Guest post by Dr. Sean Blanchflower, Head of R&D, Micro Focus IDOL
Dripping in sweat as I ease out of a marathon session at the gym, I often spy the oh-so-helpful poster, "no pain, no gain." But when applying this tenet to the now-pervasive General Data Protection Regulations (universally referred to as GDPR), we've certainly had the pain, so when do we get the gain? As employers, we've been bound by strict processes governing pretty much every one of our databases that we've needed to follow simply to retain our hard-earned lists of customers; and as customers we've been engulfed by increasingly frantic communications from companies that we bought a bunch of flowers from three years ago, working the full horizon of emotions from Denial ("just to let you know") and Anger ("don't send us to jail"), through Bargaining ("stay in touch and win a drinks voucher!") and Depression ("please don't go..."), to the eventual Acceptance ("it's goodbye").
So as customers we are - perhaps - through the worst, able to sleep relatively soundly knowing that regulators everywhere are safeguarding our private information, but as employers the difficulties are just beginning. The regulations apply indefinitely to all Personally Identifiable Information (PII) held on citizens of the European Union and European Economic Area, so the pain is evidently far from over. A Netsparker survey of 300 C-level executives claimed that only two percent of companies had reached full compliance by the time the regulations took effect in May. So what next?
Fortunately, the database and records management industry has jumped to offer governance and compliance products, poised to meet requirements across any company's suite of databases or records systems. However, this only answers a portion of the problem; making a customer database compliant is a key first step, but the regulations apply to all PII, in whatever form it appears. How about a passport number sent in an email? Or a comment about a user's medical condition posted on the customer forum on the website? Or even a photo of a driving license received as part of a transaction? How to deal with those?
At Micro Focus, our approach has been to use the capabilities of IDOL, the industry-leading AI engine that uses Bayesian Theory and Machine Learning to find patterns and perform analytics on all types of documents. To IDOL, a piece of PII is simply a pattern to be recognized across the 31 countries and 26 languages of the EEA, whether it's a postal address in Malta, a kennitala ID number in Iceland, or discussion of medical treatment in Romanian. Its contextual learning solves the problem of ensuring that a benign 8-digit number isn't blithely identified as a passport number, and its linguistic modules address the need to find the name of a Bulgarian individual regardless of whether it's given in Cyrillic or transliterated into the Roman alphabet. Sourced from government documents and constantly updated with new training and patterns, the GDPR module simply aims to meet the requirements to know where a company's PII is located and to help take action once it is.
Now if only it could help me through that final mile at the gym…