May 2020 marks two years since GDPR was introduced. During this period companies went to great lengths to revise and adjust their data policies. Still, some uncertainty loomed over what full compliance means, and the very phrase "personal data processing" made the hair on the back of everyone's neck stand up.
But GDPR was made to protect people from unlawful use of their data; personal data processing is not unlawful if it is done the right way. This is the lesson that Andrey Mostovykh, Senior Data Architect at Telenor Digital, a division of Telenor, one of the world's largest mobile telecommunications companies, taught us at the Data Innovation Summit 2019. Andrey presented Telenor's practical approach to GDPR: the lessons learned, the revisions to their data processes, and the tools they used.
Because Telenor Digital provides services such as the data lake, digital identity, digital marketing tools and permissions management to the rest of the organisation, it took steps to make its GDPR compliance spotless, using a privacy protection tool built in-house.
What happened when GDPR came into force
When Telenor Digital was first faced with GDPR, it became clear to them that they had to understand their personal data processing better and gain precise control over what they were doing with their data, recounts Andrey.
The first step was to list all data processing activities and understand the legal basis for each, for which they needed to define a list of use cases. What at first sight seemed like a small list that could be kept in a spreadsheet grew into a maze of tables and a complex subject matter that could be interpreted only with the help of a legal expert. Additionally, the number of Telenor Digital's use cases proved to be much higher than they initially anticipated: more than 400 use cases and more than 100 data categories used over 2,000 times, and this is in only one business unit of Telenor, states Andrey.
A self-service data mapping tool
The data mapping exercise left Telenor Digital gasping for air and short of the legal help it needed. The solution was to automate the process, but there was no tool on the market that could satisfy their needs. They decided to roll up their sleeves and develop their own self-service data mapping tool, which let data users enter information about their use cases themselves.
The data mapping tool had the GDPR rules encoded in its logic and automatically gave Telenor Digital insight into its processing records: flagging a missing data processing agreement, showing the security measures and legal basis for each use case, and so on.
As Andrey points out, this data mapping tool helped Telenor Digital understand where and how they processed data. But for use cases that required managing consents and objections, a different approach was needed, because this is a sensitive aspect of customer interaction.
Telenor Digital’s Permissions management tool
Unable to find a permissions management tool with a good user experience, Telenor Digital again opted to develop one. The Permissions Management service they created consists of 4 parts:
- Privacy tour – explaining how and where they process personal data
- Permissions management – containing a list of consents and objections for personal data processing which users can toggle on and off
- Data subject rights – containing request forms to delete user data, get an export of their data, get information on data processing, rectify information, etc.
- Legal documents – containing terms and conditions and privacy notices.
Deciding to create a custom-made tool gave Telenor Digital some unique built-in capabilities, Andrey mentions. The most notable one is A/B testing, which helped them understand how moving a single word to a different place in a sentence has a huge impact, given the short attention span of users online. Another benefit is multichannel support: the web application is built on responsive design principles, so it can be used on mobile or desktop, and other channels can reach it via APIs.
A distributed system for data processing
When a user switches off a permission in the permissions management tool, that decision has to be respected across the whole Telenor organisation. But as a heavily geographically spread organisation, they could not rely on the kind of centralised data processing system other companies use.
They implemented a distributed system with different modes of checking personal data permissions:
- Single checks, e.g. whether a user has agreed to session tracing for product improvement – based on an API call made before tracing starts.
- Bulk checks that can tolerate latency, e.g. which users have agreed to marketing – based on a decision dump that is joined with the marketing audience to filter out the people who objected to personalised marketing.
- Latency-sensitive or extremely bulky checks – based on a local cache updated in real time from a changes queue in the permissions management system. Every decision made in permissions management is published to a message queue, from which each local cache updates itself in real time.
The modes above cover single checks and batch processing; for real-time processing they built a stream filter based on Kafka Streams that reads one source topic of data that can serve multiple use cases. By checking each use case against permissions management, the filter emits several clean streams, each suitable for processing for one purpose, explains Andrey.
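The following is an added example, not Telenor Digital's code, that simulates the three check modes and the stream filter in one process. The purposes, user identifiers, events and the in-memory change log standing in for the message queue are all constructed for illustration; the point is how the same set of decisions is served by an API call, a dump joined with an audience, and a processor-local cache that follows the change log, and how the consent versus objection default differs.

```python
from typing import Dict, Iterable, List, Tuple

# Purposes and their defaults (constructed for this example). Consent-based
# purposes are denied until the user opts in; objection-based purposes are
# allowed until the user objects. Getting this default wrong in either
# direction is the classic bug in a permissions check.
PURPOSE_DEFAULTS: Dict[str, bool] = {
    "session_tracing": False,
    "personalised_marketing": True,
}

Key = Tuple[str, str]  # (user_id, purpose)


class PermissionService:
    """Authoritative store of consents and objections. Every decision is
    appended to an ordered change log (stand-in for the message queue), which
    downstream caches follow at their own offset."""

    def __init__(self) -> None:
        self._decisions: Dict[Key, bool] = {}
        self.change_log: List[Tuple[str, str, bool]] = []

    def set_decision(self, user_id: str, purpose: str, allowed: bool) -> None:
        if purpose not in PURPOSE_DEFAULTS:
            raise ValueError(f"unknown purpose {purpose!r}")
        self._decisions[(user_id, purpose)] = allowed
        self.change_log.append((user_id, purpose, allowed))

    # Mode 1: single check, called over the API right before processing starts.
    def is_allowed(self, user_id: str, purpose: str) -> bool:
        return self._decisions.get((user_id, purpose), PURPOSE_DEFAULTS[purpose])

    # Mode 2: decision dump of the explicit decisions recorded for one purpose.
    def dump(self, purpose: str) -> Dict[str, bool]:
        return {u: a for (u, p), a in self._decisions.items() if p == purpose}


def filter_audience(audience: Iterable[str], purpose: str, dump: Dict[str, bool]) -> List[str]:
    """Mode 2: join an audience with a decision dump and keep only the users
    for whom the purpose is allowed. A latency-tolerant batch job."""
    return [u for u in audience if dump.get(u, PURPOSE_DEFAULTS[purpose])]


class LocalCache:
    """Mode 3: a processor-local copy of the decisions for latency-sensitive
    or very bulky checks, kept current by reading the change log from its
    last offset. Until sync() runs, the cache is stale by design."""

    def __init__(self, service: PermissionService) -> None:
        self._service = service
        self._decisions: Dict[Key, bool] = {}
        self._offset = 0

    def sync(self) -> int:
        """Apply all changes published since the last sync; returns how many."""
        new = self._service.change_log[self._offset:]
        for user_id, purpose, allowed in new:
            self._decisions[(user_id, purpose)] = allowed
        self._offset += len(new)
        return len(new)

    def is_allowed(self, user_id: str, purpose: str) -> bool:
        return self._decisions.get((user_id, purpose), PURPOSE_DEFAULTS[purpose])


def split_stream(events: Iterable[dict], purposes: Iterable[str], cache: LocalCache) -> Dict[str, List[dict]]:
    """Stream filter: read one source topic once and emit a clean stream per
    purpose, each containing only events the user permits for that purpose."""
    purposes = list(purposes)
    clean: Dict[str, List[dict]] = {p: [] for p in purposes}
    for event in events:
        for purpose in purposes:
            if cache.is_allowed(event["user_id"], purpose):
                clean[purpose].append(event)
    return clean


def demo() -> Dict[str, object]:
    """Run all modes over a constructed set of users and decisions."""
    svc = PermissionService()
    cache = LocalCache(svc)
    svc.set_decision("u1", "session_tracing", True)
    svc.set_decision("u2", "personalised_marketing", False)  # u2 objects
    cache.sync()

    marketing = filter_audience(["u1", "u2", "u3"], "personalised_marketing",
                                svc.dump("personalised_marketing"))

    # u2 withdraws the objection; the cache only sees it after syncing.
    svc.set_decision("u2", "personalised_marketing", True)
    before = cache.is_allowed("u2", "personalised_marketing")
    cache.sync()
    after = cache.is_allowed("u2", "personalised_marketing")

    events = [{"user_id": u, "page": p} for u, p in (("u1", "/a"), ("u2", "/b"), ("u3", "/c"))]
    streams = split_stream(events, PURPOSE_DEFAULTS, cache)
    return {
        "single_check_u3_tracing": svc.is_allowed("u3", "session_tracing"),
        "marketing_audience": marketing,
        "cache_before_sync": before,
        "cache_after_sync": after,
        "tracing_stream_users": [e["user_id"] for e in streams["session_tracing"]],
        "marketing_stream_users": [e["user_id"] for e in streams["personalised_marketing"]],
    }
```

The stale-cache window between a decision and the next sync is the trade-off of mode 3: it buys latency and throughput at the cost of a short delay before a withdrawn consent or a new objection takes effect, so a real deployment bounds that delay and falls back to the API (mode 1) for anything that must be exact.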
Reality check challenges and solutions
However, when they deployed the permissions management tool, Andrey mentions that they came across a challenge they had not accounted for. Having based their service on the digital customer identity dubbed "Connect ID", they discovered that other systems were using identifiers different from the ones used in permissions management. Yet all of these systems had to respect the permissions and objections that customers defined in permissions management.
To distribute permissions collected under a single identifier in permissions management to all systems, Telenor Digital created a Master Data Management system, ID Map. It collects links between the different identifiers and translates the identifier under which a permission was granted into the identifier that a given data processor understands.
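As an added example (not Telenor Digital's ID Map), the snippet below shows the identifier-translation step and the two failure modes a practitioner has to decide on: an identifier the map cannot resolve, and a local identifier that would end up linked to two different people. The system names, identifiers and purposes are constructed; decisions are keyed by Connect ID, as on the page.

```python
from typing import Dict, Optional, Tuple

Decisions = Dict[Tuple[str, str], bool]  # (connect_id, purpose) -> allowed


class IdMap:
    """Master data for identifiers: every link ties a system-local identifier
    to the canonical Connect ID, stored in both directions for lookups."""

    def __init__(self) -> None:
        self._to_connect: Dict[Tuple[str, str], str] = {}    # (system, local_id) -> connect_id
        self._from_connect: Dict[Tuple[str, str], str] = {}  # (connect_id, system) -> local_id

    def link(self, connect_id: str, system: str, local_id: str) -> None:
        owner = self._to_connect.get((system, local_id))
        if owner is not None and owner != connect_id:
            # One local identifier pointing at two people would apply one
            # person's objection to another, or miss it. Refuse the link.
            raise ValueError(f"{system}:{local_id} is already linked to {owner}")
        self._to_connect[(system, local_id)] = connect_id
        self._from_connect[(connect_id, system)] = local_id

    def to_connect_id(self, system: str, local_id: str) -> Optional[str]:
        return self._to_connect.get((system, local_id))

    def local_id_for(self, connect_id: str, system: str) -> Optional[str]:
        return self._from_connect.get((connect_id, system))

    def translate(self, from_system: str, local_id: str, to_system: str) -> Optional[str]:
        """Translate an identifier from one system into the one another system
        understands, going via the Connect ID. None when no link exists."""
        connect_id = self.to_connect_id(from_system, local_id)
        if connect_id is None:
            return None
        return self.local_id_for(connect_id, to_system)


def distribute(decisions: Decisions, purpose: str, idmap: IdMap, system: str) -> Dict[str, bool]:
    """Re-key the decisions for one purpose onto the identifiers one processor
    understands. People that system has no identifier for are skipped: it
    cannot be processing them under any identifier it knows."""
    out: Dict[str, bool] = {}
    for (connect_id, p), allowed in decisions.items():
        if p != purpose:
            continue
        local_id = idmap.local_id_for(connect_id, system)
        if local_id is not None:
            out[local_id] = allowed
    return out


def is_allowed(decisions: Decisions, purpose: str, default: bool,
               idmap: IdMap, system: str, local_id: str) -> bool:
    """Check from the processor's side. An identifier the ID Map cannot
    resolve is treated as a denial: if you cannot look the person up, you
    cannot know whether they objected."""
    connect_id = idmap.to_connect_id(system, local_id)
    if connect_id is None:
        return False
    return decisions.get((connect_id, purpose), default)


def demo() -> Dict[str, object]:
    idmap = IdMap()
    idmap.link("connect-1", "crm", "crm-100")
    idmap.link("connect-1", "marketing", "mk-7")
    idmap.link("connect-2", "crm", "crm-200")  # connect-2 is unknown to marketing
    decisions: Decisions = {
        ("connect-1", "personalised_marketing"): False,  # objected
        ("connect-2", "session_tracing"): True,
    }
    return {
        "crm_to_marketing": idmap.translate("crm", "crm-100", "marketing"),
        "unlinked": idmap.translate("crm", "crm-200", "marketing"),
        "marketing_view": distribute(decisions, "personalised_marketing", idmap, "marketing"),
        # personalised marketing is objection-based here, so the default is True
        "mk7_marketing": is_allowed(decisions, "personalised_marketing", True, idmap, "marketing", "mk-7"),
        "unknown_id": is_allowed(decisions, "personalised_marketing", True, idmap, "marketing", "mk-99"),
    }
```

Whether an unresolvable identifier should fail closed, as here, or be handled some other way is a policy decision; the example fails closed because the permissions model on the page includes objections, and an unresolved identifier is exactly the case where an objection could be silently lost.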
Data subject rights requests
Data subject rights requests are petitions that a customer submits to a company to get access to, amend or delete the personal data the company holds on them.
Andrey points out that the initial tool they used for data subject rights requests was a simple form with one button per type of request. It proved extremely inefficient: customers clicked all the buttons impetuously out of curiosity, and as the forms had no lock, Telenor Digital ended up with as many as 21 submissions from one person for a single request. Their illusion that they could process data subject rights requests manually burst like a bubble.
To fix the chaos, they first introduced a lock that rejects additional requests while a person already has one request open.
The initial volume of about 5 requests per year per country grew to hundreds of requests per month, which left data engineers with tons of manual work on data deletion and exports. It very quickly became evident to Telenor Digital that the only solution for data requests is automation. Today most of Telenor Digital's data request processing is fully automated, with the exception of the initial contact by customer care to confirm that the customer truly wants all their data deleted and whether that means just their history or their whole account. In addition, they improved the user interface so that users better understand the different requests and their outcomes.
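The following is an added example, not Telenor Digital's request tooling, of the two controls described above: the per-subject lock that turns 21 impatient clicks into one request, and the automation gate that runs every request type without human involvement except deletions, which wait until customer care has confirmed the scope. Request types, states and identifiers are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class RequestType(Enum):
    ACCESS = "access"
    EXPORT = "export"
    RECTIFY = "rectify"
    DELETE = "delete"


class State(Enum):
    OPEN = "open"                        # submitted, will be automated
    AWAITING_CONFIRMATION = "awaiting"   # deletion: customer care confirms scope first
    CONFIRMED = "confirmed"
    DONE = "done"


@dataclass
class Request:
    id: str
    subject_id: str
    type: RequestType
    state: State
    scope: Optional[str] = None  # deletions only: "history" or "account"


Handler = Callable[[Request], None]


class DsrService:
    def __init__(self) -> None:
        self._requests: Dict[str, Request] = {}
        self._open: Dict[str, str] = {}  # subject_id -> id of their in-flight request
        self._seq = 0

    def submit(self, subject_id: str, rtype: RequestType) -> Tuple[bool, str]:
        """The lock: one in-flight request per subject. A repeated click returns
        (False, existing_id) instead of creating another request."""
        if subject_id in self._open:
            return False, self._open[subject_id]
        self._seq += 1
        rid = f"req-{self._seq}"
        state = State.AWAITING_CONFIRMATION if rtype is RequestType.DELETE else State.OPEN
        self._requests[rid] = Request(rid, subject_id, rtype, state)
        self._open[subject_id] = rid
        return True, rid

    def confirm_deletion(self, rid: str, scope: str) -> None:
        """Recorded by customer care after contacting the customer."""
        req = self._requests[rid]
        if req.state is not State.AWAITING_CONFIRMATION or scope not in ("history", "account"):
            raise ValueError(f"{rid}: nothing to confirm or invalid scope {scope!r}")
        req.scope = scope
        req.state = State.CONFIRMED

    def process(self, handlers: Dict[RequestType, Handler]) -> List[str]:
        """Automation: run the handler for every request that is ready (anything
        OPEN, deletions once CONFIRMED), mark it DONE and release the lock."""
        done: List[str] = []
        for req in self._requests.values():
            if req.state in (State.OPEN, State.CONFIRMED):
                handlers[req.type](req)
                req.state = State.DONE
                self._open.pop(req.subject_id, None)
                done.append(req.id)
        return done

    def state_of(self, rid: str) -> State:
        return self._requests[rid].state


def demo() -> Dict[str, object]:
    svc = DsrService()
    log: List[str] = []  # stand-in for the real export/deletion jobs
    handlers: Dict[RequestType, Handler] = {
        t: (lambda r, t=t: log.append(f"{t.value}:{r.subject_id}:{r.scope}")) for t in RequestType
    }
    # 21 impatient clicks on "delete my data": only the first creates a request.
    results = [svc.submit("s1", RequestType.DELETE) for _ in range(21)]
    rid = results[0][1]
    ran_before = svc.process(handlers)          # nothing runs before confirmation
    svc.confirm_deletion(rid, "history")
    ran_after = svc.process(handlers)
    ok2, _ = svc.submit("s1", RequestType.EXPORT)  # lock released, no human step needed
    svc.process(handlers)
    return {
        "accepted": sum(1 for ok, _ in results if ok),
        "distinct_ids": len({r for _, r in results}),
        "ran_before": ran_before,
        "ran_after": ran_after,
        "second_accepted": ok2,
        "log": log,
    }
```

Returning the existing request id on a locked submit, rather than an error, is deliberate: the user's repeated clicks are then idempotent and the interface can show them the request they already have instead of a refusal.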