The General Data Protection Regulation (GDPR), contrary to what the name suggests, is not just about protecting data. It is about protecting the personal privacy of European citizens, in both the analog and the digital world.
There are revisions to the GDPR, under Data Protection Directive 95/46/EC, which come into effect after May 25, 2018. These do not have major implications for enterprises that are already compliant with the national regulations. The companies that will be worst affected under the revised GDPR are the ones that are currently non-compliant. For them this is a real game changer: they face the reality of fines running into millions of Euros, as opposed to the smaller sums, if any, they face today. In fact, there has already been such a victim under the GDPR sanctions. UK-based Sigue Global Service Ltd. was recently fined 11m € by the Italian data protection authority. This highlights the urgency for organizations to understand the regulations and act.
Another major change to the GDPR to be aware of is that the regulation now applies to all companies offering products or services within the EU, regardless of where their headquarters are based. This means that if a company has a website accessible from Europe that describes its services in multiple (European) languages, offers country-specific subpages, or shows prices in European currencies, this counts as "offering services." The GDPR applies to all these organizations, which realistically means it can affect most international companies.
The regulation distinguishes between small enterprises (below 250 employees) and ‘regular’ enterprises. Not all the GDPR requirements apply to the smaller enterprises, such as the requirement to appoint a dedicated Data Privacy Officer; but where a data breach arises, or a complaint is brought against them, they are still subject to the same fines as the larger organizations. So even if your company has fewer than 250 employees, you need to be GDPR compliant and have the appropriate measures in place.
Data Governance is a system to control the creation, maintenance, usage, distribution and deletion of data within a company. Data Governance encompasses People, Processes, Policies and Technology, so it extends or establishes business processes for structured creation, usage, and deletion of data.
This means that the capabilities of a Data Governance system can fulfill most of the GDPR requirements:
- Principles of processing of personal data (paragraph 5): Data Economy, Data Avoidance, Data Quality, and Process Transparency
- Accountability (Article 5(2))
- Right of Access (Article 15)
- Data Portability (Article 20)
- Processing via Processor Contracts (Article 28)
- Records of Processing Activities (Article 30)
- Data Protection Impact Assessment (Article 35)
- Prior Consultation (Article 36)
The roles and responsibilities of the Data Protection Officer and a Data Steward are pretty much the same. Both should establish the parameters of the business processes by setting policies, and should define jointly with the business how data is collected and used. Technology is key to enforcing these policies and the rules derived from them, and to constantly monitoring the data stored in the IT systems.
In summary, while Data Governance hasn’t traditionally attracted visibility at C-level unless compelling events have raised its profile, the implementation of GDPR and the requirement for a change management project will make companies revisit how they work with their (PI) data. The legal remit and its implications will significantly raise the profile and importance of data, and this is the perfect driver for a data governance initiative and a pilot project to understand the value it brings.
My next GDPR blog installment in this series will focus on the details of the new GDPR requirements.