Master Data Screening: Get Your Master Data GDPR-Compliant

Corporate Master Data Contains Lots of Personally Identifiable Information

Companies' vendor or customer master data often contains a large amount of personal data that goes unnoticed. If business partner data that contains natural persons remains unrecognized, GDPR-compliant processing of that information is impossible. At the same time, the risk of fines and of damage to the company's image increases.

Manual Identification of Personal Data is Exhausting

However, manual identification of questionable data records is not easy and requires a high level of personnel resources:

  • Names containing legal forms are clear indicators of a company. But who knows all abbreviations of all legal forms worldwide?
  • Typical first and last names are clear indicators of natural persons, especially if a legal form is missing. But who knows all typical names from all countries?
  • In some countries, there is a tax number that identifies a natural person by a particular character at a particular spot. But who knows all these rules? And even if so, who has the time to manually check all business partner data?

Your MDM Compliance Expert

David Giesinger
Head of Sales Management

With more than 10 years of experience in data management, David is your trusted expert contact for the identification of personally identifiable information within your company's customer and supplier master data.

Identification of Personally Identifiable Information with the Help of AI

Our AI-based service provides quick and simple help in identifying personal data that is unintentionally hidden in your business partner master data. We analyze your data records and mark all entries found with personal data — and we do that for a fixed price per screening for your entire customer and vendor base.

We Protect Your Data in the Best Possible Way!

Data Protection

All data we receive is protected through up-to-date protocols and encryption mechanisms. The entire CDQ Cloud infrastructure is provided on Amazon Web Services (AWS) servers in the European Union (Frankfurt, Germany and Dublin, Ireland) to comply with EU data privacy regulation.

All data uploaded into the CDQ Cloud, as well as the analysis results, is stored in individual databases per customer, and users can choose to delete it. If a user chooses to delete their data, all of it is deleted, and no data is cached or withheld. Updates that are disclosed for sharing with other community peers are processed and stored separately and do not have any backlink to a user.

Do you still have questions about the protection of your business partner data in the CDQ Cloud? We will be happy to answer your questions in a personal interview - just contact us!

Questions about Data protection?

FAQ: Frequently Asked Questions & Answers

For the GDPR-compliance screening, send us a file with the datasets of the customer master data and vendor master data of your choice. Whether 10,000 or 200,000 data records, we quickly and reliably review your data and find identifiable personal data that is hidden in your business partner master data. On the basis of this analysis, the entries found can then be cleaned up or provided with a special marking in your ERP system.

We conclude a data processing agreement with you and ensure the complete deletion of all data after completion of the project. Your data is stored with us under encryption and protected from access by third parties.

According to Article 4 (1) (1) of the General Data Protection Regulation (GDPR), personal data is all information "relating to an identified or identifiable natural person". Even names of partnerships or freelancers can, therefore, be subjected to special due diligence during processing.

Unfortunately, in practice it is often the case that, in the fields for the company name of the customer and vendor data, personal data is stored without being noticed or particularly indicated. This can be due to various reasons:

  • Customers and/or vendors work on their own account and thus appear under their own name (e.g. freelancers or physicians, such as "Hans Mustermann SP").
  • Customers and/or vendors are natural persons (especially if you work in the B2C area) and have not been marked as such.
  • The data was not properly maintained and instead of the company name "Mustermann LLC", the name "Company, Hans Mustermann" was stored in the data field. It is also common that the name of the contact person is accidentally stored in the "Company" data field. A typical example of this is "Mustermann Inc. attn: Hans Mustermann".

Many of our customers have stored hundreds or thousands of data records containing personal data in their systems, without knowing it. And thus, they have no chance to process this data in compliance with the GDPR.

Here, the first important step is to identify potential entries containing data from natural persons. You can include this step among your technical and organizational measures (TOMs) in order to ensure secure processing in compliance with the General Data Protection Regulation.

In addition, you can also use the GDPR Screening to check if your previous methods are effective.

According to Article 4 (1) (1) of the General Data Protection Regulation, all information "relating to an identified or identifiable natural person" is personal data and is, therefore, subject to the provisions of the GDPR. This also applies to stored first and last names of customers or vendors.

We use new technologies in GDPR Master Data Screening. Your data sets are checked by the CDQ Cloud Engine with the help of artificial intelligence (AI) through a self-learning algorithm ("machine learning"). We've trained the algorithm for a long time and with a variety of data so that it can identify natural persons across multiple countries.

To do this work manually, you would need people with a lot of time and international expertise to identify natural persons in a variety of languages, such as Chinese or Portuguese. Our algorithm provides a 90% correct assignment of natural persons worldwide, meaning that less than 10% are later found to be a company.

If personal data is detected in the analyzed data records, these options are available for further use:

  1. When it comes to data of natural persons that you must continue to use in this form in the system, we strongly recommend that you mark them in your ERP accordingly (for example with the "natural person flag"). Depending on the system, there are various ways to store this.

    In the SAP environment, this is done, among other ways, through the Business Partner Category or the NATPERS or NAPR field (meaning "Business Partner Is a Natural Person Under the Tax Laws"). Companies can only act in compliance with the GDPR if their data records are clearly marked as the data of natural persons.

  2. If it involves data that is incorrectly maintained, e.g., if a contact person is stored in the field for the company name, we recommend that you clean up these entries and delete the personal data from the data field.

    If you need assistance with the subsequent data cleansing, simply contact us.

Here you will find current research results on GDPR for Data Managers (in English).

Send us the data as a CSV or Excel file with the names, country codes and identification numbers (for example, tax numbers) of your customer and vendor data. To ensure a secure transfer, we will gladly provide you with a separate upload account.

You will receive the results of the data analysis from us within 5 working days, at the latest; we are often even faster.

Personal Data is the Focus of the GDPR

Within the EU, personal data has received special protection since the introduction of the General Data Protection Regulation (GDPR) in May 2018. Personal data is information that can be clearly associated with a specific person, such as names, birth dates or other attributes that directly refer to an identifiable natural person. This also applies to your vendor and customer data. Even the address of a customer or vendor can be classified as "personal". Therefore, all data records that do not clearly represent a legal entity should be labeled, separately verified and, in case of doubt, classified as "personal". In a GDPR audit, companies must at least demonstrate that such "technical and organizational measures" (TOMs) are carried out regularly and systematically.

Master data sets that contain sensitive entries such as personal data without this being noticed cannot be processed in a privacy-compliant manner within the EU. This increases the risk of a high fine and lasting damage to the company image.

CDQ specializes in the AI-based identification of personal data that is unintentionally hidden in business partner master data. Our screening service helps to reliably detect and tag sensitive information, minimizing the potential threat of a GDPR violation. Get your corporate master data GDPR-compliant and contact us now!

Data Management for Data Protection (GDPR)

The CC CDQ research team provides a data-centric view on data protection regulatory requirements throughout the data lifecycle.

Data Quality Tools

CDQ's cloud-based Data Quality Tools enable fast and reliable analyses, validation and enrichment of your business partner master data. Request your personal demo now!

Data Sharing for Better GDPR-Compliance

The members of our Data Sharing Community share data quality rules, data sources, and peer-validated records to achieve the best possible GDPR-compliance.