The General Data Protection Regulation (GDPR) can be hard to understand. For customer data compliance professionals, Tableau GDPR compliance can appear overwhelming and complex to the uninitiated. Yet, unfortunately, it has become essential to ensure diligent compliance.
We all know that GDPR applies to businesses handling the personal data of European citizens. It requires transparent data practices, robust security, and strict consent processes. As a data visualization tool, Tableau can be valuable for deciphering GDPR complexities in your customer data.
Vital Elements of Tableau GDPR Compliance
So, what are the critical parts of GDPR? They are:
- Strengthened Privacy Rights of Individuals
- Increased Responsibility of Protection for Personal Data For Companies
- Mandatory Reporting for Breaches of Personal Data
- Rules for Transfer of Personal Data Outside of the EU
- Right to Request the Removal of Personal Data
GDPR Penalties and Navigating the Tableau GDPR Compliance Landscape
The core value of GDPR is to empower individuals by giving them control over their data. This rightfully pushes companies to rethink their customer data-handling strategies. It also encourages them to safeguard individuals’ privacy actively, however costly. From consent management to data breach notifications, GDPR presents companies with a demanding yet necessary compliance framework.
The implications of non-compliance can be pretty significant for a company, and if enforced, will cost them dearly:
Non-compliance with GDPR can lead to astronomical penalties. This is a real threat to businesses, with fines reaching up to 4% of annual global turnover or about €20 million.
Financial fallout coupled with reputational damage can cripple even the most established entities. This risk can be mitigated with Tableau GDPR compliance.
The Crucial Connection: Customer Data Handling and Visualization
Data management challenges in achieving GDPR compliance can be complex but are achievable with the right tools, such as Tableau.
Tableau can convert complex customer datasets into simple visual narratives. It can untangle customer and marketing data and also aid in identifying areas of potential GDPR non-compliance. For example, using Tableau, your company’s compliance analysts can quickly identify names, addresses, phone numbers and emails in different data sets. They can ensure these data sets are flagged appropriately for GDPR compliance.
Risk of GDPR Non-Compliance When Using Tableau
Tableau is a fantastic data analytics tool in which data analysts and end users can quickly connect to data sources and gain swift data insights. However, when viewed through a GDPR lens, we see issues with this method. If Tableau users connect to data sources, replicate data sources as extracts, and generally share personal data in dashboards internally or externally, this would be against the principles of GDPR.
Examples of Identifying High-Risk Personal Identifiable Data For GDPR
Personally identifiable data is of primary concern for GDPR. This is the customer data, which is at the crux of GDPR. When creating Tableau dashboards and visualizations, consider the following:
- Primary Identifiers: Names, addresses, phone numbers, email addresses, social media handles, and IP addresses.
- Biographical Information: Birthdates, ages, gender, marital status, and nationality.
- Financial Information: Bank account numbers, credit card numbers, income information, and financial transactions.
- Health Information: Medical history, health records, and information about disabilities.
- Location Data: GPS data, location history, and geolocation information.
- Online Identifiers: Cookies, device IDs, and other online tracking data can be used to identify an individual’s online activities.
- Biometric Data: Fingerprints, facial recognition data, and other biometric identifiers. It is not so relevant to Tableau as it is not tabular data.
- Employment Information: Job titles, employment history, and work-related contact information.
- Cultural or Social Information: Preferences, interests, affiliations, and memberships.
- Photos and Videos: Visual representations that can identify individuals. Again, it is not so relevant to Tableau as it is not tabular data.
Given that Tableau uses tabular data, we can ignore biometric data, videos, photos, etc.
Where is Personally Identifiable Data Stored While Using Tableau?
Different methods of connecting to data sources in Tableau will yield different outcomes in terms of GDPR. Below are some of the possibilities to consider.
Connecting to Data Sources Using Live Connections with Tableau
Data sources (e.g. files, databases) to which Tableau connects live may all contain personal data subject to the GDPR. When Tableau connects directly to your data source using a live connection, the data has not moved anywhere: Tableau references the data source in another location rather than storing it. Your company is responsible for identifying personal data within your company data sources. Even though the data is not moved, we should consider the access to the data via the live connection. For example, the dashboard with live data connections should only be accessed by those authorised to access the underlying data. When a live link is in a local Tableau dashboard, the user is prompted to enter the user name and password.
When the Tableau dashboard is deployed to the Tableau server, the database credentials are embedded in the dashboard. If a user were to look at the dashboard with the embedded connection, they would see all of the data that they can see in the data source. Now, given the user can access all data through the dashboard, they may be able to extract personally identifiable data through the dashboards themselves. They can download the data as an image, data, crosstab, PDF, PowerPoint or Tableau workbooks.
We cannot have users downloading personal data as this may contribute to the risk of a data breach. Luckily, Tableau has a robust permissions framework in which the permissions can be controlled at a user and role level.
We can prevent users from downloading personal data from connected dashboards via live data sources.
Extracting Data with Tableau Data Extracts
Analysts often use Tableau data extracts, which are more performant and optimized than directly connecting to data sources.
If your company chooses to extract data from a data source into a Tableau format, then that customer data will also reside in a Tableau data extract (.hyper or .tde file) on either the local version (Tableau Desktop) or in the cloud solutions (Tableau Server, Tableau Online, or Tableau Public). You should not put customer data publicly on Tableau, as it will be publicly accessible. That would not be good.
For Tableau Online, where the extract is located is determined by the hosting region you select for your Tableau Online site. So, if you want to support multiple areas, you’ll need various locations for the setup.
For the Tableau server, where the extract is located will depend on the physical location of your Tableau server.
Tableau Product and Intermediary Data Outputs
Tableau Prep can produce Tableau data extract files (.hyper or .tde) or comma-separated value (.csv) files as output. If the data source in a flow contains personal data, these output files may also contain personally identifiable data. Also note that Tableau packaged workbook (.twbx), Tableau packaged data source (.tdsx), and Tableau Prep packaged flow (.tflx) files can contain copies of file-based data sources and extract files that may contain personal data. Care must be taken over where these output files are saved. Generally, these will exist as a byproduct of analyst work. Depending on your organization’s infrastructure, these could live locally (e.g. analyst laptops) or in the cloud (shared file system, desktop on demand, etc.). When an analyst finishes a project, care should be taken to clean up any extracts to minimise data leakage risks.
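A read-only inventory of the output files listed above, as an added example that is not from the original article or from Tableau. It relies on the packaged formats (.twbx, .tdsx, .tflx) being zip archives; the folder layout, file names and the internal `Data/Extracts/` path are constructed for the demonstration.

```python
import tempfile
import zipfile
from pathlib import Path

# File types named in the section above.
DATA_FILES = {".hyper", ".tde", ".csv"}        # hold rows directly
PACKAGED_FILES = {".twbx", ".tdsx", ".tflx"}   # zip archives that can embed data files

def embedded_data(package: Path) -> list:
    """List data files bundled inside a packaged workbook, data source or flow."""
    try:
        with zipfile.ZipFile(package) as archive:
            return sorted(n for n in archive.namelist()
                          if Path(n).suffix.lower() in DATA_FILES)
    except zipfile.BadZipFile:
        return ["unreadable package, review manually"]

def inventory(root: Path) -> dict:
    """Map each file under root that may hold personal data to what was found."""
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        name, suffix = path.relative_to(root).as_posix(), path.suffix.lower()
        if suffix in DATA_FILES:
            findings[name] = ["standalone data file"]
        elif suffix in PACKAGED_FILES and (inner := embedded_data(path)):
            findings[name] = inner
    return findings

def build_demo_tree(root: Path) -> None:
    """Constructed sample project folder; file contents are placeholders."""
    (root / "churn").mkdir()
    (root / "churn" / "customers.csv").write_text("name,email\n")
    (root / "churn" / "notes.txt").write_text("no data here\n")
    with zipfile.ZipFile(root / "churn" / "report.twbx", "w") as z:
        z.writestr("report.twb", "<workbook/>")
        z.writestr("Data/Extracts/customers.hyper", b"placeholder")
    with zipfile.ZipFile(root / "churn" / "layout_only.twbx", "w") as z:
        z.writestr("layout_only.twb", "<workbook/>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(Path(tmp))
        for name, found in inventory(Path(tmp)).items():
            print(name, "->", ", ".join(found))
```

The scan only lists candidates; whether a listed file actually holds personal data, and whether it is deleted or moved, remains a decision for the data owner.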
Data Caching with Tableau Products
Tableau Desktop, Tableau Server, Tableau Online, and Tableau Public also employ data caching techniques to optimize performance. These caches temporarily store data from data source queries in memory or disk. Tableau Desktop stores cached results in the workbook (.twb) and packaged workbook (.twbx) files and in a query cache. Tableau Desktop users can clear this query cache. Tableau Server administrators have some control of this caching behaviour and the ability to clear the cache. For Tableau Desktop, Tableau Server, Tableau Online, and Tableau Public, you are the controller of personal data found in your data sources. For Tableau Online and Tableau Public, Tableau is the processor of this personal data.
Other Personally Identifiable Data in Tableau User Accounts
Tableau Server, Tableau Online, and Tableau Public user accounts also contain personal data subject to GDPR. This data includes name, email address, location, and IP address and is stored in an internal PostgreSQL database.
How to Use Tableau to Help with GDPR Best Practices
Tableau and Tracking Customer Consent
Establishing granular consent tracking through visual insights: Tableau’s dashboards can visualize consent patterns. They can help track who has consented to what type of data usage. This nuanced understanding ensures alignment with GDPR’s consent prerequisites. A dashboard showing granular consent tracking also shows your commitment to GDPR if you are subject to an audit.
Minimizing Data Exposure with Tableau
Reducing personally identifiable information (PII) exposure is also crucial to GDPR. Visualizing the data subsets that contain personally identifiable information can help reduce that exposure. Organizations can then assess the scope of PII exposure. Tableau’s visualizations can aid in curating data presentations that exclude sensitive information while retaining relevance.
Dynamic anonymization techniques in data presentation are also a great tool. Tableau can make the data anonymous. This allows analysts to interact with information without accessing sensitive details directly. This not only safeguards privacy but also expedites the analysis process.
One solution is to create anonymized columns in the database. For example, name, address, etc., could all have an anonymised counterpart.
When connecting to the data source from the dashboard, we only select the anonymised columns using custom SQL. We do this so that the data is anonymised without losing its underlying meaning. While not seeing human-readable names, users can still see the relationships in the data. This method also ensures data is not replicated in data extracts and minimizes the risk of data breaches.
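One way to build the anonymised counterpart columns and the custom SQL described above, as an added example that is not from the original article or from Tableau. A keyed hash (HMAC-SHA256) fills `name_anon` and `email_anon`; the table layout, column names, key and sample rows are constructed, and SQLite stands in for the company database.

```python
import hashlib
import hmac
import sqlite3

# Assumption: in production the key comes from a secrets manager, never from source code.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

def pseudonymise(value: str) -> str:
    """Keyed hash: the same input always gives the same token, so joins still work."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()[:16]

# Hypothetical custom SQL for the Tableau connection: anonymised columns only.
TABLEAU_CUSTOM_SQL = """
    SELECT c.name_anon, c.email_anon, c.country, o.order_total
    FROM customers AS c JOIN orders AS o ON o.customer_id = c.id
"""

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the company data source."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                                country TEXT, name_anon TEXT, email_anon TEXT);
        CREATE TABLE orders (customer_id INTEGER, order_total REAL);
    """)
    people = [(1, "Ada Example", "ada@example.com", "IE"),
              (2, "Bob Sample", "bob@example.com", "DE")]
    for cid, name, email, country in people:
        db.execute("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)",
                   (cid, name, email, country, pseudonymise(name), pseudonymise(email)))
    db.executemany("INSERT INTO orders VALUES (?, ?)", [(1, 20.0), (1, 35.5), (2, 12.0)])
    return db

def dashboard_rows(db: sqlite3.Connection) -> list:
    """What the dashboard, and any extract built from it, would receive."""
    return db.execute(TABLEAU_CUSTOM_SQL).fetchall()

if __name__ == "__main__":
    for row in dashboard_rows(build_demo_db()):
        print(row)
```

Anyone holding the key can link a token back to a person, so keep the key outside the analytics environment and restrict access to the original columns in the database itself.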
Monitoring and Auditing Using Tableau
Real-time dashboards are a critical part of GDPR. Tableau’s real-time monitoring capabilities provide a continuous pulse on data access patterns. This enables the timely identification of GDPR infractions.
Visual representations of data can succinctly exhibit compliance measures. The data handling procedures and breach response plans can be readily displayed. This expedites the audit process while demonstrating a commitment to transparency.
Again, it is better to constantly manage risk with specific GDPR-focused dashboards than to consider this in hindsight after a data breach.
Creating Privacy-Centric Data Culture with Tableau
Fostering awareness and accountability among data handlers is helpful. Tableau’s intuitive visualizations can serve as training tools for this. They acquaint employees with GDPR’s nuances, cultivating a privacy-centric mindset.
Utilizing dashboards for communication of privacy standards goes along with this. Privacy policies and compliance standards are better absorbed when translated into visual dashboards. Tableau aids in simplifying the communication of complex privacy guidelines.
Future-proofing Compliance Efforts with Tableau
Evolving GDPR and the role of visualization can be hard to keep up with. As GDPR develops, embracing advanced visualization tools becomes pivotal. The dynamic nature of compliance needs tools that can quickly adapt to new requirements.
Anticipating challenges and adapting to advanced data tools is the way forward. Challenges in data privacy are bound to persist. Tableau’s capacity to integrate with evolving data technologies is of great benefit, positioning organizations not just to meet but to exceed future compliance expectations.