How do you think about the impact to a customer on data projects?
I’ve been working on a data programme and one of the things that stands out is the different perspective you need on the impact to the customer. On front end projects, where the customer interacts with the product directly, you naturally emphasise things like the customer’s access to the system or the customer completing an activity. On data projects the risks are harder to see. At the core of it, you need to think about the customer’s data, usually referred to as personal data (there is a section below on what that is). Not handling personal data correctly can lead to legal fines, loss of business reputation and the risk of the data ending up in the hands of malicious users.
What is personal data?
Personal data is any information relating to a person who can be identified, directly or indirectly, through an identifier. Examples of identifiers are a name and surname, a home address, an email address, location data or an Internet Protocol (IP) address. Combinations of less obvious fields (a date of birth plus a postcode, say) can identify someone too, so a column does not have to be called “name” to be personal data.
Legal Rights
Individuals have legal rights over their data, especially in Europe under the General Data Protection Regulation (GDPR). For serious breaches the maximum fine under the UK GDPR is £17.5 million or 4% of annual worldwide turnover, whichever is higher (under the EU GDPR it is €20 million or 4%). That is a big financial impact on the company, and on top of it comes the damage to the company’s reputation. Who is going to use a company that can’t look after their data?
Four key things:
To keep it simple, here are four key things to get you started on what you need to know.
1. Consent
Consent is one of the lawful bases for processing someone’s data (there are others, such as a contract with the individual or a legal obligation). Where you rely on it, the individual must actively agree to the processing, and that agreement has to be freely given, specific, informed and unambiguous. That is why websites ask with unticked opt-in boxes: a pre-ticked box or silence does not count as consent.
Imagine you process their data without asking for consent. Or you ask for consent but don’t record what was agreed and when, so you can’t prove it later. A problem!
2. Right to be forgotten
Individuals can ask a company to erase the personal data it holds about them, for example when the data is no longer needed for the purpose it was collected for or when they withdraw their consent. The right is not absolute, but when it applies you have to be able to act on it.
What if you don’t have a process for removing personal data, including the copies that have flowed into downstream datasets? A problem!
3. Data subject access request
Individuals can ask a company for a copy of all the personal data it holds about them, and the company normally has to respond within one month.
What if you don’t have a process to gather everything you hold on someone across all your datasets? A problem!
4. Purpose limitation
Personal data should only be collected for specified, explicit and legitimate purposes, and not processed further in a way that is incompatible with those purposes. I’ve been taught from the very start that we’re not allowed to use production data for testing. “Purpose limitation” reminds me of that. I read an excellent article on the Ministry of Testing by Ioan Solderea that covers data anonymization. https://www.ministryoftesting.com/articles/using-personal-data-in-test-safely-how-to-comply-with-the-gdpr?s_id=18698045
What if the company is sharing the data with third parties for a purpose the customer was never told about, or you’re copying live personal data into test environments? A problem!
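As an added illustration of the purpose-limitation point above (example code written for this page, not taken from the linked article or any project): a small Python routine that pseudonymises a constructed production export before it goes anywhere near a test environment, then checks that none of the original identifiers survived. The secret key, the reserved `test.invalid` domain, the sample records and the choice of which fields to keep are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, List

# ASSUMPTION: in real use this key comes from a secrets manager and never reaches
# the test environment. A fixed value is used here only so the example runs offline.
PSEUDONYM_KEY = b"replace-me-with-a-key-from-your-secrets-manager"
TEST_DOMAIN = "test.invalid"  # reserved TLD (RFC 2606): never deliverable

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DIRECT_IDENTIFIERS = ("name", "email", "home_address", "ip")

# Constructed sample export (order records); these are not real customers.
PRODUCTION_EXPORT: List[Dict] = [
    {"order_id": 5001, "name": "Alice Example", "email": "alice@example.org",
     "home_address": "1 High Street, Leeds", "ip": "203.0.113.45", "order_total": 42.50},
    {"order_id": 5002, "name": "Bob Sample", "email": "bob@example.org",
     "home_address": "22 Station Road, York", "ip": "198.51.100.7", "order_total": 9.99},
    {"order_id": 5003, "name": "Alice Example", "email": "Alice@Example.org",
     "home_address": "1 High Street, Leeds", "ip": "203.0.113.46", "order_total": 12.00},
]


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token for an identifier.

    Same input -> same token, so joins and duplicate checks still work in test,
    but without the key the token cannot be reversed. A plain SHA-256 of an
    email would NOT do: the space of emails is small enough to brute-force.
    """
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(rec: Dict) -> Dict:
    """Replace direct identifiers, keep only the business values tests need."""
    token = pseudonym(rec["email"])
    return {
        # ASSUMPTION: order_id is kept as a plain business key; whether it needs
        # tokenising too is a call for the project's data-protection assessment.
        "order_id": rec["order_id"],
        "name": f"customer-{token[:8]}",               # synthetic, stable per person
        "email": f"{token}@{TEST_DOMAIN}",             # valid format, undeliverable
        "home_address": rec["home_address"].rsplit(",", 1)[-1].strip(),  # town only
        # Generalise the host address to its /24 so traffic patterns survive
        # but the individual host does not.
        "ip": str(ipaddress.ip_network(f'{rec["ip"]}/24', strict=False)),
        "order_total": rec["order_total"],
    }


def pseudonymise_export(records: List[Dict]) -> List[Dict]:
    return [pseudonymise_record(r) for r in records]


def find_leaks(test_records: List[Dict], production_records: List[Dict]) -> List[str]:
    """Gate to run before a dataset leaves production.

    Returns every original direct identifier that still appears anywhere in the
    output, plus any email address outside the reserved test domain. An empty
    list means the export is clear to ship.
    """
    blob = "\n".join(str(sorted(r.items())) for r in test_records)
    leaks = []
    for rec in production_records:
        for field in DIRECT_IDENTIFIERS:
            if rec[field] in blob:
                leaks.append(f"{field}={rec[field]}")
    for match in EMAIL_RE.findall(blob):
        if not match.endswith("@" + TEST_DOMAIN):
            leaks.append(f"email={match}")
    return leaks


if __name__ == "__main__":
    safe = pseudonymise_export(PRODUCTION_EXPORT)
    for row in safe:
        print(row)
    print("leaks in raw copy:", find_leaks(PRODUCTION_EXPORT, PRODUCTION_EXPORT))
    print("leaks in pseudonymised copy:", find_leaks(safe, PRODUCTION_EXPORT))
```

The two properties worth noticing are that Alice’s two orders still share one token (her email is normalised before hashing, so the differently-capitalised copy maps to the same person), and that the same `find_leaks` gate fails loudly on an unmodified copy of the export. Whatever tooling a project actually uses, a check of that shape in the pipeline is what turns “we don’t use production data in test” from a rule people remember into one the pipeline enforces.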
Summary
Understanding what personal data is and learning more about the General Data Protection Regulation (GDPR) will help you find the problems on data projects that are often hidden, and so mitigate the biggest risk: a huge legal fine.