Data Governance and GDPR: How the Most Comprehensive Data Regulation in the World Will Affect Your Business
Because if your organisation exists within the European Union (EU) or trades with the EU, the General Data Protection Regulation (GDPR) will affect your operations.
Despite this fact, only 6% of organizations say they are “completely prepared” ahead of the mandate’s May 25 effective date, according to the 2018 State of Data Governance Report.
Perhaps some solace can be found in that 39% of those surveyed for the report indicate they are “somewhat prepared,” with 27% starting preparations.
But 11% indicate they are “not prepared at all,” and the most damning of revelations is that 17% of organisations believe GDPR does not affect them.
I’m afraid these folks and their organisations are misguided because any company in any industry is within GDPR’s reach. Even if only one EU citizen’s data is included within an organisation’s database(s), compliance is mandatory.
So it’s important for organisations to understand exactly what they need to do before the deadline and the potential fines of up to €20 million or 4% of annual turnover, whichever is greater.
Personally Identifiable Information (PII)
According to the GDPR directive, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.
Personal data also comes in many forms and extends to the combination of different data elements that individually are not PII but contribute to PII status when consolidated.
Active Consent, Data Processing and the Right to Be Forgotten
GDPR also strengthens the conditions for consent, which must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Data subjects also have the right to obtain confirmation as to whether their personal data is being processed, where and for what purpose. The data controller must provide a copy of said personal data in an electronic format – free of charge. This change is a dramatic shift in data transparency and consumer empowerment.
The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Documenting Compliance and Data Breaches
GDPR also looks to curb data breaches that have become more extensive and frequent in recent years. Data’s value has sky-rocketed, making data-driven businesses targets of cyber threats.
Organizations must document what data they have, where it resides, the controls in place to protect it, and the measures that will be taken to address mistakes/breaches. In fact, data breach notification is mandatory within 72 hours if that breach is likely to “result in risk for the rights and freedoms of individuals.”
Data Governance and GDPR: Putting Data Governance to Work
Based on the results of the State of DG Report referenced at the beginning of this post, organisations aren’t as GDPR-ready as they should be. But there’s still time to act.
Data governance and GDPR go hand in hand. A strong data governance program is critical to the data visibility and categorisation needed for GDPR compliance. And it will help in assessing and prioritising data risks and enable easier verification of compliance with GDPR auditors.
Data governance enables an organisation to discover, understand, govern and socialise its data assets – not just within IT but across the entire organisation. Not only does it encompass data’s current iteration but also its entire lineage and connections through the data ecosystem.
Understanding data lineage is absolutely necessary in the context of GDPR. Take the right to be forgotten, for example. Such compliance requires an organisation to locate all an individual’s PII and any information that can be cross-referenced with other data points to become PII.
With the right data governance approach and supporting technology, organisations can ensure GDPR compliance with their current, as-is architecture and data assets – and ensure new data sources and/or changes to the to-be architecture incorporate the appropriate controls.
Stakeholders across the enterprise need to be GDPR aware and enabled so that compliance is built in, cultural.
For more information about increasing your expertise in relation to data governance and GDPR, get our new white paper.