As we saw in the previous blog (Nordisk Film – business intelligence and analytics in a modern, diverse company), Nordisk Film is part of Scandinavia’s leading entertainment company, the Egmont Group, employing nearly 2,000 staff and having an annual revenue of around €500m. As well as being both a film producer and distributor, the company also deals in video games, gift cards and events tickets, requiring it to keep track of data from literally millions of customers and suppliers.
Last time, we also heard from Mikkel Hansen, Nordisk Film’s system finance manager, who has been focusing on making it a more data-driven organisation. Mikkel spoke about this in a recent TimeXtender webinar that he shared with Timm Grosser, Head of BI consulting at the BARC Research Institute in Germany. The webinar link’s at the end of this blog but a key theme voiced by both Mikkel and Timm is that with the 25 May date for GDPR compliance looming, data management needs to be on everyone’s minds.
BARC recently conducted an international survey of around 700 companies and found that while seven out of ten saw data preparation as a very important topic for them, most were struggling with any meaningful analytics due to their data management being less effective than they want it to be.
“With increased digitalisation and decision automisation, data becomes fundamental to business success,” notes Timm. “As we all see increasing data volume, we also see more data variety out there – not only structured data but also poorly structured data or unstructured data that we could use. Since we all have to rethink our businesses to drive innovation from that data, decision automisation is becoming one of the biggest value drivers because this is how we can all put data into action.”
The historical problem with data
Since data management has been neglected by many organisations over the years, Timm notes that any last-minute rush towards GDPR compliance can easily be stalled by one or more of these issues:
Poor data quality
Problems with identification of data due to silos
Problems with data traceability
No deep understanding of type and location of data stored across an organisation
Meeting GDPR legislation requires unified data protection for all individuals. As Timm puts it,
“We all have to care about our personal-related data and we have the first principles of prohibition with the reservation of permission. What that means is that to collect or to process personnel-related data, we need a database that records whether we are allowed to use this data. If we are only allowed to collect data for special purpose, we also need to note that and, after the purpose is reached, we have to delete it. Every organisation must ask itself, ‘Is our architecture really able to fulfill GDPR security compliance?’”
Nordisk Film and GDPR
Managing GDPR requires an understanding of how personal-related data flows through an entire organisation, where it’s stored and how it’s being used. The penalties for not doing this can be severe – up to 4% of the annual turnover of a business – so how has a company such as Nordisk Film gone about organising its data?
“We started by looking into each and every data source that we were adding into our central environment,” says Nordisk Film’s Mikkel Hansen. “We then made sure we weren’t taking any information that we didn’t need. But even then, it’s not enough to be compliant with the rights and the documentation – you also need to be compliant with the rule saying that your data needs to be updated. That means we now have to consider if we have the newest information on people in data sources in order to ensure that our system and analysis are up-to-date. Then, since we sometimes have sensitive fields, we’ve had to mask or anonymise these when viewed by certain people.”
As an example of how this works, Nordisk Film often asks its cinema loyalty card holders to fill in a survey about their cinema experience. Their answers about seat comfort, popcorn pricing or picture quality will be stored, along with their loyalty card number and this card’s data on the customer’s identity, address and email.
One of the GDPR issues raised by this is that should a customer specifically ask what their responses are being used for, or requests the right to be forgotten, then Nordisk Film must be able to show through its data documentation that analysis of the survey data doesn’t also reveal a customer’s identity or cinema viewing history.
“What this needs,” says Mikkel, “is a self documenting system that can do an impact analysis. So we will be able to know where data is being used, in what kinds of analysis it’s appeared in and what other systems each user is registered in. In this way, we’re able to say yes, you were in our survey data for such and such and you are also in our loyalty data. In order to do that, we use the documentation features within the Discovery Hub®.”
TimeXtender allows the anonymisation of sensitive fields even when two data sources are merged, as in the case of the unstructured survey data being combined with the structured ERP data of the loyalty card. In this way, analysis is possible while TimeXtender’s auto documentation keeps track of who is using what data for each purpose.
It all goes back to having a vision for data management and the tools to achieve the vision of standardised, legally compliant data storage.
“In order to do these things, you need to have a clear view of your data and have a clear governance on how you use,” says Mikkel.