As mentioned in previous Synergy posts, if your organization operates within the European Union (EU) or trades with the EU, the General Data Protection Regulation (GDPR) will affect your operations.
Only 6% of surveyed organizations say they are “completely prepared” ahead of the mandate’s May 25 effective date, according to the 2018 State of Data Governance Report.
17% of organizations believe GDPR does not affect them. These organizations are misguided, because any company in any industry is within GDPR’s reach. Even if only one EU citizen’s data is included within an organization’s database(s), compliance is mandatory.
So it’s important for organizations to understand exactly what they need to do before the deadline, and to understand the potential fines of up to €20 million or 4% of annual turnover, whichever is greater.
Personally Identifiable Information (PII)
According to the GDPR directive, personal data is any information related to a person such as: a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.
Personal data also comes in many forms and extends to the combination of different data elements that individually are not PII, but contribute to PII status when consolidated.
Active Consent, Data Processing and the Right to Be Forgotten
GDPR also strengthens the conditions for consent, which must be:
– clear and distinguishable from other matters,
– provided in an intelligible and easily accessible form,
– given using clear and plain language.
It must also be as easy to withdraw consent as it is to give it.
Data subjects also have the right to obtain confirmation as to whether their personal data is being processed, where and for what purpose. The data controller must provide a copy of the said personal data in an electronic format – free of charge. This change is a dramatic shift in data transparency and consumer empowerment.
The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Documenting Compliance and Data Breaches
GDPR also looks to curb data breaches that have become more extensive and frequent in recent years. Data’s value has skyrocketed, and data-driven businesses are major targets of cyber threats.
Organizations must document:
– what data they have,
– where it resides,
– the controls in place to protect it,
– the measures that will be taken to address mistakes/breaches.
In fact, data breach notification is mandatory within 72 hours if that breach is likely to “result in risk for the rights and freedoms of individuals.”
Data Governance and GDPR
Data governance and GDPR go hand in hand. A strong data governance program is critical to the data visibility and categorization needed for GDPR compliance. It also helps in assessing and prioritizing data risks, and makes verifying compliance with GDPR auditors easier.
Data governance enables an organization to discover, understand, govern and socialize its data assets – not just within IT but across the entire organization. It encompasses not only data’s current iteration but also its entire lineage and connections through the data ecosystem.
Understanding data lineage is absolutely necessary in the context of GDPR. Take the right to be forgotten, for example. Such compliance requires an organization to locate all of an individual’s PII and any information that can be cross-referenced with other data points to become PII.
With the right data governance approach and supporting technology, organizations can ensure GDPR compliance with their current, as-is architecture and data assets – and ensure new data sources and/or changes to the to-be architecture incorporate the appropriate controls.
Stakeholders across the enterprise need to be GDPR aware and enabled so that compliance is built in,