General Data Protection Regulation – Right to be informed – Technology Strategy

The Right to be Informed (about processing) under the General Data Protection Regulations relates to information gathered either directly from the individual, through their interactions with the organisation or via third parties.

The technology challenge with such a right is making sure that the correct individual is identified and informed about the processing. Even the process of informing the individual is fraught if that individual has already notified the organisation they do not want to be contacted. From a legacy systems viewpoint good search, matching and linking is required to ensure the right individual is contacted and they have given prior consent to communication.

Organisations that have implemented a CRM (customer relationship management) system (such as SalesForce, Dynamics CRM or Siebel) to provide a ‘single view of the customer’ will be able to use Master Data Management Technologies (such IBM InfoSphere or Informatica PowerCenter) to provide match and linking for information related to individuals to enrich the CRM with consent information. The consent information should be evidentially recorded via a secure timestamp and cryptographic hash and access provided to those systems that need to enforce compliance (via a RESTful interface using a secure hash as a key).

Tactics for compliance include scanning and processing paper forms into an indexed evidential document store which provides a (RESTful) interface for providing compliance information. When new information is obtained about the individual existing processing and data consent will need to revalidated and the individual informed of the change. Typically I have seen ElasticSearch used for search indexing using an Enterprise Content Management System (Alfresco Digital Business Platform or IBM FileNet) for storing the documents and the results stored in the CRM system synchronised with a evidential status store based on NoSQL or SQL technology.

The right also conveys the need to inform the individual within a reasonable time and in a manner acceptable to the individual: easily understood and convenient. This could be post, e-mail, SMS or notification depending on the client’s needs especially to comply with accessibility requirements. These facilities all need gateway technologies such as print, email/SMS (Twilio for example) to ensure the individual can be contacted.

From a open source viewpoint ElasticSearch (for search), Apache NiFi (for search and linking) and Apache HDFS (for document storage) and the database of your choice (MySQL, Postgres, MongoDB or HBase are on my shortlist). Adding an API Gateway (Mule, Knox or Kong) provides other systems with the consent information which can trigger notification to the user when the new information is recorded or processing changes (using Event Stream Processing using Apache Storm or via AWS Lambda/Azure Functions if cloud based).

Overall the strategy to support this right alludes to an event driven architecture as the strategic way forward so new information being collected or obtained triggers an evaluation of the change which in turn triggers notifications to the individual. Whether they are spontaneous single actions or batched into meaningful, yet still timely, notifications the event driven approach still stands.