David and Goliath of GDPR — Part 2

Image Credit: https://www.deviantart.com/bridge-troll/art/Nana-and-Goliath-406825049

Data Minimization

As it says on the tin: use only as much data as is needed to accomplish a specific task. Also, no double dipping: data collected for a given purpose cannot be re-used for another purpose without additional consent.

  • David: Business process changes around gathering additional personal data attributes such as lead lists. For example, if you have marketing emails going to leads, consider removing all other elements that have no clearly defined purpose. Also, do away with any unnecessary data enrichment. These changes may sound harder than they actually are.
  • Goliath: Technology solutions are designed to maximize data retention and actively prevent data deletion, so minimization and data deletion are counter-intuitive to their inherent architecture. Modifying business rules to remove required fields, particularly for unstructured data managed by code (Mainframe flat files), and changing data aggregation/integration are hard problems to solve. These may take longer than planned.

Storage Limitation and Data Retention

Continuing with the theme of reasonability of purpose, retention is another important principle. Store personal data only for a legitimate duration and destroy it once its purpose is attained. Keeping data because you can and wearing Bell Bottoms are both out of fashion and dangerous. Trust me, those flares can get stuck in escalators leaving you exposed!

  • David: Automation of data expiration, deletion or de-identification/obfuscation is one of the simplest steps for most modern systems. Run a batch job, a scheduler or whatever your systems support and just get it done. For example, automate the removal of ex-customers' data once the contractual and legal obligations are done.
Understanding what information to keep and disposing of information that is no longer needed is an important part of effective information management. In fact disposal is something that you are required to do under legislation such as the Public Records Act and Data Protection Act.
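The scheduled retention job described in the David bullet above, as an added example (not code from the original article). The `customers` schema, the `legal_hold` flag and the six-year retention period are assumptions made for illustration; it de-identifies rather than deletes, so the record survives without the personal data.

```python
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 6 * 365                  # assumption: derive from your own legal/contractual duties
PII_COLUMNS = ("name", "email", "phone")  # hypothetical schema; fixed constants, never user input

def purge_expired(conn, today):
    """De-identify ex-customers whose retention window has closed; return rows changed."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    sets = ", ".join(f"{col} = NULL" for col in PII_COLUMNS)
    with conn:  # single transaction: every expired row is scrubbed, or none is
        cur = conn.execute(
            f"UPDATE customers SET {sets}, deidentified_on = ? "
            "WHERE contract_end IS NOT NULL AND contract_end <= ? "  # ex-customers only
            "AND legal_hold = 0 "                                    # obligations still open
            "AND deidentified_on IS NULL",                           # makes reruns idempotent
            (today.isoformat(), cutoff),
        )
    return cur.rowcount

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,"
        " contract_end TEXT, legal_hold INTEGER DEFAULT 0, deidentified_on TEXT)"
    )
    rows = [  # constructed sample data
        (1, "Ann Active", "ann@example.com", "555-0101", None, 0),      # current customer
        (2, "Bob Old", "bob@example.com", "555-0102", "2015-03-01", 0),  # retention expired
        (3, "Cy Recent", "cy@example.com", "555-0103", "2023-06-30", 0), # inside retention
        (4, "Di Held", "di@example.com", "555-0104", "2014-01-15", 1),   # expired, legal hold
    ]
    conn.executemany(
        "INSERT INTO customers (id, name, email, phone, contract_end, legal_hold)"
        " VALUES (?, ?, ?, ?, ?, ?)", rows)
    changed = purge_expired(conn, date(2024, 1, 1))
    return conn, changed

if __name__ == "__main__":
    conn, changed = demo()
    print("de-identified:", changed)
    for row in conn.execute("SELECT id, name, email, deidentified_on FROM customers"):
        print(row)
```

Run it from cron or any scheduler; the `deidentified_on` stamp doubles as an audit trail of when each record was scrubbed.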

Data Portability

Clearly, as the name says…Gimme my data! And in a format that is usable with other providers. Few other GDPR principles are as controversial for businesses as this because, at a glance, it makes customer churn easier. However, data portability is a big win for consumers and a boon for customer-centric companies.

  • David: Standard business apps that can run reports and extract data as .csv or pdf files can make some part of customer data portability easy. Combining that with specific guidance on sensitive data, such as here, is a great way to give customers another reason to consider staying. Portability standards such as Google’s and the UK’s Midata are worth looking at and implementing for data portability.
“Data portability” is a feature that lets a user take their data from a service and transfer or “port” it elsewhere. This often comes up in discussions about leaving a particular social media platform and taking your data with you to a rival service.
  • Goliath: Perhaps the biggest challenge for Portability is to be able to bring it all together, especially if you are not a social networking giant. Customer data is littered across the enterprise systems, and often runs into challenges when you consider unstructured data (again). Consider implementing third-party systems that facilitate portability, but plan for grey areas, especially when the information was shared with more than one data subject.

Cloud Compliance

Salesforce ISV, creator of 'Cloud Compliance - GDPR Data Management' AppExchange package to remove personal data and de-identify records without deleting them.