GDPR in the Data-Driven Age

Today's global economy runs on data. Every day, individuals are providing data, while companies collect it. The rapid growth and volume of this data has been overwhelming and nearly impossible to manage. But, as the value of data increases, so does the interest from outside, including potentially nefarious sources. What’s required are newer, specific safeguards that address the myriad of data challenges brought about by the digital age.

The General Data Protection Rule

(GDPR) is a broad, complex regulation that addresses how organizations capture, control, and process personal information. The regulation, ratified by The European Commission in April 2016, applies to any company inside or outside the European Union that offers goods and services to EU residents. Any organization that conducts business in the EU and collects personal data must comply with this regulation.

The GDPR strengthens data protection provisions for all EU citizens by significantly expanding the definition of what constitutes “personal information.” The GDPR goeswell beyond birth dates and Social Security numbers to include genomic data, health records, financial information, and social media profiles, among many other sources. Fines for non-compliance will be significant: up to 2%-4% of a company’s global revenue. With the May 2018 deadline fast approaching, many companies are using the GDPR as the catalyst to finally modernize their data strategies.

As organizations rush to get a handle on their data to ensure compliance, here are three steps to establishing a long-term data strategy.

Level Up

A comprehensive data strategy begins with the understanding that data is no longer the sole responsibility of the IT department. IT can provide the infrastructure and the technical methods to collect the data. But the IT staff typically doesn’t understand the business context or business
impact of the data. A long-term data strategy should involve business users who interact with the data constantly, and as such, have better insights into the data and its value to the business.

Know the (Data) Landscape

Understanding how data moves across and beyond an enterprise is a key aspect to complying with the GDPR. Under the GDPR, an organization must be able to answer three questions and show proof of those answers:

  1. Where is my data?
  2. Who is responsible for that data?
  3. How and why am I processing that data?

Identifying and classifying data is the first step toward answering these questions. After all, you can’t protect what you don’t know. Data governance can be the foundation to a long-term data strategy. It can enable an organization to understand the data it has, and agree on the definitions, rules, and policies that define data. Data governance provides a framework for managing and defining enterprisewide policies, business rules, and data assets to provide the necessary level of data protection and quality.

Assign Ownership

Ownership is critical to an effective data strategy, and a key aspect for GDPR compliance. Without clear ownership responsibilities and accountability for sharing data across an organization, the value of data will be unrealized. Data models, business terms—every bit of data—should be assigned to an individual or a team. Data governance can help establish ownership policies to enable business users to better protect, share, and improve data assets.

At a time when data continues to grow exponentially, it would be shortsighted to assume there is a fixed solution to controlling data. Upcoming regulatory deadlines, such as the GDPR, may force organizations into action, but developing a long-term data strategy should be considered a journey, not a one-and-done task. Data and infrastructures are constantly changing. New regulations will be introduced. The goal is to create a flexible data strategy that allows an organization to become more efficient with its data and become a truly data-driven culture.