Are you ready for the General Data Protection Regulation (GDPR)? If your organization collects personal data on citizens or residents of the European Union, then most likely you will be required to comply with the Regulation by May 25th. The GDPR intends to strengthen data protection rights for all European Union citizens and residents, as well as the security requirements for organizations that collect and process their personal data. The penalties for non-compliance can be severe - up to 4% of your organization’s prior year annual turnover, or 20,000,000 EUR, whichever is greater.
It should be the expressly stated strategic goal of every organization to limit exposure to regulatory penalties. This translates into a number of high level strategic actions or initiatives, one of which should be to comply with the requirements of the GDPR.
The GDPR imposes a number of requirements necessary for compliance. One of these, article 5, mandates that “Personal data shall be...accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy').”
To comply with this article, it should be established as an organizational policy - a principle that guides actions by people and systems with respect to personal data collected and maintained by your organization. The GDPR will likely create a number of new policies for data within your organization, each of which are linked to the initiative of complying with its requirements, which in turn is linked to the broader strategic goal of limiting exposure to regulatory penalties.
Our example policy is broadly defined, and is enforced by a number of concrete tactical actions or rules that constrain and shape personal data. For example, a potential rule might mandate that any address field within data objects that contain personal data - such as customers and employees - cannot be blank, otherwise the personal data is not accurate. Personal data is surely siloed within many different business systems and data stores within your organization, and these rules must be enforced across all of them so that you maintain compliance with the GDPR.
We have just provided an example that illustrates how a strategic organizational goal is linked to specific data objects. In reverse, you are able to see the impact that a single data object has on strategic goals. Think it as a tree whereby a strategic goal spawns a number of initiatives, which creates several policies, which define many different concrete rules, which in turn shape and use specific data objects.
Unfortunately, most organizations aren’t able to create a view like this because they don’t possess a single platform within which they can define, communicate, connect, and enforce the organizational elements that shape how data is defined and used across business systems and processes. This makes it difficult to ensure that activities in data are aligned with strategic goals. For example, the GDPR mandates than an organization can be called upon at any time to demonstrate compliance. Without a singular view that shows how an organization is enforcing the requirements of the Regulation, the cost and effort to demonstrate compliance is greatly increased.
The Information Governance Cloud (IGC) from BackOffice Associates provides this single platform where you can create a whole business view of data - not just a technical view. It recognizes that data is a business asset that can impact your business strategy. Therefore it captures your strategic goals and initiatives, and links them to the policies, rules, systems, processes and data that are aligned with them. So for example, you can define GDPR compliance as an initiative within IGC, and connect it to a business goal of limiting exposure to regulatory penalties.
The linkage to related policies and rules is easily seen in IGC - you can view any policy and see all of the initiatives it is aligned with, and all of the rules that enforce it.
IGC orchestrates the enforcement of rules across any system, process or stewardship platform - including the Data Stewardship Platform from BackOffice Associates. You can express a rule one time, and verify that it is being enforced everywhere in your organization.
Everything defined in IGC, including metadata, is expressed using natural language and business terminology defined within an embedded business glossary. So for example, you can clearly define what the term “personal data” means so that everyone understands it; and can see how it is connected to the goal of GDPR compliance and the specific data objects that contain personal data.
IGC empowers your growing number of data contributors share their knowledge to better policies, rules, and data - in effect, crowdsourcing the best ideas from your organization to improve the impact that data has on your business strategy.
But your data landscape is vast, complex, and changes rapidly. Your organization has lots of data and systems, and thus will have a large number of policies and rules. It’s hard for any group of humans to stay on top of it all and ensure everything is defined, connected together, and enforced. So IGC includes Deep Guidance(™) - a digital consultant that combines machine learning, natural language processing, and embedded data expertise - to continuously scan everything you define in IGC and suggests improvements. So for example, if you have a rule that isn’t related to a policy, or a policy that isn’t aligned to an element of your strategy, or potential business term that doesn’t have a definition - Deep Guidance(™) highlights it for you and suggests appropriate changes. Deep Guidance learns from everything you do in IGC - working side-by-side with you to guide you to better oversight and usage of data.
From top to bottom and bottom top, connecting your strategic goals - including GDPR compliance - with your data is made easier with the Information Governance Cloud.
Learn more about Information Governance with our complimentary eBook: “The Need for Sustainable Information Governance”
About the AuthorMore Content by Kevin Larsen