GDPR compliance in the age of Datafication
It was a great pleasure to have been asked to contribute to Profusion’s recently launched report – The Chief Data Officer, Today, Tomorrow, Always? Not to mention to have taken part in the excellent launch at the Gherkin (thanks to Profusion for the great coffee and breakfast which really help to kick-start the day!), or my having been quoted on the subject of the report in Information Age’s article ‘Capitalising on the data revolution: The need for CDOs is growing’ (it’s been a good week all-around).
It’s always very interesting to gain insights into the innovations that other data driven business leaders are spearheading, as well as to learn how they are overcoming some of the challenges they face. The new General Data Protection Regulation (GDPR) was, unsurprisingly, one of the most common of those challenges, both in terms of the significant difficulties it presents and the opportunities it creates.
Profusion’s report provides the reader with invaluable insights into the role of the Chief Data Officer, set against a backdrop of unprecedented levels of datafication and of data protection regulation. Whilst all of the themes which the report highlights are worthy of discussion, here are the ones I found most pertinent to what many of those within my network either do (or ought to be doing).
1. Data governance and agile working practices can be uneasy partners
Programme and project teams are often placed under immense pressure from businesses to deliver more with less, at pace. When effectively implemented, agile ways of working offer businesses the opportunity to rapidly realise tangible results. One of the key challenges is ensuring that the products delivered under agile regimes meet data governance best practices.
From experience, projects are all too often scoped, initiated and even delivered with data governance either not adequately considered, bolted on as an afterthought or, in the worst cases, not accounted for at all. This leaves projects, and by extension businesses, open to significant risks, notably the risk of failing to comply with data protection laws such as the GDPR.
Whilst these practices are not uncommon, businesses cannot afford to ignore the risks, particularly in light of the stiff sanctions they may face under the GDPR. Fines run to 4% of an organisation’s global annual turnover or €20 million, whichever is higher, for the most serious infringements, and to 2% of global annual turnover or €10 million for others, including failing to notify the supervisory authority of a breach. Data governance needs to be embraced as a core part of the scoping, design and implementation process.
Designing all systems, processes and technologies with privacy embedded from the outset (privacy by design) not only meets a mandatory requirement of the GDPR; it also helps to reduce, if not cut out, the bureaucracy and white noise that poorly led data governance processes generate.
A successful relationship between data governance and agile ways of working is entirely possible. As with all relationships, it requires open and constant lines of communication: in this case, between innovators within the business, project managers and governance, risk and compliance officers.
2. May 2018 will see the implementation of the General Data Protection Regulation (GDPR). As such we are surely approaching the very last chance to secure scarce resources for investment in compliance. Our research confirms what many surveys are telling us. Levels of awareness, let alone preparedness, remain alarmingly low across the economy.
It may not come as a surprise to many of you to hear that alarming numbers of organisations are well behind the curve in terms of being prepared for the GDPR. Many of the organisations that reach out to us for advice and support are only at the gap analysis stage. Very few have begun to implement the changes necessary to ensure compliance. As a result, many organisations face significant risks with just six months to go before data protection supervisory authorities such as the UK’s Information Commissioner’s Office (ICO) can begin to levy penalties for non-compliance.
Organisations that have already been following best practices, together with those that process low volumes of personal data or that do not process what the GDPR describes as ‘special category data’ (e.g. health data, genetic data, biometric data used to identify individuals, and information about racial or ethnic origin, religious beliefs, political opinions, trade union membership or sexual orientation), may just about be able to make the necessary changes in time. Conversely, organisations that process high volumes of personal data and/or ‘special category data’ are likely to have a lot to do between now and 25th May 2018.
One of the key challenges for organisations that have left it too late in the day is finding the right person or people to help them implement their GDPR compliance programme. Many contractors and consultancy firms have already started to capitalise on the rapid growth in demand for their services. Our research suggests that some contractors and consultancy firms are charging double, and in some cases four times, what they were charging 6-12 months ago – a case of jumping on the GDPR bandwagon, perhaps!
The GDPR also makes it mandatory for public authorities, and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data, to formally appoint a Data Protection Officer. Demand for such subject matter experts therefore exceeds what the market has to offer, leaving organisations either to train their own staff or, in some cases, to pay premium prices for external support.
3. Critical to success will be the ability to identify which data streams are most important to an organisation; in doing so we move from a ‘Big Data mindset’ to a ‘smart data focus’. The objective being to get the right data to the right people at the right time and in the right way, and that requires a fit for purpose data architecture able to effectively combine data-in-motion with data-at-rest.
An obsession with ‘Big Data’ coupled with poor information management practices can lead to organisations amassing vast quantities of unnecessary data. Organisations therefore need a clear strategy for ensuring that the data they collect, process and store will actually provide them with the deep and meaningful insights they need to develop and maintain competitive advantages.
Not only can the ‘Big Data mindset’ result in unruly datasets (which can be costly to store and secure), it can land organisations in hot water with the likes of the ICO. We frequently encounter organisations that either collect or seek to collect data just in case it might be useful at some unknown future point in time. Such practices are often unlawful under the existing data protection regime, let alone under the GDPR, whose purpose limitation and data minimisation principles require that personal data be collected for specified purposes and be limited to what is necessary for those purposes.
One of the clear benefits of the GDPR is that it will force such organisations to focus on the necessity of the data they process. By mapping all personal data at rest and in transit in preparation for GDPR compliance, organisations are likely to discover all sorts of pockets (and sometimes great big pools) of data which they have no lawful basis for processing.
To achieve compliant outcomes, Chief Data Officers (or their equivalent) need to work closely with Data Protection Officers to ensure that data strategies and architectures take account of GDPR compliance, so that the resulting datasets are not only ‘smart’ but also private and secure by design and by default.
Download your free copy of Profusion’s report – The Chief Data Officer, Today, Tomorrow, Always?
Michael Abtar – IG Smart Ltd Founder & CEO