WhereScape Data Automation for GDPR Compliance

This white paper summarizes how WhereScape® automation software can help your organization deliver key requirements of the General Data Protection Regulation (GDPR). It lays out the key new requirements that GDPR will demand from your business, and describes how WhereScape products can help you ensure they are met to avoid costly penalties. Once the GDPR comes into force on May 25, 2018, there will be a two-tiered sanction system with lesser incidents subject to a maximum fine of either €10 million (£7.9 million) or two percent of an organization’s global turnover (whichever is greater).

GDPR-Compliant Data Warehouse

The European Union (EU) introduced its data protection standard through the Data Protection Directive 95/46/EC in 1995. The directive allowed Member States a lot of flexibility when implementing it into national law, and the EU ended up with many different laws. Since 1995, increased numbers of data security breaches, rapid technological developments, and increased globalization have brought new challenges for the protection of personal data. To address this, the EU developed GDPR in May 2016 to come into effect on May 25th, 2018. It applies to all companies, no matter where their operations are based, that are doing business with EU citizens, and replaces the previous regulation. The UK Government has announced that the regulation will be adopted by the UK, irrespective of Brexit.

The regulation applies to all living EU individuals’ identifiable personal data, regardless of where it is sent, processed or stored. The regulation states that the protection of personal data is one of the “fundamental rights... of natural persons.” 

GDPR was essentially created to stop the misuse of personal data in intrusive, unwanted and/or unapproved marketing activities. Once the regulation comes into force, companies will be required to prove that any data they are holding on anyone is necessary to the running of their business.

Data identification and extraction

  • Identify
  • Extract
  • Collate and centralize

Business process and data management

  • Audit
  • Usage management
  • Minimization

Control and security

  • User access
  • Monitor / Alert
  • Encryption

GDPR Compliance

To ensure GDPR compliance, your organization will need to perform activities that fall into the following categories:

  • Data identification and extraction 
  • Business process and data management 
  • Control and security 

WhereScape 3D and WhereScape RED 

WhereScape 3D is designed to help you easily explore and understand your existing data assets. It is a comprehensive discovery and design tool that is ideal for the early planning stages of your GDPR approach and the ongoing tracking of data across your organization.

WhereScape 3D will enable your organization to identify the scope of your GDPR problem and identify where personal data relating to GDPR resides, providing valuable input to your GDPR roadmap.

WhereScape RED is designed for developing, deploying and operating data warehouse and big data solutions. Agnostic of the underlying platform, WhereScape RED’s automation capabilities can deliver your GDPR-compliant data infrastructure projects faster.

GDPR Compliance with WhereScape

Within every organization, different and disparate data streams make it tough to create an easily auditable view of the data. WhereScape enables you to aggregate that data in one centralized location, and categorize and tag all the data types your company collects. You can then evaluate and explain, if asked, how each type is vital to your business, or delete information that is not GDPR compliant before it results in a financial penalty.

This white paper explains how WhereScape’s data automation technology enables you to be proactive by using WhereScape 3D to discover all data and tag defined elements, such as captured data that contravenes GDPR requirements. It also allows both new and existing customers to be reactive, by looking back through the full data lineage WhereScape creates and pulling together various strands of information to build a profile of a certain customer on request.

WhereScape discovers and catalogs all existing data, flagging any item that is relevant for GDPR consideration. This means you can quickly identify and extract GDPR-sensitive data to a centralized location for further analysis, adjustment and reporting to comply with GDPR.

WhereScape RED will then enable you to extract the data through to a repository from where you can perform critical data analysis, provision the data to data subjects upon request, and measure the success of fixing your data to become GDPR compliant.

Data Extraction 

A key requirement of GDPR will be your ability to locate, aggregate, extract and/or delete personal data on any subject on request. You will also be expected to rectify inaccurate data if required, and/or supply it in a clear and portable report for extraction. Any of these demands must be completed within a month of the original request.

The processing of data regarding racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or data concerning health, sex life or sexual orientation shall be prohibited.

This means you must know what data you have, where it is stored, and ensure it’s in a format that can be accessed quickly. It also means being able to easily adjust, delete or extract the affected data, which might be spread across multiple sources, as required for compliance with GDPR after June 2018. Where data is provided from a third party rather than direct from the data subject, you must provide details of who supplied it.

Defining the scope and scale of your existing problem early will provide critical information for your GDPR roadmap. Leaving this to the last minute may reveal a problem the scale of which cannot be resolved before GDPR comes into play, leaving you open to heavy fines if discovered. You will also need to monitor the impact of becoming GDPR compliant on other systems.

Identification

WhereScape 3D can quickly discover, explore, and profile sources for personal data from any source. It is fully source agnostic, analyzing both enterprise and big data sources. Existing data warehouses can be automatically and retrospectively discovered, profiled and documented once you connect them with WhereScape 3D. The sources can be rapidly assessed, with automatic generation of full documentation. This is particularly critical if your documentation is out of date or incomplete, as such defects can be flagged for your rectification.

Rectification 

WhereScape 3D enables you to analyze source data, providing visibility at the table and column level and identifying and tagging those fields that contain relevant personal data. In cases where the field names are not obvious, or there are fields whose purpose is not understood, inspection and rectification are essential for GDPR compliance. WhereScape 3D can help you assess the impact of changes in source systems throughout your data lifecycle, enabling you to identify the impact of making changes as you become GDPR compliant.

Extraction 

WhereScape RED will ensure you have the data in a readily accessible environment to service the request. Extracting the data from the data structure for presenting to the data subject can be done with readily available tools and interfaces in a standard database environment.

Business Process and Data Management 

Data must be collected for specified, explicit and legitimate purposes. It should be relevant and limited to the precise reason for which it is collected. The data must be processed legally, fairly and with transparency. It must not be processed in an automated manner that profiles the subject and produces legal effects concerning them or similarly significantly affects them.

This is about the minimization of data collected. In the past, small amounts of data collected for relevant business purposes have been used to create a profile based on corresponding assumptions. Such an algorithm can build a personality type, to a surprisingly high degree of accuracy, that can then be marketed to for purposes that sit outside the reasons the original data was collected.

After GDPR comes into play, you will no longer be able to claim ignorance of the automated processes and algorithms employed to process data. Automation has matured, and you must be fully aware of what is being done with specific data strands within your organization that form part of automated processes. In short, a full audit trail is essential, and nuggets of data collected with permission must be kept in isolation, not used as a basis from which to build profiles of their subjects.

As well as helping you to use automated processes to better control how data is gathered and manipulated in the future, WhereScape can alert you to the potentially non-compliant GDPR data you currently have and should address to avoid penalties.

Take Control of Automation

The first step is to use WhereScape 3D to discover exactly which data streams are being fed into automated workflows, and to decide whether you can justify (a) why this data is processed in the first place, and (b) what actions you are then taking on it. For instance, is it being sold to third parties? Is it being used to form the basis of a profile from which you can assume facts or data that haven’t been specifically collected, proven to be true, or given with permission? Both could incur heavy penalties under GDPR rulings.

Label Data Sources 

An internal audit in this way can help you label and profile all data sources, where they come from and how they are being used. Being able to justify why you collect each data flow, and to show that any automated flows it is used in don’t distort or change the purpose for which it was initially stored, will help your organization to answer any GDPR-related inquiries.

User Access Control and Data Security

User access must be controlled, monitoring must be performed, alerts must be provided for breaches, and encryption must be used where appropriate.

You must know who is able to access your data and what they are doing with it. Ignorance is no longer an excuse! It is up to you to control access to and encrypt all data your company holds. If you take the necessary security precautions but your data is still accessed illegally, you must have precautions in place that will alert you of this immediately, so you can prove you are aware of and acting upon the breach in good time.

Most data these days is held on-premises or in cloud storage, of course, but this section of the regulation also applies to portable data sources such as memory sticks, CDs and laptops. Think of the various times when the news has reported laptops containing sensitive information left in the back of taxis!

While human error often cannot be accounted for, the company responsible for the collection and ownership of the data must have a security strategy in place to protect data wherever possible, and ensure these precautions are clearly communicated to staff. For instance, requiring that a work laptop password be changed every month.

Identify Relevant Data and Systems 

WhereScape 3D can help by performing a retrospective audit to ensure uniform, rigorous measures are in place to protect data and avoid future fines.

Build Secure Data Ecosystems 

WhereScape RED can rapidly build data marts and warehouses that comply with the security demands of GDPR. Automated code generation to strict best practices ensures data structures are secure, with controlled user access and alerts in case a breach should occur.