The GDPR is both a challenge and an opportunity. Like so many things, everything depends on how you look at it. There is certainly a challenge to put in place the required policies and procedures to respond to subject access requests or to be able to implement the right to be forgotten. It consumes time and resources, and after you have completed the implementation phase, a badly designed response has an ongoing cost in time and bureaucracy, placing a drag on future initiatives.
For those of us who have been trying to implement data governance for many years, it has highlighted all the problems that arise from a lack of governance. These include some well-known issues, such as not knowing the level of errors in your data and seeing correspondence sent astray, losing financial transactions, and so on. There are also some that have been ignored for years, of which I think the biggest is a failure to implement archiving and retention and disposal policies.
On the argument that storage is getting cheaper, and the more recent squirrel response of keeping every data record to feed the big data machine, we have retained and stored vast reams of old, inaccurate, and downright wrong data. The knock-on effects include being unable to count your customers (embarrassing at Group-reporting level), duplicates throughout the database, and the risk of data breaches taking data you don’t know you have.
So the opportunity of the GDPR is to put in place these checks and controls that manage your data assets in the same way you protect physical assets, intellectual property, and the welfare of your workforce.
We find it difficult to quantify the value of these assets, as there are no accounting standards for data assets. We can be more confident that the maximum fine from the Information Commissioner is 4% of turnover. The true value to the company can be assumed to be significant, given how much effort goes into backing up and disaster recovery activities. The idea of losing your data is unthinkable.
Data governance implements a logical set of controls:
- Hold a complete data record, which means one that has enough metadata to manage it, including status values, dates of changes and ownership.
- Identify where the data originates and manage the inputs to increase accuracy and completeness.
- Know where you master the data, and redesign until you have a single point of truth.
- Maintain the data and update it in line with the real world as things change.
- Have a process to identify and remove data that is no longer needed. This can include processes to create anonymized historical data sets or data lakes with no personal information.
- Finally, build the GDPR compliance processes in a way that is well governed, streamlined, has minimum impact, and is documented and demonstrable.
The GDPR is here because, as a society, we decided that we wanted to protect individuals by clearly defining what is allowed regarding personal data. This is fundamentally important to us all. Now that it is obligatory, we have the choice between ticking the boxes and applying another layer of forms and bureaucracy, or seizing the opportunity to clean up and clear out our badly maintained data and insist on better data governance. The payback will be better reporting, better quality insights, and confidence that we are staying legal. Remember why we do this.
Authored by: Patricia Evans