Preparing for the Kenyan Data Protection Act

Following last week’s discussion on the Data Protection Act, I’ll bring back another article, written some time ago, that highlights what I believe is a critical tool for handling compliance with data protection while also supporting a data foundation that enables any organization to deliver trusted, well-integrated and well-managed data to all its decision processes.

Master Data Management is the powerhouse of the organization’s most valuable data. Data that is used by all its departments across the organization to get their work done – making it critical for any business regardless of its size and reach.

Master Data Management is an end-to-end process covering the data journey in the organization. It collects data from the relevant sources to establish a single data source for the organization. A single source of truth: the golden record.

Although it is not a full-scope solution, Master Data Management needs to be at the head of what organizations consider their compliance strategy for data privacy regulations.

Compliance with the Data Protection Act is one of the pressing imperatives for organizations: non-compliance means significant penalties as well as lost revenue due to customer attrition. It is therefore critical to think about employing enterprise-level governance processes to deal with all types of private data collected. Master Data Management is just one component, albeit a key one, to consider for an effective compliance strategy.

How MDM helps prepare for the Kenyan Data Protection Act

The Data Protection Act is here, but Kenyan companies are woefully unprepared.

The risk of being non-compliant can mean negative publicity, damage to companies' reputations, and penalties. The new requirements include that data be protected adequately and that, when breaches do occur, organizations have notification capabilities in place that align with the bill’s standards.

Especially in telecommunications and financial services, data is the ultimate battleground. These sectors are already under increasing pressure to meet regulatory demands and manage their business challenges: constantly evolving regulatory requirements, a rising-cost environment, pressure on profit margins, economic pressures, the ever-increasing demands of customers and increased competition. They will now face different data challenges.

The Data Protection Act will govern how telecoms and banks collect, use, store and delete personally identifiable information in the wake of rising cyber-attacks, and organizations are finally waking up to the reality that compliance is no longer up for negotiation.

For organizations that hold information for millions of customers on their systems, keeping that personal information secure is already a challenge. Compliance with this new regulation is a massive task and there is no silver bullet approach. It’s not surprising that not all organizations are ready.

Upcoming challenges

The first challenge is understanding what needs to be done, avoiding being struck by paralysis and denial. To overcome this, those leading their organization’s efforts must start understanding the regulation and taking steps to ensure organizational compliance.

The approach should rest on three main vectors: Data Management, Security and Business processes.

  • Data management: Data under the scope of the bill needs to be properly governed so that it can be easily located and managed, which drives the implementation of robust data management solutions.

  • Security: Preventing data loss and breaches is imperative, which means being able to identify where data is located and how it is being used.

  • Process: Finally, to ensure data is handled properly within the organization, changes in the existing business processes or even new processes need to be implemented, involving staff training, internal audits, and review of internal procedures.

Data Management

This article will focus on the data management vector and on how a strong data management framework will help the adaptation to these new requirements.

The first step is to create the right structure to conduct this process, making executive management responsible for ensuring that the organization meets its legal obligations to implement the requirements and the organization’s governance processes, including information security, legal, records management and audit.

The most important step to compliance is to understand the data the organization holds. Across the organization, different departments and different systems will hold personal information. Understanding what must be governed is the first step to governing it.

Master Data Management

When starting the process of complying with the Data Protection Act, consider that addressing Master Data Management (MDM) and data protection together is a sound strategy to save time and money. MDM involves identifying your customer data, determining who accesses that data and creating a governance program. Although an MDM implementation does not automatically make an organization compliant with the Data Protection Act, it does include some of the necessary steps to ensure compliance.

Both projects address a set of common requirements about who is using data and where that data is used and/or replicated. In fact, most of the MDM requirements are also requirements for Data Protection Act compliance. There is some additional work remaining, such as consent or anonymization, but it can easily be accommodated in an MDM initiative.

Data management is rarely seen as a competitive advantage. Although using MDM for customer data is a common implementation, organizations have yet to extend this practice to customer communication preferences and interaction histories, or to their employee records. The process of complying with the Data Protection Act is an excellent opportunity to do that.

Some of the specific requirements of the Data Protection Act, such as the right of rectification and erasure or consent, are, for organizations the size of telecoms, banks or insurance companies, virtually impossible to process manually.

With highly siloed ecosystems formed of dozens or hundreds of different systems, identifying all the copies of the customer data in all its variants is a daunting task if the proper data management platform is not in place.

An MDM solution solves exactly these issues, guaranteeing that all the systems in the organization use the same customer information, the customer golden record, and identifying every single source or target for that data.

When it comes to the Data Protection Act requirements referred to previously (the right of rectification and erasure, or consent), these can be included in MDM, enabling the full automation of these processes.

Besides all the features previously listed, a single view of the customer data also constitutes an authoritative source of customer information, controlling the data silos, making it easier to accommodate ever-changing business requirements, eliminating redundancy and increasing data quality.

Conclusion

On the verge of a new set of compliance requirements, and although every industry may have a different business vision, you need to look at that vision and understand whether the focus of this transformation should only be compliance with the Data Protection Act, or whether a broader opportunity should be considered.

You need to look at this solution not only as a way to solve compliance, but also as a true business differentiator, enabling a customer-centric vision that supports the organization in delivering truly personalized and valued customer experiences.