Chances and Challenges of GDPR – what is GDPR?
The General Data Protection Regulation (GDPR) is a binding regulation created by the European Commission. The regulation is replacing current European Union data protection directives and diverse national laws.
By 25th of May 2018, the affected businesses will have to comply with several new requirements in relation to personal data collection and processing. The GDPR aims to strengthen the control and protection of personal data by defining more strict rules and obligations for organizations using the data. This is an important change with an according impact, since personal data in our modern digital world is vital to the global economy.
Which organizations does it affect and what is the scope?
The GDPR should strengthen each person’s right of data protection and – in the longer run – simplify processes around operations based on this data for organizations. It is also introduced to harmonize existing – and very different – national laws on this matter across the EU. Hence for international organizations it will make compliancy easier in the long run.
From my personal experience having worked on other data protection & compliancy activities across Europe this could be a benefit and especially companies, who do already comply with the stronger regulations – e.g. in Germany – have a good starting position.
GDPR applies to all organizations that are established in the EU and to companies outside the EU, which are processing personal data of European Union citizens. Processing in this case is a broad summary of different aspects like collecting, recording, storing, using, etc.
A very important point with regards to the scope of the directive is, that employee data is also considered as personal data and falls under the same requirements.
The right questions to ask
Do you already know, whether your organization is a data controller and/or a data processor?
It takes one question to answer: Is someone else telling you which data to collect and how to process it? Yes – then you are a data processor.
If you determine collection and processing for yourself, then you are a data controller and ultimately responsible for the information you store and use. In this case, you need to fully comply with the GDPR requirements. In addition you have to ensure that also your business partners processing data on your behalf do comply.
For data processors, there are new regulations as well – mainly regarding the documentation of all data processing activities and the need to provide it to authorities, if requested. Also breaches or risk of data loss need to be reported to your data controller.
Organizational Impact
GDPR introduces new rules and requirements covering various areas such as transparency, breach disclosure, privacy impact assessments and how organizations obtain consent to use personal data.
More than a technical challenge, compliancy will be a cross-functional effort for organizations. Different departments like IT, Marketing, Sales, HR,… that process customer data or share it with external business partners need to have a clear view on data flows and ownership – who is the data controller and who is the processor? This could be a first challenge for grown organizations with a history of mergers & acquisitions, legacy system migrations, data exchange with existing and former partners, etc.
A first step to more clarity is a structured and corporate wide assessment of existing systems, processes and interfaces with business partners. Get the picture clear, before jumping into actions.
Data Governance
With data at the core of today’s business operations, the processing needs to be prioritized. Structured and semi-structured data in various databases and transactional systems is often not centrally governed but controlled and managed by different tools and software. Another big concern comes with those data collections, which are stored or archived somewhere for later. Every company has its hidden data store, where information is kept, because it could be interesting in the future. But nobody really knows nature and content of this information anymore.
A strict data governance strategy and process – system-independent – will increase clarity and control. Data management, policies and processes will need to be reviewed, changed and documented. New processes need to be introduced according to new rights given to individuals with regards to their data.
New rights of individuals
Individuals will gain new rights by the GDPR, which will require new processes and technical capabilities. Five of the most important requirements are:
- Erasure – Deletion and proof of deletion of all data if requested
- Consent – The collection and purpose of data usage can be limited to selected processes only
- Adjustment – Individuals can request incomplete data to be completed
- Data access – Right to know which data is being processed and how.
- Portability – Personal data must transmittable from one organization to another
Applying processes to cover these new requirements as data is collected or created in real time is a challenge and as mentioned above even more challenging in combination with legacy data just kept, migrated, archived or even ingested into a Big Data engine used for advanced analytics.
Chances of GDPR
Compliancy with new rules regarding data breach notification and new rights for consumers can be seen as a challenge for organizations. Forward thinking organizations can also handle this as opportunity to embrace the new requirements to overcome department silos and legacy data issues. They can gain competitive advantages by streamlining end-to-end processes and by applying a holistic view on information governance.
With more visibility on data – one of the major business assets – the information value can be improved and integrated solutions to automate data processing workflows can facilitate a proactive information management.
A changed mindset and attitude of how to use systems and data will allow employees to become stewards of corporate information and promote a culture where governed and reliable data is seen as fuel to success of the organization. Understanding the role and importance of Information Management and Governance in data privacy will be a key success factor.
Do you like to learn more about our view on GDPR compliant information management and data governance? Get in contact with us for more details and a coffee.