Master Data Management: Answer to GDPR?
Master Data Management: Answer to GDPR?
The EU's GDPR legislation comes into effect soon, and it could mean some significant changes in the way data is handled. Could MDM be a big piece of that puzzle?
Join the DZone community and get the full member experience.Join For Free
In this article, I want to look at this still poorly understood field in data management, and discuss how we can consider it as a fundamental step towards compliance with the EU’s upcoming General Data Protection Regulation (GDPR).
Here at Grakn Labs, we have worked with a number of companies in different industries, including financial services (banks, hedge funds, etc), to deliver these types of solutions, where we are asked, amongst other things, to help enterprises represent their master data into a Grakn knowledge base. In this article, I want to share some of the lessons we have learned along the way.
Master Data Management
Before delving into this workflow, it is worth defining exactly what we mean by MDM and GDPR.
MDM is a set of technology-enabled processes and techniques that enable an organization to connect its most important data into one file, which then serves as the one point of reference for that organization. It ensures that every single IT system, platform, and architecture across the organization uses data in the same way. Five components in MDM can be identified:
- Change Management
Content defines all the different types of entities within an organization (e.g. item names, customers, and suppliers), while relationships define their groupings, hierarchies, and business rules — i.e. an organization’s data standards.
Access relates to the policies an organization has on who can access and edit which data sets. Change Management deals with the management and monitoring of changes in data, and how this is then communicated across the organization.
Finally, Processing defines the rules around matching and identification of data. This is to understand, for example, when two similar looking customer entries are found in two different systems if these actually relate to the same customer or not. It also includes the policies on how changes to the master data file are communicated to the systems of origin.
MDM is still in its infancy, although maturing rapidly. Many challenges, therefore, exist. Commonly, they include data complexity — just representing all master data’s entities and their relationships/hierarchies can be a daunting task. What is more, master data can sit in different and overlapping data silos. Identifying these, and agreeing to common domain values across systems, can be difficult. Further, we see that often many executives do not know where to start to engage in a potential MDM solution.
With this brief understanding of MDM, I would like now to touch on GDPR and discuss how MDM can be a solution to this looming regulatory behemoth.
GDPR and MDM Solutions
The General Data Protection Regulation (GDPR) is an EU-wide regulation coming into force on 25 May 2018 designed to harmonize data privacy laws and protect EU citizens’ data privacy. It states that any company, regardless of where in the world it is based, that manages or stores EU citizens’ personal data needs to know exactly what data of an individual is stored and used, and needs to obtain the individual’s explicit consent to do so.
The fines set by the European Commission for non-compliance are staggering — up to 4% of worldwide turnover or €20 million, whichever is higher. There is also a personal fine applicable to the data controller in charge of up to €500,000. It is, therefore, surprising so few enterprises have begun to implement these new guidelines. Partly this reflects the far-reaching requirements of the directive, as executives find it difficult taking the first step to compliance.
As such, some have raised MDM as an answer to GDPR. This is because, as GDPR forces companies to have a reliable and correct overview of individual customers, MDM offers exactly this overview and can, therefore, serve as the technical basis to GDPR compliance.
For example, data from individuals can be arranged as data identifiers and extended attributes. Here, a key advantage of using MDM for GDPR is that any individual is guaranteed the accuracy of their data. In MDM, this data is maintained centrally, which means that any particular sub-system in a large organization will not be forgotten when data changes. Not only does this simplify data management, but it hugely increases the quality and currentness of data.
That being said, we must not forget that GDPR also relates to personal data that is non-master data. This includes data that has limited reuse, or is just specific to a single application and, therefore, falls outside the scope of MDM. Thus, despite the utility of MDM for GDPR, an organization should beware not to include non-master data in MDM just for GDPR’s sake.
How to Get Started
As mentioned above, a common theme among executives that we see is not knowing where to start with an MDM solution. After all, in a large enterprise, beginning to represent and model your master data can become very complex, very fast. An example:
‘When we talk about a customer, do we mean a first name? Last name? Or both?’
More complex issues include cross-departmental definitions of ‘High Net Worth Customers’ and modeling the access authorities to different data sets by various groups in different geographies. Another challenge is how do we ask intelligent questions to this master data while letting the computer figure out how to navigate the complexity in the underlying data structure.
I'd like to talk about one tool that you might find helpful: Grakn. Grakn is a hyper-relational database built to model and represents exactly these types of complex networks. Rooted in Symbolic AI, it provides the knowledge base foundation for intelligent systems, including MDM.
The workflow we recommend can be as follows. To begin, you should task someone/a team from within your organization (or hire an outside consultant) to chart your master data. They will, amongst other things, speak to your relevant data processors/controllers, and map the different permissions/authorities, file structures, data lineages, etc. As this information is gathered, we help your team integrate the content, relationship, access, change management and processes (MDM’s five components) into one consolidated knowledge base. There will usually be several iterations before the entire knowledge base is completed, which may take anywhere between two to six months. This typically includes several in-house workshops to ensure the system is successfully implemented and adopted within your team.
Already early on into this process, while we integrate each database at every iteration, we begin to uncover questions that we are now able to answer, such as:
‘Find me all the owners of a dataset containing personal information of country X.’
‘Find me all the operational datasets that are used in a specific application and jurisdiction.’
‘Find me the owners of all operational datasets in a category for a specific jurisdiction/level.’
The issue we see with many existing infrastructures at enterprises is that answering these types of questions can become problematic. At best, it is a manual process where one has to go to each and every data owner/department to gather the data. At worst, it is just impossible.
However, with the right solution, you can answer these questions in real time. One such solution, Grakn, deals with the data complexity, so that, because of this, you can now gain a higher level of intelligence in delivering a state of the art MDM solution, and consequently comply with GDPR requirements.
MDM is also applicable across the entire compliance and risk function, including the appropriate segregation of duties, and adherence to KYC and AML procedures. What is more, doing so can bring you massive costs savings vs. having to do an isolated solution for each individual function.
One regulation that deserves special attention is MiFID II, which carries fines of up to €50 million. In this particular case, an MDM solution would define the legal hierarchy relationships between the counterparty and legal entity data from both external and internal data providers, ensuring that your corporate risk and compliance teams have access to the most up to date versions of this data. They would then use this to make connections to your securities instruments and manage your various risk levels.
Published at DZone with permission of Tomas Sabat , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.