GDPR Compliance Journey to Date

Drivers of Popular Entry Points

May 2018 is edging ever closer and with it the enforcement of the GDPR. Informatica has identified four entry points that organizations can use to begin their compliance journey. These entry points have stood up well over the last 12 months. Most organizations I speak to agree with them, and we have not needed to add or remove entry points to remain relevant. These entry points are best understood with simple questions:

[Image: GDPR entry points]

GDPR Compliance Journey to Date

To date, most organizations have made significant progress on their compliance journey. At a minimum, they would have consulted with their own legal counsel, and developed a strategy to ensure they meet their obligations in this principles-based regulation. As organizations progress from understanding their obligations, through compliance strategy definition, to implementation of new processes and technologies, clear patterns are emerging in terms of which entry points are the most popular.

Based on my direct experience, and the conversations I have had with colleagues and partners, entry points 1 and 2 on the image above are proving most popular. Given we are still in the early stages of GDPR, this is completely understandable as organizations must first understand what personal data they collect, store and process before they can protect it or manage it.

This doesn’t mean the other entry points are less applicable, or will deliver less value in the long term. I have summarised my experience for the reasons behind the popularity for each entry point below.

Entry Point 1: Data Governance

Popularity as initial entry point: High

Reasoning behind popularity:

  • Popular with organizations whose current understanding, documentation and management of their data is poor. (This covers personal data and non-personal data)
  • Coincides with many organizations’ digital transformations, which require data agility driven by data governance.

Long term value delivered: Faster compliance reporting; Drives data as an asset to enable data agility supporting faster data science and business transformation

Entry Point 2: Sensitive Data Discovery and Risk

Popularity as initial entry point: High

Reasoning behind popularity:

  • Popular with organisations that have large numbers of IT systems, and/or have a very dynamic IT environment.
  • These organizations have difficulty identifying at-risk data stores, and ranking their relative risk in an objective manner.
  • Desire to understand ‘normal’ patterns of usage of personal data, for rapid identification of potential breaches.

Long term value delivered: Faster data discovery for other data management policies; Supports breach prevention initiatives.

Entry Point 3: Consent Mastering and Enacting Rights

Popularity as initial entry point: Medium

Reasoning behind popularity:

  • Popular amongst organizations that have a strong focus on customer experience management and have multiple touch-points for these customers.
  • Lower priority in organizations that acknowledge that consent management is important but believe that current solutions are sufficient for now. (Consents are managed locally at business process/system level)
  • Priority is reduced overall as few people believe that many data subjects will enact their rights.

Long term value delivered: Faster delivery of customer centricity and digital transformation programmes; Data superset for market purposes; Consistency in application of consents for all systems, processes and domains.

Entry Point 4: Archiving and Anonymisation

Popularity as initial entry point: Low

Reasoning behind popularity:

  • Selected by organizations who have a clear understanding of the data they manage and have made good progress in introducing data governance. These organizations are looking to the next step of data protection.
  • Organizations first need to understand the complete set of personal data they have and the relative risk of breach for each data store before implementing masking or archiving technologies.
  • A small number of organizations believe that they are not an attractive target for hackers or other data thieves and therefore don’t require this technology.

Long term value delivered: Faster and more secure application testing; Reduce costs through data minimisation

Assessment – understanding the drivers of relative popularity

The relative popularity of the four entry points is not surprising and is based on sensible assessment of current capabilities and potential risks.

Given that many organizations are starting from a low base of data governance, the two highest priorities – data governance and sensitive data discovery – are excellent starting points. Data governance in particular has its popularity driven by pent-up demand. This set of practices, processes and technologies have long been acknowledged to deliver value, but struggled for funding. The GDPR has given a huge boost to these projects and organizations are set to reap benefits from improved data governance beyond GDPR compliance.

I do have a concern around the justifications for lowering priorities for consent and data subject rights management. Given the low interest data subjects currently have in engaging about the use of their personal data, even a 10-fold increase in interest will not trouble many organisations. However, it is naive to think that this low level of interest will continue indefinitely. It is hard to project the change in data subjects’ engagement over their personal data from current levels to a future state once individuals are better acquainted with their rights. We also cannot rule out third parties representing data subjects’ interests forming collectives to exercise rights or challenge consents. Data subject rights and consents should be an area organizations monitor continuously, ready to adapt as data subjects mature in their understanding of their rights and their engagement around personal data.

My largest concern is for the tiny minority of people and organizations who declare that they are not targets for data theft or hacking. Prioritising other entry points to understand your need for archiving and/or masking is a sensible approach. However, organizations should not dismiss these ‘last lines of defence’ out of hand, just because their industry or geographic region has not yet been a target.

In summary – I have seen that most organizations have already started their compliance journey. The entry points Informatica has identified are being compared to individual data governance maturity and internal GDPR priorities. Whilst data governance and sensitive data discovery are more in demand now, this should be set to change beyond May 2018. As the obligations of GDPR become clearer through testing in courts of law and data subjects engage more fully to actively manage their personal data, we may see a rise of interest in the other entry points.
