The first service of a GDPR notice – to analytics firm AggregateIQ for its controversial use of voter data – reinforced the severity and significance of GDPR for organisations worldwide. Though the May 25, 2018 deadline for compliance may initially have been treated as a one-off, box-ticking exercise, the reality is that GDPR brings heightened, long-term scrutiny to the way in which organisations collect, use, and store data.
The purpose of GDPR is to protect personal privacy rights by providing greater transparency into the way that personal data is used. As a consequence, full GDPR compliance means being able to answer questions such as: is personal data being used, who owns it, where can it be found, what does it mean, why is it being stored, and is it trustworthy? The inability to answer any of these questions exposes a business to the real risk of harsh penalties and reputational damage, not to mention the lost opportunity of failing to use an organisation’s data to its fullest potential.
In order to answer the questions raised by GDPR compliance, organisations must have a 360-degree view of their data. Strong governance that applies comprehensive policies to the management and organisation of data is a prerequisite.
Rise of the CDO
Six months after the much-discussed May deadline, organisations are still failing to realise the true power of a data-centric approach, whether for ensuring compliance or operational efficiency. According to a survey from Imperva, less than 50% of businesses are highly confident they would pass a GDPR audit. A Fellowes study of more than 1,000 UK workers, announced in October 2018, found that 20% still had not been given any GDPR policies by their company. Another 54% of respondents in this study had seen personal and/or confidential data they should not have seen under GDPR.
These troubling figures demonstrate that despite the momentum of initial compliance investments made to meet the GDPR deadline, efforts have largely consisted of hasty ‘band-aid’ solutions with little regard for long-term sustainability and change in corporate culture. There is a glaring need for organisations to implement – and maintain – concrete data processing policies and systems. There is no person better positioned to achieve this than the Chief Data Officer (CDO), who helps the enterprise manage its data effectively. Armed with expert knowledge of data governance and processes, CDOs have the ability to make significant steps towards long-term GDPR compliance.
A CDO’s unique ability to help organisations overcome compliance challenges without disrupting business as usual also means they should have a seat at the table in boardroom discussions. By elevating their role, CDOs can not only obtain the senior buy-in they need – indeed this is a pre-requisite to GDPR compliance – but also leverage their authority to catalyse a cultural shift towards data-centricity within their organisation. In the modern business landscape, where governed data is an asset, CDOs also serve as business strategists.
Equipped with advanced technology, an analytical mindset, and an innate attention to detail, CDOs are capable of identifying the value of data within an organisation and ethically leveraging that data to implement strategic, data-led change.
Data governance: a GDPR solution and business enabler
So how can CDOs begin to sift through the data within an organisation to make sure the organisation is compliant both now and in the future? And, perhaps even more importantly, to use data to reveal business growth possibilities and industry-impacting strategies? The answer lies in data governance and an offence-defence balancing act. On one hand, CDOs have to play defence to meet regulatory obligations like GDPR. On the other hand, CDOs must take the offence as well: using data to inform business decisions and drive new growth opportunities. Data governance is a necessary part of each approach since each approach requires full visibility into the origin, format, lineage, and quality of data.
The first priority when implementing a clear data governance strategy is conducting a data maturity assessment, which will help a CDO identify the areas that need to be improved. In the case of GDPR, knowing just how far from compliance a company is when it starts will help it decide which strategies and steps to prioritise going forward. This involves evaluating the state of various elements within the organisation, such as:
- The leadership team’s attitudes towards data
- The strength of existing data policies
- The level of exposure to security or legal risks
- The sophistication of its underlying technological infrastructure
A data maturity assessment is a critical step to launching any governance initiative; CDOs will not know if their efforts are aligned with an organisation’s business priorities – or which areas to improve – if they are unaware of their starting point.
A long-term situation
Once a data maturity assessment has been made, CDOs can begin building the right tools and processes to govern enterprise data. However, with the volume and variety of enterprise data continuing to multiply at an exponential rate, it is important for CDOs to implement a governance strategy that can maximise the reach of its data assets whilst staying compliant.
In order to achieve this, businesses need both a macro and a micro mindset. They need to gain maximum visibility into how data is used at every level of the organisation, while also understanding, for example, that updating metadata in real time will improve its reliability and trustworthiness. This approach of thinking about the big picture, while also keeping an eye on the micro processes, will help CDOs build a long-term, GDPR-compliant data strategy.
GDPR compliance and data governance are inextricably linked; GDPR compliance cannot be achieved without strong governance. This requires not only procedural and micro strategies, but an overall cultural mindset of a data-centric approach, which the CDO is primed to lead. Keeping both sides of the governance coin in check is where the CDO can drive real value for an organisation: ensuring all elements of GDPR compliance are governed, avoiding regulatory violations, and propelling his or her organisation to success.
By Bart Vandekerckhove, Product Manager, Collibra