and no national DPA as a
key means of enforcement.”
- Graham Greenleaf, The influence of European data privacy standards outside Europe: Implications
for globalisation of Convention 108? (2012)
62.56%
37.44%
Countries with a National Law
Countries without a National law
“There are strong indications that ‘European’ or ‘2nd generation’ data
privacy standards are continuing to be adopted outside Europe to such a
substantial extent that the ‘global standard’ is at present at least mid-way
between the ‘1st generation’/’OECD’ standards and the ‘2nd
generation’/’European’ standards.”
- Graham Greenleaf, ‘European’ Data Privacy standards implemented in laws outside
Europe, (2017)
©2018 Castlebridge

The Old Paradigm is No longer Valid

DQ 101: What Makes Data of High Quality
Data are of high quality if they are fit for their intended uses (by customers) in
operations, decision-making, analytics, and planning (after Juran).
free of defects:
- accessible
- accurate
- up-to-date
- kept secure
- etc.
possess desired features:
- relevant
- comprehensive
- proper level of detail
- easy-to-interpret
- etc.
Data that’s fit for use
Customers are the ultimate arbiters of quality!!
Largely, “the right data”
Mostly, “are the data right?”
©DQS, 2000-2018

DQ 101: A Database is Like a Lake
Unmanaged
“Management” drives data quality improvement, largely by adopting an approach of
eliminating root causes of error!
©DQS, 2000-2018

DQ 101: Doing the Work. The Process Management Cycle
1. Establish
management
responsibilities
2. Understand
customer needs
3. Describe
process
4. Establish
measurement
system
5. Establish
control
& check
conformance to
requirements7. Make
improvements &
sustain gains
The process management cycle provides a
powerful, repeatable means to bring the tasks
(or habits) of data quality management to bear
6. Identify & select
improvement
opportunities
©DQS, 2000-2018

Data Quality 201
“Know Your Business”
● GDPR highlights the utility of a great “conceptual person/client/party model.”
All who create or use “people data” must contribute.
● Teamwork between data protection and quality officers.
©DQS, 2000-2018

Questions?

Thanks to our contributors
Tom Redman Rob Manser
Service Objects
marketing@serviceobjects.com
@serviceobjects
Service Objects
Castlebridge Associates
daragh@castlebridge.ie
@cbridge_chief
Daragh O’Brien
Daragh O’Brien
info@dataqualitysolutons.com
@thedatadoc1
Tom Redman
Check out Daragh’s
new book
Pre-order Now!
(May 3rd release.)
Don’t miss Tom’s
latest book.
Available on
Amazon.
Download our
FREE GDPR
Whitepaper.
Available here.

Find out How Service Objects’ Data Quality
Solutions Can Help you with GDPR:
Since 2001, Service Objects has focused exclusively on global contact
and customer data verification. Please take a moment to learn more
about our data quality services and how they help support your GDPR
compliance efforts:
• Lead Validation International
• Address Validation International
• Email Validation
• Phone Exchange
• IP Validation

GDPR and Data Quality - A Service Objects webinar

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to GDPR and Data Quality - A Service Objects webinar

Similar to GDPR and Data Quality - A Service Objects webinar (20)

Recently uploaded

Recently uploaded (20)

GDPR and Data Quality - A Service Objects webinar