On Friday May 25th 2018, the General Data Protection Regulation (GDPR) came into effect. This new, sweeping regulation gives consumers control of how organisations use their personal data, requires opt-in consent, and makes it necessary for companies to remove a person's information from their databases almost instantly when that person asks for it – which presents enormous technical difficulties.
Businesses will no longer be able to claim ownership of customer data; instead, they will be custodians of it. This fundamentally changes how a business handles this data.
Businesses will need to have complete transparency across all of their data ‘actions’ and provide this information to the consumer almost instantly.
The regulation applies if the Data Controller, the Data Processor or the data subject (the person) is based in the EU. Essentially, any company that does business in the EU must be GDPR-compliant, regardless of Brexit.
Non-compliance can lead to fines of up to €20 million or 4% of global annual turnover.
If you haven’t looked at strategies for GDPR-compliance, you’re very much behind the curve because it represents a significant change in how data will be handled around the world.
Most of the legislation boils down to one simple thing — data governance. And by putting solid data governance practices in place, you’ll be well on your way to compliance.
Why data governance? Well, one of the most daunting things about the GDPR is that organisations already have accumulated massive amounts of data (some of it copied many times over and used in countless different information systems), and the regulations apply not just going forward, but retroactively as well.
Given the way many businesses today manage data (or rather … don’t manage it), a simple right-to-be-forgotten request from an EU user — something with which you’ll have to comply under today’s GDPR — becomes extremely complicated and operationally disruptive. In other words, if your or your client’s underlying system is not built in such a way that you can trace specific pieces of data, for customer requests, audits etc., GDPR becomes exponentially more complicated. Fortunately, data governance holds a lot of the answers.
As many GDPR experts have rightly pointed out, becoming GDPR-compliant is a matter of preparing your data (or your client’s data), but also of preparing the processes for how you handle, manage and use that data. Companies must be sure that they can provide the full lineage of their data, meaning that when they create something from data, they – or you as their data processor – must be able to go back in time and determine which particular data was used and how.
Ultimately, that means building new systems for managing, tracing, and controlling data and its use throughout the organisation. Little wonder, then, that some IT contractors will no doubt be seen rubbing their hands together!