Meeting the stringent requirements of the GDPR is no easy feat. Denodo’s Saptarshi Sengupta discusses how a leading organization approached the challenge – and achieved significant time and expense in the process.
While the looming deadline for the European Union’s General Data Protection Regulation (GDPR) of May 2018 has come and gone, global organizations, like Autodesk – one of the biggest names in worldwide 3D CAD design, have either adapted well and are in compliance or are racking up some serious violation penalties. In late 2017, Forrester’s report “Predictions 2018: A Year of Reckoning” estimated that 80 percent of firms affected by the GDPR would not be able to comply with the regulation by the deadline, and of those noncompliant firms, 50 percent would intentionally not do so. Whether your organization has already found the right mix of technology and processes or you’re still looking for the right path to GDPR nirvana, establishing and maintaining compliance is no easy feat and requires an innovative approach to ensure success.
While many organizations seemed to be in reactive mode when it came to achieving GDPR compliance, Autodesk considered it an incentive for stimulating innovation without sacrificing revenue goals. Autodesk’s quest for GDPR compliance actually fueled improvements through new perspectives and approaches to solving problems, which led to new paradigms in best-case scenarios. “Privacy by design,” for example, is an information strategy that was formed as part of GDPR to incorporate data privacy in systems and processes as they are being developed or revised.
This approach, which is mandated by the GDPR for new projects, necessitates investing in data privacy up front. This method is often used based on the belief that such an investment will 1) pay off overall via customer loyalty and 2) avoid costs associated with penalties and rework to retrofit systems and processes to accommodate future personal data privacy rules. It also provides the opportunity to “design in” the flexibility necessary to accommodate future clarifications and changes to the GDPR.
However, achieving a holistic view of GDPR-related data is challenging given the fragmented data ecosystem comprised of diverse data sources. Autodesk leveraged existing data virtualization technology and its logical data warehouse model to help prepare the organization to meet the stringent GDPR requirements.
Using data virtualization, Autodesk Platform Lead Kurt Jackson created a layer of abstraction between data consumers and data sources, making it possible to leave all source data exactly where it is and establish a virtual view for accessing all compliance-related information. After selecting its data virtualization solution, they were able to both avoid data movement by logically consolidating all the data and ensure data privacy by design, a key requirement for GDPR compliance. This also allows Autodesk to support data cataloging as well as search and discovery of both data and metadata and provide a mechanism to centrally audit and glean lineage of sensitive data.
Autodesk had already successfully deployed data virtualization technology to help establish an agile business intelligence 2.0 architecture with a logical data warehouse at its core to create a single, unified enterprise access point for its changing business models. With the system up and running and already delivering ROI, the team discovered they could apply the same technology to help various Autodesk business teams plan, develop and maintain a GDPR solution. However, the challenge was for Kurt to help the business teams realize that the right technology for the GDPR solution was already available within the organization and then ensure they leveraged the technology for the optimum outcome.
What came as a surprise was that the data virtualization team didn’t know that other business teams within Autodesk were already working toward meeting the GDPR requirements and the associated deadline of May 2018. It was also discovered that a potential solution – already in process with the business teams – called for 12 full-time staff to be put in place to research proper handling of the 10,000+ “delete requests” from its more than 2 million active accounts. These were jobs that would do no more than collect and provide data to other members to take action.
The business teams didn’t know Autodesk was already using data virtualization technology for a logical data warehouse. Kurt and the data virtualization team reached out to the business teams and volunteered to handle triage of all incoming “delete” requests from customers. But when it was discovered the planned approach called for dedicated, new, full-time staff to field the requests, research the account and then provide the information to other teams and systems to handle deletion in all appropriate source systems, all teams quickly realized they already had the right technology and a better solution: data virtualization.
Just as Autodesk leverages data virtualization for its logical data warehouse, they realized they could do the same for their GDPR solution. Autodesk knew the GDPR challenges were the same: get disparate, numerous source systems and models that don’t talk to or integrate with each other to come together virtually. In the case of GDPR, the data virtualization platform brought together 104 different objects over 11 different data systems all through a single web service. The team started the project in February 2018 and was finished by the end of April with only two individuals handling the coding.
Autodesk can now process a single request in only 20 seconds, whereas the planned solution called for manual intervention that took humans 480 seconds per request. Leveraging data virtualization, Autodesk eliminated the need for 12 full-time staff and designed and implemented its GDPR solution in only three months with only two individuals coding. With more than 10,000 delete requests per month and potential fines of 4 percent of revenue for customer privacy violations, Autodesk was able to meet all GDPR requirements and save the company significant resource time and budget in the process.