GDPR a primer

The General Data Protection Regulation (GDPR) imposes new and arduous burdens on businesses and other organisations across Europe from May 2018. Behaviours will have to change, and companies have to make sure they are ready for the deadline or face fines of up to 20 million euro (or more, see below). This primer summarises some aspects of the GDPR which will impact businesses: a regulation which significantly overhauls Europe's data protection legislation at a time when information systems and digital business underpin most business growth strategy.

GDPR & personal data

The draft GDPR legislation was proposed by the Commission in January 2012 and took four years to wind its way through the Commission, the Parliament and the Council. Four years of intensive debate, negotiation and lobbying resulted in a very detailed 88-page regulation which applies across Europe from the 25th of May 2018 (Article 99(2)).

GDPR is one of the most wide-ranging pieces of legislation passed by the EU in recent years. It introduces new concepts such as the 'right to be forgotten', data portability, data breach notification and accountability, and many others, which will place new burdens on European businesses and on businesses trading in Europe.

Outside of the European Union, it is expected that the GDPR will, via the Brussels Effect become the de-facto standard for data privacy in many other countries.

In the preamble to the regulation (Recital 1) is a bald statement: "Everyone has the right to the protection of personal data concerning him or her". This is a very different philosophy from what applies in other jurisdictions. For example, in the US there is no single over-arching Federal data protection law; instead there is a 'sectoral' approach to data protection legislation. In effect this means that data protection measures are buried within numerous laws and regulations at Federal level, such as the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act. (The EU-US Safe Harbor arrangement, often mentioned alongside these, was a transfer framework rather than a US statute, and was invalidated by the Court of Justice of the EU in 2015.) It should not be forgotten that the American system also has state-level legislation, where California and Massachusetts stand out as having the most stringent requirements.

When talking about personal data, it is important to note that this sweeping term covers traditional items like name, address and medical information, but also stretches to identifiers like IP addresses and RFID tags (Recital 30). Even when data gathered by an EU entity is processed outside the EU it is still covered by the regulation (Article 3(1)). Anonymous data, which can no longer be related to an identifiable person, is excluded (Recital 26), but pseudonymous data is explicitly included: replacing a name with a token does not take a record out of scope as long as the token can be mapped back to the person (Article 4(5)), and the key or mapping table must be protected accordingly.

Users

New rights for users are explicitly created by GDPR, both when the data is gathered and for as long as the data is retained. During data gathering there are two major rights: consent and information about the data controller. A person's consent must be active and auditable; the controller must be able to demonstrate that consent was given (Article 7(1)). So pre-ticked boxes, or assuming that people consent if they don't object, are no longer permitted as means of consent (Recital 32). Also, when a person is supplying data, the receiving organisation must supply the identity and contact details of the relevant data controller (Article 13(1)).

For as long as an organisation retains data about an individual, the individual retains certain rights. These rights can be exercised by the individual at any time until the data is destroyed, and organisations will have to be prepared to deal with them. So retaining data has an ongoing cost beyond the cost of storage.

An individual has the right to gain access to their information held by an organisation, so the organisation has an obligation to supply that data if requested by the subject (Article 15(1)). This ties in neatly with the right to data portability, which means a person can take his/her data to another organisation (Article 20). If a person doesn't agree with the data held about them they have a right to rectification (Article 16); the regulation is silent on exactly how "accurate" is to be defined. Going further, there is now a right to erasure (Article 17), whereby an individual can insist on their information being deleted, subject to the grounds in Article 17(1) and the exceptions in Article 17(3), such as legal obligations to retain records. Besides focusing on the actual data, people have a new right not to be subject to decisions based solely on automated processing (Article 22), alongside the general right to object to processing (Article 21).

Organisations

Each of these rights for the consumer naturally places obligations on the data-holding organisation, obligations which may incur costs for technology, staff and new processes. Besides the cost of vindicating the various specific consumer rights, organisations also have new generic obligations in terms of staffing and processes.

There is now an explicit requirement for a Data Protection Officer (Article 37) for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special categories of data; the DPO has a specific role laid down in the regulation, including monitoring compliance with the GDPR. As part of everyday business and process enhancement, the organisation is obliged to perform a data protection impact assessment where processing is likely to result in a high risk to individuals (Article 35). If something goes wrong, the organisation must report data breaches to the national supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33). Plus, where the breach is likely to result in a high risk to individuals, the organisation must contact the people whose data was compromised (Article 34). Each of these steps places a burden on the organisation, and especially on management, who need to be prepared for the inevitable mistakes: the 72-hour clock makes it worth having incident detection, an escalation path and a pre-drafted notification process in place before a breach happens.

General

Naturally the various EU and national administrations inserted a carve-out for their own requirements, with restrictions permitted for defence, public security and national security among other grounds (Article 23).

Besides the terrible publicity for an organisation that mishandles customer data, as has been seen in so many cases before now, the GDPR contains penalties. In the worst case these penalties could rise to 20 million euro or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)).

Dimensions of big data maturity models

Typically what dimensions do big data maturity models examine and why?

Dimensions from common big data maturity models

In the word cloud above you can see a selection of dimensions from commonly deployed maturity models. The models themselves are not of interest at the moment; just look at the large words, i.e. the most frequently used terms. In essence, these terms drive the maturity modelling process, so they are key to a suitable model.

There should be nothing surprising in any of these terms, and indeed most practitioners agree much more than they disagree about what needs to be included in a big data maturity model. The subtle differences reflect industries and the experience of the individuals who created the models. The problem is picking a suitable model for a given situation.

Using the wrong tool is rarely a path to success, and doubly so when it concerns measurement systems. Below is a quote from the man who brought us Critical Chain, the project management method.

“Tell me how you measure me and I will tell you how I will behave. If you measure me in an illogical way… do not complain about illogical behavior…”

Eli Goldratt

The first sentence is commonly quoted, but the second one also deserves some attention. We often blame illogical behaviours on character flaws in managers. Perhaps we need to reflect a little more on the tools we use to evaluate them.

A quick and simple Customer Experience maturity questionnaire

 

Organisations normally have very laudable goals about customer centricity in their annual reports and strategic documents. A strong management system would always involve some sanity checking of what actually happens on the ground to implement the strategy. This would include some kind of mystery shopping as well as customer and staff surveys, to measure and track what level of customer experience is being delivered in practice.

This Quick Staff Survey Tool is useful for a quick overview of what a large number of staff think. It should be used in addition to other tools like detailed staff surveys, workshops and one-on-one meetings.

Maturity Models

The key insight (the Anna Karenina principle) which drives Maturity Models is that all successful companies in a given field have to surmount the same obstacles. A good maturity model will clearly group and articulate these obstacles (normally termed dimensions) along with understandable levels. The resulting two-dimensional matrix should be summarised in a single graphic and be easily comprehensible to a person working in the field.

These dimensions and levels provide the framework against which a company can benchmark itself and its competitors, formulate action plans, and track progress over time. Thus, maturity models may be understood as artefacts which serve to solve the problems of determining a company's status quo of its capabilities and deriving measures for improvement (Becker et al., 2009). In brief, the Maturity Model becomes a key strategic tool for driving progress.

 

Dimensions

The Anna Karenina principle was originally expounded in Tolstoy's famous opening line: "Happy families are all alike; every unhappy family is unhappy in its own way" (Tolstoy, 1873). This means that families, while having different circumstances and dynamics, must all manage certain obstacles. A family Maturity Model, we could speculate, might have the dimensions Money, Parenting, Sex, In-Laws and Religion. For a family to be happy, it must have a certain ability (or maturity) to handle each and every one of these five dimensions. Failure in any one dimension will lead to unhappiness. Aristotle makes the same point when he says: "For men are good in but one way, but bad in many" (Aristotle, n.d.). A more up-to-date wording is: "It seems that in good situations a number of requirements must hold simultaneously, while to call a situation bad, even one failure suffices" (Arnold, 1984).

These dimensions, the high-level structure or the "buckets" of capabilities that are being evaluated, are the key to any Maturity Model. The dimensions frame the discussion and trigger the right (or wrong) questions, which is half of a Maturity Model's job. A key principle when evaluating dimensions is whether they are MECE (mutually exclusive, collectively exhaustive): no capability should be counted under two dimensions, and no capability needed for success should fall outside all of them.

 

On the surface, these multiple dimensions might be thought of as contradicting the Hedgehog principle (Collins, 2017), where mastery of a single skill is key to success. But a little reflection shows that this is not so black and white. In corporations, many people are used to balancing conflicting demands. "Do more with less" is one frequently heard articulation of conflicting demands. This formulation drives many managers nuts, as it fails to provide any helpful guidance. Similarly, when one asks a company to specify an ambition level per dimension, the answer starts with a bland "best in class" or "top of the range". It is only when we look at the detail behind the model, at the steps and investments required to move up a maturity ladder, that the trade-offs become clearer and choices can be made. The exact balance between conflicting demands can be captured in the prioritisation which the company gives to moving from one level to the next.

 

Levels

Typically there are five levels in any model. With more than five the distinctions between levels become arbitrary; with fewer than five, detail is lost. Usually the lowest level is some variation of missing or ad hoc, while the highest level is a self-adapting and optimised process. The names vary from model to model: in the Quality Management Maturity Grid the five levels are wonderfully named Uncertainty, Awakening, Enlightenment, Wisdom and Certainty (Crosby, 1997), whereas the Public Sector Internal Audit Capability Maturity Model is far more prosaic with Initial, Infrastructure, Integrated, Managed and Optimizing (IIARF, 2009).

 

What is important is that practitioners don't automatically assume that the highest level is the best one for them. The organisation's strategy is key to guiding the correct target level.

The top level may not be an organisation's goal, as the cost to achieve it may at times exceed the benefits. In other words, management's risk tolerance may be high enough to allow the process to be less exact or consistent, or it may not be strategically important enough to invest in certain processes to consistently achieve the top level.

 

When a company agrees on a baseline and a target level, there is a natural gap analysis from which a maturity development plan emerges. Some practitioners try to go directly to the target level, ignoring the intermediate steps. This is normally unsuccessful, as a company needs to evolve through the levels: "Some do it faster than others and with fewer detours, but fast or slow, every company that gets to world class must evolve through these stages to get there. There are no shortcuts." (Shapiro, 1996)

 

The key output of a maturity model assessment isn't what level you are at, but the actions, vocabulary and plan required to improve.

 

Maturity Models stand apart from the suite of diagnostic tools developed over the years to help identify problem areas: SWOT, benchmarking, McKinsey 7S and the BCG growth matrix are widely used examples. These tools are not in themselves solutions to any problem; they are diagnostic tools which help to pinpoint the pathology. Maturity Models have the advantage that they both highlight the current situation and sketch out a road map to evolve.

 

However, Maturity Models, like any model, are approximations of the real world. They can be dismissed as oversimplified, missing key ingredients or just plain wrong. Used wisely they can be useful: even a crude model can help you figure out the next step to take when an organisation has trouble understanding and articulating exactly what is wrong and what it wants done. For example, if it knows about symptoms such as flat revenues or dropping margins, but not the root causes, then any actions will be scatter-gun and ineffective. Maturity Models can help isolate the root cause(s), frame the solution and provide targeted actions.

 

Common pitfalls

Using a maturity model to measure one group against another is counterproductive. This is a textbook example of ruining an informational metric by incentivising it (Goodhart's law): once a score decides rankings or rewards, groups optimise the score rather than the capability. However, it is typical to benchmark ourselves against others, and this needs to be guarded against. When showing an organisation's results from multiple groups, avoid showing any comparisons between groups.

 

Summary:

Maturity models have two key properties, Dimensions and Levels. Dimensions represent the buckets of capabilities required, and Levels are a measure of effectiveness in each Dimension. When appropriately designed, these models provide:

  • A framework for envisioning and communicating the desired state, and the associated change initiatives.
  • A benchmark of the organisation against other organisations.
  • A roadmap from an immature to a mature process.
  • A disciplined, repeatable method that is easy to understand and implement.

 

 

Works Cited

Aristotle, n.d. Nicomachean Ethics. New York: Barnes & Noble.

Arnold, V., 1984. Catastrophe Theory. 1st ed. Berlin: Springer-Verlag.

Becker, J., Knackstedt, R. and Pöppelbuß, J., 2009. Developing Maturity Models for IT Management: A Procedure Model and its Application. Business & Information Systems Engineering, 1(3), pp. 213-222.

Collins, J., 2017. Hedgehog concept in the business sectors. [Online]
Available at: http://www.jimcollins.com/article_topics/articles/hedgehog-concept-business-sectors.html#articletop
[Accessed 13 09 2017].

Crosby, P., 1997. Quality is Free. 1st ed. New York: McGraw-Hill.

Diamond, J., 2014. Guns, Germs, and Steel: The Fates of Human Societies. London: Vintage.

IIARF, 2009. Internal Audit Capability Model (IA-CM). [Online]
Available at: https://na.theiia.org/iiarf/Public%20Documents/Internal%20Audit%20Capability%20Model%20IA-CM%20for%20the%20Public%20Sector%20Overview.pdf
[Accessed 12 09 2017].

Shapiro, A., 1996. Stages in the evolution of the Product Development Process. In: McGrath, M. E. (ed.) Setting the PACE in Product Development: a guide to product and cycle-time excellence. s.l.: Butterworth-Heinemann.

Tolstoy, L., 1873. Anna Karenina. 1st ed. New York: Random House USA Inc.