As GDPR Looms, Trusting in a Trust for Data Analytics and Protection

The deadline for compliance with the European General Data Protection Regulation framework is fast approaching.  Many companies aren’t ready yet. To get up to speed, and get data in place – in anonymized fashion – IBM and Mastercard have created Truata, a data trust.  CEO Felix Marx tells PYMNTS’ Karen Webster why companies should trust in the trust.

The European General Data Protection Regulation (GDPR) framework looms, with a deadline of May 25, 2018.

And it’s been reported that much of Europe isn’t ready. Big data application provider Solix, for example, said earlier this year that two-thirds of firms are not sure if individuals’ personal information has been cleansed from their systems. And just 43 percent of firms have defined processes in place that would allow for deletion of records. Fines of as much as 4 percent of global turnover – or 20 million euros – will accrue if they don’t get such methods in place.

As an Englishman wrote hundreds of years ago: The readiness is all. Data, after all, is oil: like that black gold, it keeps commerce flowing in the digital economy. Data helps companies understand customers and change their go-to-market strategies to meet their buying habits. The data, then, serves as a signpost to higher sales and profit. Data needs protection, however, a key desire of consumers who may be wary and weary of aggressive marketing. There’s a reason, after all, why ad blockers exist.

Thus, against this backdrop, the announcement came this past week that Mastercard and IBM have partnered and formed a trust – Truata – that allows for analytics of, and protection of, data in compliance with GDPR. Think of it as outsourcing data analytics, to at least ensure that the data is in compliance.

In an interview with PYMNTS’ Karen Webster, Felix Marx, the CEO of Truata, said the trust is structured to be independent of customers and other stakeholders in the way personal data is managed.

With only nine weeks to go, he said that large and medium-sized companies started working only a few months ago (some as recently as three months ago) to get ready for the GDPR deadline. Marx pointed out that Morgan Stanley has predicted that by the end of 2018, 50 percent of companies impacted or affected by GDPR will not be compliant.

“We see immediate need for some entity or an organization like Truata,” he said, especially since the framework applies to all companies working within the European Union.

Marx told Webster that the regulation itself raises the bar on what is currently classified as anonymized data. That means just putting in place additional security measures is not sufficient to ensure compliance, leading IBM and Mastercard to establish this data trust.

The trust uses IBM technology and services spanning cloud and cognitive computing, and also leverages IBM anonymization technology.

For example, a Truata client – in this case, an online merchant – takes a customer list, de-identifies it in a way that can be known only to that client, and passes it to Truata.

That de-identified data is tokenized and stored with the trust, which tokenizes it once again and stores the data in its own vaults.

Marx stated that customers of the trust can expect different deliverables from Truata.

“A company can task Truata to do complete analytical reporting … you can use an analytical front end or analytics tools from Truata to do the analytics yourself on an interface that we provide.”

Or, with another option, said the CEO, clients can request model codes or algorithms, which can then be used with that client’s own analytics tools.

The initial reaction might be that moving data outside the perimeter of a firm – and into a central repository – might put that data at risk. Or, at the very least, there’s the chance of commercialization. Neither is particularly appetizing for companies or their consumers.

The data transference into the trust takes place with security in mind – as well as conformance with Article 29 Working Party guidelines, which help to govern data protection.

Amid a regulatory landscape that is only getting stricter, Marx emphasized to Webster that there is no commingling of data – and that clients are unable to conduct analytics based on the totality of data held by the trust. The anonymized data remains in the vault and firms can conduct queries on it. And the trust operates in a B2B capacity, he told Webster, stating that “we are not a consumer-facing entity.”

Marx was quick to emphasize that it is up to the individual companies and stakeholders in the ecosystem to ensure they are compliant with GDPR – working with the trust does not ensure compliance once the data and analytics are passed on from Truata to those clients.

Mastercard is the first client of the trust, though Marx noted that interest – admittedly early in the game – is coming primarily from mid-sized and larger firms, across all verticals.

“We are offering the methodology, the technology and the analytical tools to deliver GDPR-compliant results,” he told Webster.