Crossing the GDPR Data Delta
The blog post is from Jason Edge, Vice President Global Advisory, Entity Group. Jason specialises in Data Governance and Management and is skilled at working with executive stakeholders across an organisation to shape strategies and achieve their vision.
Recently at Entity Group we have been giving a lot of thought to how an initiative to ensure compliance with the General Data Protection Regulation (GDPR) should be considered as one part of an holistic Data Governance Strategy rather than as an isolated activity. Primarily, we see it as an opportunity for organisations acting in the role of Data Controllers and Data Processors to build trust with Data Subjects (the individuals whose data they hold) and become truly customer/citizen/employee centric. All too often organisations do not have that holistic, or even a piecemeal, data governance strategy in place and are, therefore, in no position to take advantage of opportunities afforded by GDPR or any other regulatory obligation. The truth is that data governance and information management strategies very often get ignored because they are difficult to articulate and seem even more difficult to execute. However, we believe they are achievable with the right assistance.
The factors we think you need to give thought to within a data management approach to GDPR are:
Adopt a practical, proven approach that will focus on delivering business value – a Roadmap
We believe that the gap between the data organisations have today, and the information or business advantage they want to have tomorrow, can be defined in terms of a ‘Data Delta’. For example, achieving digital transformation is often a huge headache because of this type of delta that exists within most organisations, and yet it must be bridged if companies are to truly embrace digitalisation and survive. GDPR compliance is a specific example of a Data Delta that needs to be crossed and it can be approached with tried and tested data management techniques. We have spent many years working with organisations of all sizes and sectors to help them to cross their own Data Deltas. This knowledge and experience has crystallised into our own method, described in our published book called “Crossing the Data Delta”. This is available from our website and provides a host of guidance on data management challenges, or you can come and talk to us directly. Whatever your interest in what today’s market is calling Data Science, it should have something for you. As a preview, it starts with these six Principles to bridge the delta:
- Data must be Governed and Owned
- There must be an agreed Description of the data
- Data Quality must be defined, measured and managed
- Principles of Access need to be established; the data lifecycle, storage, privacy and security
- How data is Used and Shared needs to be agreed; how systems are integrated
- Data which needs to be Controlled, and how and by whom, needs to be established, so that business applications can be successfully implemented
There is much more involved – too much to cover in this blog – but hopefully it is clear that these data management principles all apply directly to GDPR compliance and should be a vital part of your initiative in one way or another. There are also a number of other approaches out there – the point is not to spend time reinventing the wheel!
Know which questions to ask and what to do with the answers. For example, the GDPR area of Consent
- What Personal Data do I hold?
- Why do I hold this? (For which processing activities/purposes?)
- Do I have specific consent and have I registered any objections?
- How will I continue to monitor and action consents and objections?
- Am I upholding the rights of the data subject?
The ability to answer these questions is what we define as Consent Mastering. It means having a single version of the truth for all data related to an individual and the consent they have given to use it. For compliance purposes this must be continually updated and available to any approved consuming system. It is therefore a set of Master Data. Ironically, given that part of a GDPR compliance initiative is a data management activity, consent mastering does require organisations to identify, collect and hold even more data! Also, as with any other kind of mastering, this is an iterative process, not a one-off activity, and therefore it is not merely answered by a technology implementation. To truly address it, organisations will need to look at the three core areas of Process, People and Technology right across the organisational landscape. This is an integral part of having a defined strategy for information management and a strong grip on data governance.
Use a GDPR specific data model
No matter what your data management project is, a good, pre-defined data model can really get your project off to a flying start. For a GDPR initiative it could act as an accelerator you can use to map your organisation’s data, swiftly identify the data you might need for compliance and then connect that with the data you hold on individuals. We recommend looking at items such as how to uphold the rights of data subjects, i.e. Erasure, Inquiry, Objection, Portability, Restriction and Rectification. You’ll need to understand who has ownership of the data and who is responsible for maintaining it – these are essential data governance tasks even without the pressure of GDPR compliance. So speak to us about our GDPR data model – or find someone else’s – but again, don’t spend the short time you have left in analysing the GDPR documentation and attempting to build one from scratch.
Understand how a platform approach can help from a technology perspective
One of Entity’s specialisms within the Information Management space is the successful delivery of Master Data Management related projects. As such, we believe that the Consent Mastering aspect of GDPR is of particular interest to organisations wanting to demonstrate responsible handling of customer/employee/citizen data and build trusting, profitable customer relationships. Why? Well, because it links through and is complementary to so many aspects of the Customer 360° view that is the goal of many MDM implementations. MDM could be defined as enabling “you to join up information relating to the same thing (a particular customer, supplier, product etc) from across your organisation, so that you can get a single view of their interactions and transactions”. Consent is just one part of that 360° view that needs to be mastered. However, in the first instance you might be struggling to show who owns data in your organisation and how it flows around. (See the section above on Consent Mastering for the reasons why you might need to do this.) Equally, the ability to visualise this ownership and these flows can help to promote collaboration and buy-in, which are valuable in the process of building a business case for an enterprise MDM project. There are technologies available to help with that part of the process, and many other related technical capabilities can play a part in the process, such as Data Integration, Data Quality, Data Cataloguing, Data Security, Data Lakes – the list goes on. Therefore a platform approach from a technology perspective – where the individual components can be used stand-alone or as part of an integrated whole – can be an extremely useful one. An example of a platform for Data Governance is below.
So how to get started? You need an action plan – this is a topic that we’ll be covering in our forthcoming GDPR Consent Mastering white paper and our webinar (which you can register for here). We’d love to talk to you in more detail about GDPR or any of the unique data management challenges you face, and share some more of our experience with you to help you cross your own data delta. Whatever you decide to do, though, please take a broader data management approach so that dealing with GDPR compliance can be the beginning of a Data Governance journey for your organisation or an improvement to the one upon which you have already embarked. Safe Travels!
You can contact us at this link if you want to learn more.
Entity Group are data management experts and can support your business with the practical data management aspects of GDPR compliance. Any advice given or opinions expressed in this blog or any other Entity authored content should be read in that context and that context alone. Entity are not legal advisors and cannot advise on the compliance matters from a legal standpoint.