MDMs Do Not Solve Personal Data Privacy

<- Back to all Blogs
7 min Read  |  Published: Thu Sep 17 2020
Ever since the launch of the GDPR on May 25th 2018, Personal Data has become the world’s most important dataset – the same will be true of the world tomorrow. This generation’s legacy must have its foundations in the individual’s right to Privacy. As technologists, users and consumers, we understand the value of the services afforded to us – the importance of Big Data analytics carried out by businesses, governments and organizations. However, when we pause to ask ourselves whether or not we truly trust these entities with our personal data, the consensus is, and will continue to be, a resounding ‘no’. Statistics such as the following do little to ease concerns: in the years following 2013, approximately 4 million personal records have been breached every day, and in 2019 alone 15.1 billion records of personal data were exposed. This phenomenon continues to worsen and companies must stop to think how to prevent further damage of public trust.

Countries are implementing sweeping regulatory changes and companies find themselves facing both local and extra-territorial Data Privacy laws: as of two weeks ago, Ireland mandated Facebook to cease the shipping of its data back to the US. Europe’s GDPR, California’s CCPA and Brazil’s LGPD have shown themselves to be leaders of this pack. And yet as the number of global regulations grows continuously month-on-month, medium and large organisations will find themselves having to comply not just with one, but with all of these regulations. So how should businesses approach this complexity? First, we need to discuss the Pillars of Data.

Pillars of Data

The following diagram showcases some of the data systems and processes that exist within an organisation.

Customer data is collected across numerous customer touchpoints, both overtly and covertly. This data is processed by a multitude of systems, whether they be Identity Access Management Systems (IAM), Know Your Customer (KYC) processes, Anti Money Laundering (AML) processing, or the inevitable Billing, Marketing, Customer Relationship Management (CRM), Master Data Management (MDMs), and Customer DBs. Some of these systems will be built in-house, some may be outsourced. Data moves in and out of these systems constantly and companies will have multiple software services, including BI & Machine Learning platforms that will source data from these systems, often copying data to local systems in order to perform their tasks. The complexity of data processes is clear to see. When expanding the view across each and every 3rd party service that a business may engage with, the complexity grows and becomes extremely challenging at scale. Pre-regulation, organizations of all types were able to operate freely and with zero oversight and little concern. This is no longer the case and Regulators both local and overseas demand that organisations of all sizes rethink their use of Personal Data.

So how do organizations solve compliance with Privacy Regulations, improve Customer Experiences, automate processes to ensure correct and compliant Data Processing, safe in the knowledge that they can evidence the immutable proof of compliance across an ever-changing global landscape?

Some believe the solution to be an MDM – to centrally master all data, and have systems access an MDM to fulfil their data needs. However, an MDM’s goal is to master data and it is not designed to solve the issue of Privacy, nor provide a central privacy layer to ensure data is used correctly and compliantly.

An MDM’s goal is to master data, to have all systems and processes come to it for their data needs while also claiming granular permissions and bolted-on consent.

An MDM falls short for two very apparent reasons:

  1. As evidenced by Ireland vs Facebook, privacy laws and jurisdictional boundaries prevent data from being moved to centralised locations across borders for the purpose of processing. As such, a single MDM is a pure impossibility, and does nothing to address how data can move across borders. Instead they can lead to automatic data breaches by the very nature of what they do.
  2. Secondly, and even more importantly, Master data management does not prevent data from being copied. An organisation’s systems – IAM, CRM, Billing, Marketing, Data lakes for Machine Learning – all require data, and will continue to copy data for their respective needs. It is the copying, and re-copying of data that overtime leads to significant risk of data breaches and leaks.


In fact, these various systems store significantly more data than necessary. With the threat of fines and reputational damage posed by regulators, it’s time for organisations to start asking why. Why are we using MDMs for personal data when an MDM, with its approach to centralising data, puts a company in breach of almost any Personal Data Regulation that exists today?

A New Pillar of Data

Today’s increasingly complex, global data flows see data pushed to the Edge in many organisations – the advent of 5G will only see this further become the norm. Against a backdrop of increasing regulation, Customer’s Consents & Permissions must become the foundational layer of all data collected and used. Companies must ask themselves why they are processing data, and whether they have the right to do so?

Some may point to the fact that MDMs claim to have built-in consent, or refer to CRM or marketing platforms as having consent bolted-on, yet these are not the only systems that require consent & permissions. Indeed, in order to get a global view across all systems and databases, consents & permissions must become an independent, central and core pillar of the ecosystem. No business would trust a CRM with its core billing, or a Marketing Automation platform with its IAM – why should you trust an MDM, CRM, IAM, or Marketing solution to handle Consent & Permissions with what’s at stake – compliance with privacy regulations, fines, reputational damages and customer trust. Consents & Permissions are too important to be ‘bolted-on’, or to be considered a mere afterthought. Consents, Permissions and Privacy must be the first thought: without customer data there is no business, and with unpermissioned data the business is left severely exposed.

Personal data held by any company without the right consent or permissions is toxic. This simple mistake exposes organisations to business-breaking fines and irreparable brand damage.

Moreover, none of these solutions truly focus on the Data Minimization aspects of Big Data Analytics – that’s to say, Personal Data held by a company without the correct Consents or Permissions (or without the ability to audit and evidence Consents & Permissions) finds itself sitting on toxic data sets. This is in addition to the fact that third-party services (CRMs, MDMs, IAMs etc) themselves require a copy of your customer’s data to perform their tasks, thus leading to the proliferation of data, undermining data minimisation and further risking the security of the personal data held.

There is a better way to solve global privacy challenges while eliminating risk.

This requires a new way of thinking and a purpose-built solution that addresses the complexity of Personal Data in an ever-changing landscape. Trunomi is that solution: businesses use its rule-based Platform to create records of Consents and Permission, and gain a single view of all Data, Consents, Permissions and Attestations held across their entire systems, databases and partners.

Organisations can prove compliance with global regulations, generate new revenue streams, eliminate risk, and power business intelligence with powerful dashboards and reporting tools, while offering improved Customer Experiences founded on transparency and control provided to your customers via a fully integrated, branded ‘My Data’ Portal: This is where your customers can see all the data you hold on them, and the reasons and legal bases for holding and processing it. (We call it the relevant five: the who, what, where, why and when).

Customers can simply change their preferences, and opt-ins, outs are immediately reflected in the organisation’s records of processing, and can even inform downstream systems and databases to ensure data is always processed compliantly, and in the correct context. With Trunomi you can even automate DSR (Data Subject Requests), so when customers ask what data you are holding and why, Trunomi powers the automatic fulfilment of the DSRs.

At Trunomi we work with businesses around the world and across all verticals to solve Privacy, compliance, improve Customer Experiences, generate revenue, provide visibility and interoperability across the group, while automating Privacy workflows to save time, resources and eliminate risk. And most importantly, for the first time this can be achieved with absolutely zero-risk: Trunomi is uniquely placed as the world’s only Privacy solution to never see, store or process your organisation’s raw Personal Data.

Trunomi enables privacy-driven personal data flows in organizations as can be seen in the following diagram:

Read Also

Build Trust With Risk-Free Customer Data Management Platform

Build Trust With Risk-Free Customer Data Management Platform

In our data-led world, building trust is quickly becoming the most crucial component for business success. Trust with customers. Trust...
You Don’t Need Personal Data to Build a Personal Service

You Don’t Need Personal Data to Build a Personal Service

The arrival of Global Privacy regulation and its enterprise-wide implications means that businesses are building Privacy as a service, not...
The Commercial Potential of Enterprise Data Privacy

The Commercial Potential of Enterprise Data Privacy

Compliance with Data Privacy regulation is now a universal reality for businesses. It is rare today that a business is...