The General Data Protection Regulation (GDPR) is enforceable from 25th May 2018, and through it the EU is taking a giant step towards coherent and enforceable data privacy.
What is it?
GDPR replaces the EU directive, in force since 1998, which is a set of principles on data privacy & protection that member states implemented into local law, resulting in an assortment of laws across the EU. GDPR results in a single, harmonized approach that will be implemented across all member states. Given how technology has advanced since 1998, with the explosion of our Personally Identifiable Information (PII) now sitting in servers distributed far and wide, it is about time.
GDPR works at different levels.
Firstly, it is clear, built on base principles that are easy to understand for individuals as well as companies, such as:
- ‘Privacy by Design’ which deals with establishing principles to architect privacy into the engineering of a product or service.
- The right ‘to be forgotten’, allowing individuals to demand their personal data is erased, extending this right to include data published on the web.
- Applicability for organizations with no physical presence in the EU but who deal with EU citizens.
Secondly, the remedy for a breach is clear and severe, and enforcement looks easier. Organisations need to get to grips with implementation quickly, because both reputation and significant revenue are on the line: reputation through mandatory breach notification (within 72 hours), extending to notification of the affected individuals if the infringement is deemed serious enough, and revenue through fines of up to 4% of a company’s turnover.
Why is it needed?
I wonder how many times a week I give my full name, phone number, company, e-mail address, country of residence, etc. to download a white paper, book a ticket or hotel, or source an app. I am aware I am sharing too much data, scattering it indiscriminately across industries and continents, but I do it nonetheless. I am aware I click on the ‘I accept’ option for license agreements without due attention, so I can get on to the next task. I guess I am not alone in these behaviours.
Organisations know that structuring, connecting, tracking data to allow analysis and cognitive decision making is critical to their strategies – it is amongst the very top priorities. Data, our data, to allow understanding of our behaviours, is of premium importance and of high economic value – ‘the new oil’. And because it is important, it is often shared across departments, across group subsidiaries, and can become very difficult to track, making it more vulnerable to unwitting or criminal disclosure.
Kevin Kelly, in his excellent ‘The Inevitable’, says ‘We are morphing so fast that our ability to invent new things outpaces the rate we can civilize them’. GDPR will help us ‘civilize’ personal data ownership: we shared too much data too quickly, seduced by the possibilities from the digital revolution, and now GDPR will make sure organisations put the management and security of that data at the very heart of their operations.
Make no mistake, GDPR will trigger a massive change in the way enterprises currently handle their data. And this will not merely be about data management or data security. Companies must institutionalize a next-generation data governance mechanism that fosters robust GDPR compliance, while remaining relevant and future-proof enough to enable business transformation in the digital era.
Designing and implementing such a mechanism will entail significant time, effort and resources along with a revamp of organizations’ operating structures. Here are five things you must keep in mind as you undertake the GDPR compliance journey, and seek to roll out a strong next-generation data governance system.
5 Tips for GDPR Compliance
1. Information Audit and Categorization
The first step in embedding a robust data governance framework is a comprehensive audit of your existing data processes and the categorization of all PII across systems. In parallel, you should focus on effective metadata management, and elimination of data silos, with a view to fostering pan-enterprise information integration for increased operational efficiency.
2. Building Compliance across the Data Supply Chain
After categorizing the data and processes, you need to identify whether this data is shared externally and, if so, ensure compliance across the entire data supply chain. You will simultaneously have to ensure your data capture processes are updated for GDPR’s specific requirements, including explicit consent. Even as you reach out to your customers regarding explicit consent, you will need to think about purging and deleting data that is already stored in enterprise systems where consent is not possible or viable to obtain. Your redesigned data governance setup should be able to document all these activities as part of the data elements, in order to have an auditable trail of accountability.
3. Automated Data Management
GDPR also stipulates that customers should be able to request that their data be deleted, updated or ported. This clause means your data management system must facilitate easy fetching, alteration, deletion and reporting of personal data. It is very important to ensure the system is capable of end-to-end information lifecycle management, with built-in automation helping it smoothly handle the high volume of data change requests.
Another aspect of data management in ensuring regulatory alignment is to update your data for requirements such as lawful basis for processing personal data, data verification for parental consent for minors, inaccurate data, etc. These rules can be built in as part of your data quality management processes.
4. Data Security Management
Data breaches may be inevitable but are highly avoidable. Recognizing this fact, GDPR requires organizations to report breaches within 72 hours. It is the responsibility of the affected entity to handle the breach and take remedial measures such as data deletion, anonymization, encryption, etc. The data governance system should also be able to handle a breach effectively by identifying the affected data entities, flagging them for resolution, managing the remediation, and so on.
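As an added illustration of tips 2 to 4 (this is not code from the original post), here is a minimal PII registry: each record carries its lawful basis, erasure and portability requests are served across every holding system, every action lands in an append-only audit trail, and the 72-hour breach clock is computed from the detection time. All class and function names and the sample data are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Record:
    subject_id: str    # the data subject this copy of PII belongs to
    system: str        # enterprise system holding the copy (e.g. "crm")
    fields: dict       # the PII fields held there
    lawful_basis: str  # e.g. "consent" or "contract"; "" = no basis recorded

class PiiRegistry:
    # Catalogue of where each subject's PII lives, plus an audit trail.
    def __init__(self):
        self.records = []
        self.audit = []  # one entry per governance action, never edited

    def _log(self, action, subject_id, detail):
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "action": action, "subject": subject_id, "detail": detail})

    def register(self, rec):
        self.records.append(rec)
        self._log("register", rec.subject_id, rec.system)

    def locate(self, subject_id):  # every system holding PII for this subject
        return [r for r in self.records if r.subject_id == subject_id]

    def export(self, subject_id):  # portability request, keyed by holding system
        return {r.system: dict(r.fields) for r in self.locate(subject_id)}

    def erase(self, subject_id):  # erasure request across all systems
        touched = [r.system for r in self.locate(subject_id)]
        self.records = [r for r in self.records if r.subject_id != subject_id]
        self._log("erase", subject_id, touched)
        return len(touched)

    def purge_without_basis(self):  # copies held with no lawful basis
        gone = [r for r in self.records if not r.lawful_basis]
        self.records = [r for r in self.records if r.lawful_basis]
        for r in gone:
            self._log("purge_no_basis", r.subject_id, r.system)
        return len(gone)

    def affected_by_breach(self, system):  # triage: subjects with PII in that system
        return sorted({r.subject_id for r in self.records if r.system == system})

def breach_notification_deadline(detected_at_iso):
    """GDPR's 72-hour clock, from an ISO-8601 detection time with UTC offset."""
    detected = datetime.fromisoformat(detected_at_iso)
    return (detected + timedelta(hours=72)).isoformat()
```

In a real deployment the audit list would be a write-once store and `erase` would issue deletion jobs to each holding system rather than only updating the catalogue.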
5. Data Protection Impact Assessments (DPIA)
The DPIA clause of GDPR calls for privacy by design, which translates into a requirement for companies to audit, from a compliance standpoint, any new systems or information entering their existing data management systems. Implementing an effective metadata management process could come in handy on this front.
Making Data Management an Advantage through GDPR Compliance
The above steps will bring a deep rigour to how enterprises structure, orchestrate, track & secure data. By being forced to be able to easily locate, anonymise and report on personal data, enterprises have a real opportunity to get the 360° client view, with all the benefits that can bring to client responsiveness and engagement.
Compliance with GDPR is a business case that will, in our experience, show a very healthy return.