Are you in compliance yet? Read these frequently asked questions about GDPR to ensure your enterprise is on the right track.
- By Philip Russom
- June 1, 2018
The General Data Protection Regulation (GDPR) from the European Union (EU) is now in force. However, few non-EU organizations have done much about it. Check this list of frequently asked questions to kick-start your understanding and your action.
What Is the GDPR?
The GDPR is a legal framework that sets guidelines for the collection and processing of personally identifiable information (PII) about individuals within the EU. These guidelines were defined by, and are now enforced by, departments of the EU Parliament. The GDPR became enforceable on May 25, 2018.
Who Is Protected by the GDPR?
In the context of the GDPR, the term "individuals" usually means people who are citizens or residents of EU nations. Note that the GDPR does not protect other parties, such as companies, schools, and government agencies.
What Is the Purpose of the GDPR?
The GDPR updates rules about data privacy rights to keep pace with evolving data use and data technology in an increasingly global business environment, with a focus on how these impact the daily lives of EU individuals.
What Does the GDPR Mean to You and Your Organization?
The scope of the GDPR is global. It is a rewrite and expansion of older data protection regulations (DPRs). Prior DPRs governed data use only within the EU, whereas the current GDPR seeks to govern the PII of EU individuals worldwide. This means that even organizations based outside the EU must comply in terms of how they collect, store, secure, and use data about EU individuals.
Failure to comply can be costly. The EU may levy fines up to €20 million or 4 percent of an organization's global revenue.
Failure to comply can also impact your business. Customers and partners may leave or limit how much they spend with you if you are found to be noncompliant. They may see noncompliance as your inability to operate legally, serve them properly, respect their privacy, and secure data about them.
What Strategies Can Help You Achieve GDPR Compliance?
TDWI sees two broad categories of strategy for GDPR compliance:
- Data governance. Initiate or revise your organization's data governance policies. Apply the policies to business processes related to the capture, management, and usage of data about EU individuals. Governance (and related practices for stewardship or curation) should foster collaboration among business and technology staff so that data management work is aligned with business goals such as compliance.
Which Organizations Are Positioned for GDPR Success?
Preexisting programs and experience in certain areas tend to accelerate GDPR compliance. This includes compliance and governance programs (of any kind or level of maturity), experience with EU regulations and markets, and mature data management practices, teams, and data infrastructure.
How Can Your Enterprise Get Started with GDPR Compliance?
First, get people talking. Pull together a multifunctional steering committee to discuss GDPR and determine whether it demands action.
Begin with basic questions. Does the GDPR apply to us today? Will it in the future as we expand markets? If the answer to either question is yes, determine which data sets and business processes have the greatest risk exposure and who owns, manages, and controls them.
Focus on data and processes with the highest risk. Do existing compliance and data governance policies apply to EU PII? Do we need new or revised policies? Are there quick tweaks for data and processes we can complete in the short term? What is our strategy for the long term?
How Can Your Enterprise Sustain GDPR Compliance?
To do GDPR compliance right, build the right organizational structure. Ideally, existing committees or boards for compliance or governance should address the GDPR. If those don't exist, you may need to initiate such programs or an equivalent organizational structure before addressing the GDPR over the long term.
A high-placed, influential executive should lead your GDPR efforts. Success may demand a senior director, vice president, or other chief officer to wield a "big stick" to ensure that GDPR and other data compliance happens. TDWI has seen successful programs with two leaders, one each for business and technology.
GDPR compliance (like all governance and compliance) requires diverse people to collaborate. You should populate the GDPR organizational structure with a mix of experts from various business and technology functions at varying levels of management.
For example, middle managers (line-of-business managers and directors) should be involved -- they know the role of data in operations, business success, and compliance. Data stewards (businesspeople who own and protect data) make an excellent interface between business and technology people, thereby assuring alignment. Data management professionals -- from DataOps to data warehousing to data science -- know how to recognize and handle data that demands compliance. Finally, consult miscellaneous professionals -- especially from compliance, legal, public relations, sales, and marketing departments -- for the details of data usage and process compliance.
Philip Russom is director of TDWI Research for data management and oversees many of TDWI’s research-oriented publications, services, and events. He is a well-known figure in data warehousing and business intelligence, having published over 500 research reports, magazine articles, opinion columns, speeches, Webinars, and more. Before joining TDWI in 2005, Russom was an industry analyst covering BI at Forrester Research and Giga Information Group. He also ran his own business as an independent industry analyst and BI consultant and was a contributing editor with leading IT magazines. Before that, Russom worked in technical and marketing positions for various database vendors. You can reach him at firstname.lastname@example.org, @prussom on Twitter, and on LinkedIn at linkedin.com/in/philiprussom.