Categories
erwin Expert Blog

GDPR, Compliance Concerns Driving Data Governance Strategies

There are many factors driving data governance adoption, as revealed in erwin’s State of Data Governance Report. Over the coming weeks, we’ll be exploring them in detail, starting with regulatory compliance.

By Michael Pastore

Almost every organization views data governance as important, so why don’t they all have it in place?

Modern organizations run on data. Whether from sensors monitoring equipment on a factory floor or a customer’s purchasing history, data enters modern businesses from every angle, gets stored in any number of places, and is used by many different people and applications.

Data governance refers to the practices that help businesses understand where their data comes from, where it resides, how accurate it is, who or what can access it, and how it can be used. The idea of data governance is not new, but putting data governance into practice and reaping the benefits remains a struggle for many organizations.

According to our November 2017 survey with UBM, nearly all (98 percent) respondents said their organizations view data governance as either important or critically important from a business perspective. Despite this, 46 percent of respondents indicated their organizations recognize the value of data, but lack a formal governance strategy.

One of the significant obstacles to data governance for many organizations is the idea of ownership. In many businesses, it’s safe to say that the IT organization has ownership over the network, just as it’s easy to say that the business oversees payroll.

Data is a bit more complicated. The business side of the organization often analyzes the data, but it’s the IT organization that stores and protects it. This data division of labor often leaves data governance in a sort of no-man’s land, with each side expecting the other to pick up the torch.

The results of the erwin-UBM survey indicate that businesses are increasingly treating data governance as an enterprise-wide imperative. At 57 percent of respondents’ organizations, both IT and the business are responsible for data governance. Just 34 percent of the organizations put IT solely in charge.

Strong data governance initiatives will overcome the issue of ownership thanks in part to a new organizational structure that considers the importance of data. The emergence of the chief data officer (CDO) is one sign that businesses recognize the vital role of their data.

Many of the first generation of CDOs reported to the CIO. Now, you’re more likely to see the CDO at forward-thinking organizations sit on the business side, perhaps in the finance department, or even marketing, which is a huge consumer of data in many businesses. Under the CDO, it’s increasingly likely to find a data protection officer (DPO) tasked with overseeing how the business safeguards its information.

What's Driving Data Governance

Driving Data Governance: Compliance Is Leading Organizations to Data Governance

Now is a good time for businesses to re-think their data structure and governance initiatives. Data is central to organizations’ compliance, privacy and security initiatives because it has value — value to the business; value to the customer; and, like anything of value, value to criminals who want to get their hands on it.

The need to protect data and reduce risk is an important factor in driving data governance at many organizations. In fact, our survey found that regulatory compliance, cited by 60 percent of respondents, was the most popular factor driving data governance.

There’s an increased sense of urgency regarding data governance and compliance because of the European Union’s General Data Protection Regulation (GDPR), which goes into effect this month. According to our research, only 6 percent of respondents said their organization was “completely prepared” for the regulation.

Not only does the GDPR protect EU citizens at home, but it extends protections to EU citizens wherever they do business. It really goes much farther than any other legislation ever has.

The GDPR essentially gives rights to the people the data represents, so businesses must:

  • Minimize identifiability in data
  • Report data breaches within 72 hours
  • Give consumers the ability to dispute data and demand data portability
  • Understand the GDPR’s expanded definition of personally identifiable information (PII)
  • Extend to consumers the right to be “forgotten”

And much, much more.

The maximum fine for organizations in breach of the GDPR is up to 4 percent of annual global turnover or €20 million, whichever is greater. And because the GDPR will apply to anyone doing business with EU citizens, and the internet transcends international borders, it’s likely the GDPR will become the standard organizations around the world will need to rise to meet.

The GDPR is a hot topic right now, but it’s not the only data-security regulation organizations have to honor. In addition to Payment Card Industry (PCI) standards for payment processors, industry-specific regulations exist in such areas as financial services, healthcare and education.

This web of regulations brings us back to data governance. Simply put, it’s easier to protect data and mitigate a breach if your organization knows where the data comes from, where it is stored, and what it includes.

Businesses stand to gain a number of advantages by implementing strong data governance. Regulatory compliance is sure to get the attention of C-level executives, the legal team and the board, but it means very little to consumers – until there’s a breach.

With new breaches being reported on a seemingly daily basis, businesses that practice strong data governance can help build a competitive advantage by better protecting their data and gaining a reputation as an organization that can be trusted in a way that firms suffering from high-profile breaches cannot. In this way, data governance helps contribute directly to the bottom line.

Still, compliance is the No. 1 factor driving data governance initiatives for a reason.

Using data governance to drive upside growth is great, but not if you’re going to lose money in fines.

In our next post in this series, we’ll explore how your organization can use data governance to build trust with your customers.

 

Michael Pastore is the Director, Content Services at QuinStreet B2B Tech. This content originally appeared as a sponsored post on http://www.eweek.com/.

Learn more about how data governance can help with GDPR compliance by downloading the free white paper: GDPR and Your Business: A Call to Enhance Data Governance Expertise.

Data Governance and GDPR: GDPR and Your Business Whitepaper

Categories
erwin Expert Blog

GDPR guide: The role of the Data Protection Officer

Over the past few weeks we’ve been exploring aspects related to the new EU data protection law (GDPR) which will come into effect in 2018.

Categories
erwin Expert Blog

GDPR guide: Preparing for the new changes

By now many businesses would have already heard about the new General Data Protection Regulation legislation. But knowing is only half the battle. That’s why we’ve put together this GDPR guide. 

Categories
erwin Expert Blog

GDPR guide: Do you know about the change?

The countdown has begun to one of the biggest changes in data protection, but how much do you know about GDPR? In a series of articles throughout February we will explain the essential information you need to know and what you need to be doing now.

What is GDPR?

It stands for General Data Protection Regulation and it’s an EU legal framework which will apply to UK businesses from 25 May 2018. It’s a new set of legal requirements regarding data protection which adds new levels of accountability for companies, new requirements for documenting decisions and a new range of penalties if you don’t comply.

It’s designed to enable individuals to have better control of their own personal data.

While the law was ratified in 2016, countries have had a two-year implementation period which means businesses must be compliant by 2018.

Key points of GDPR

The changes to data protection will be substantial as will be the penalties for failure to comply. It introduces concepts such as the right to be forgotten and formalises data breach notifications.

GDPR will ensure a regularity across all EU countries which means that individuals can expect to be treated the same in every country across Europe.

How to comply

EU GDPR padlockFor processing personal data to be legal under GDPR businesses need to show that there is a legal basis as to why they require personal data and they need to document this reasoning.

GDPR states that personal data is any information that can be used to identify an individual. This means that, for the first time, it includes information such as genetic, mental, cultural, economic or social information.

To ensure valid consent is being given, businesses need to ensure simple language is used when asking for consent to collect personal data. Individuals must also have a clear understanding as to how the data will be used.

Furthermore, it is mandatory under the GDPR for businesses to employ a Data Protection Officer. This applies to public authorities and other companies where their core activities require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.

Data Protection Officers will also be required to complete Privacy Impact Assessment and give notification of a data breach within 72 hours.

The impact of Brexit

At this stage it is unknown how the UK exiting the European Union will affect GDPR. However, with Article 50 yet to be triggered – the exit from the European Union is still over two years away and as such the UK will still be part of the EU in 2018. This means that businesses must comply with GDPR when it comes into force.

Penalties for non-compliance

Penalties for failing to meet the requirements of GDPR could lead to fines of up to €20 million or 4% of the global annual turnover of the company for the previous year, whichever is higher. This high level of financial penalty could mean could have a serious impact on the future of a business.

Over the coming month, we will continue this series looking at how to get started preparing for GDPR now, why you need a Data Protection Officer and how GDPR will affect your international business.

Download the White Paper The Business Value of Data Modeling for Data Governance