GDPR Forcing Organizations to View Data Strategically
The upcoming GDPR regulations require enterprises to consider three basic questions about their data. Here's how you can be ready with the answers.
- By Olivier Van Hoof
- November 14, 2017
Without question, data makes the global economy go 'round, yet the vast volume of data we've created at such a staggering and ever-increasing pace has been difficult to control. The digital age has forced us to re-evaluate traditional notions of how we manage data and to create a new set of data regulations.
Among the most significant of these new rules is the General Data Protection Regulation (GDPR), ratified by The European Commission in April 2016. The GDPR is a broad regulation that addresses how organizations capture, control, and process personal information. It is a clear recognition that we need to protect the rights of citizens whose data powers our economy.
The EU has determined that responsibility for these protections sits squarely on the shoulders of the organizations that collect the data. Until recently, many global organizations assumed the regulation only applied to EU-based businesses. However, GDPR applies to any company inside or outside the European Union that offers goods and services to European residents. Any organization that conducts business in the EU and collects personal data must comply with this regulation.
Proving Compliance
The GDPR should not be taken lightly. Organizations are expected to be 100 percent compliant beginning in May 2018 or face significant fines (as much as 2 to 4 percent of global revenues). Many organizations that have been caught flat-footed by the data tsunami are using the GDPR to initiate board-level conversations critical to jumpstarting their holistic data protection strategies.
Among the biggest obstacles to modernizing an organization's data practices and processes are securing the budget and obtaining stakeholder buy-in. However, the urgency of GDPR compliance is helping to move these critical conversations forward.
With a data protection budget in place, the first step is to understand the data in your platforms. To ensure GDPR compliance, an organization must be able to answer three crucial questions and show proof to substantiate the answers:
- Where is my data?
- Who is responsible for that data?
- How and why am I processing that data?
How to Get Started
How should your organization start preparing its answers to these questions? Establishing a good governance program gives a clear picture of the data landscape and helps you explain where your data is. It becomes easier to see what data your organization has and who owns it (which helps you explain data responsibility).
Ensuring every bit of data is assigned to an individual or team is the starting point in establishing accurate, trustworthy, and accessible data. Accountability is a key driver for any governance program; it is only when people are accountable for the data that you achieve success in a data-driven world.
Data governance is an essential part of overall data security. It provides a framework for managing and defining enterprisewide policies, business rules, and data assets to provide the necessary level of data protection and quality. This is crucial in meeting specific requirements of the GDPR, such as "Privacy by Design," which states that protection of personal data must become part of your organization's DNA. Whether you are implementing a new system or a new product or entering a new market, it's important to consider the impact on personal data and ensure you remain compliant with GDPR.
Understanding the processes that involve personally identifiable data is key to the success of any organization's GDPR program. GDPR explicitly requires organizations to build a clear registry of data activities and contextualize that within the regulation (for example, identifying the purpose of the activity, its legitimacy, the type of data, and the type of individuals).
Building and maintaining this registry is strictly a business task and cannot be outsourced to IT alone. It requires organizations to reach across their business to understand what data processes are in place, understand where personally identifiable data is used, and link those processes to the existing data items in their data dictionaries.
Having this process in place will make it easier to report on data, a critical requirement of regulators. When you can find data and understand it, you can easily provide the evidence regulators need to determine if your organization is GDPR-compliant.
Final Thoughts
The GDPR compels us to acknowledge that data is everybody's business. Although IT can provide the necessary infrastructure and technical tools, it alone cannot be responsible for the context, ownership, and strategy surrounding data. The business users are the people who understand the data and its value; therefore, they should be active participants in your long-term data strategy.
The looming GDPR deadline and the consequences of noncompliance have pushed organizations to reconsider their approach to data, creating long-term strategies founded on data governance and becoming strategically data-driven organizations.
About the Author
Olivier Van Hoof is a manager at Collibra. During his career, Van Hoof has led a variety of large-scale projects within the financial services industry at Bank of New York, ABN Amro, and HSBC, among others, with a focus on regulatory reporting, stress testing, asset management, compliance, and data governance. You can reach the author at [email protected], via Twitter, or at LinkedIn.