Tag: General Data Protection Regulation

Categories
erwin Expert Blog

Five Pillars of Data Governance Readiness: Organizational Support

It’s important that business leaders foster organizational support for their data governance efforts.

The clock is counting down to the May 25 effective date for the General Data Protection Regulation (GDPR). With the deadline just a stone’s throw away, organizations need to ensure they are data governance-ready.

We’re continuing our blog series on the Five Pillars of Data Governance (DG). Today, we’ll explore the second pillar of data governance, organizational support, and why it’s essential to ensuring DG success.

In the modern, data-driven business world, data is an organization’s most valuable asset, and successful organizations treat it as such. In this respect, we can see data governance as a form of asset maintenance.

Take a production line in a manufacturing facility, for example. Organizations understand that equipment maintenance is an important and on-going process. They require employees using the equipment to be properly trained, ensuring it is clean, safe and working accordingly with no misuse.

They do this because they know that maintenance can prevent, or at the very least postpone repair that can be costly and lead to lost revenue during downtime.

Organizational Support: Production Lines of Information

Data Governance: Organizational Support

Despite the intangible nature of data, the same ideas for maintaining physical assets can and should be applied. After all, data-driven businesses are essentially data production lines of information. Data is created and moved through the pipeline/organization, eventually driving revenue.

In that respect – as with machinery on a production line and those who use it – everybody that uses data should be involved in maintaining and governing it.

Poor data governance leads to similar problems as poor maintenance of a production line. If it’s not well-kept, the fallout can permeate throughout the whole business.

If a DG initiative is failing, data discovery becomes more difficult, slowing down data’s journey through the pipeline.

Inconsistencies in a business glossary lead to data units with poor or no context. This in turn leads to data units that the relevant users don’t know how to put together to create information worth using.

Additionally, and perhaps most damning, if an organization has poorly managed systems of permissions, the wrong people can access data. This could lead to unapproved changes, or in light of GDPR, serious fines – and ultimately diminished customer trust, falling stock prices and tarnished brands.

Facebook has provided a timely reminder of the importance of data governance and the potential scale of fallout should its importance be understated. Facebook’s lack of understanding as to how third-party vendors could use and were using its data landed them in hot PR water (to put it lightly).

Reports indicate 50 million users were affected, and although this is nowhere near the biggest leak in history (or even in recent history, see: Equifax), it’s proof that the reputational damage of a data breach is extensive. And with GDPR fast approaching, that cost will only escalate.

At the very least, organization’s need to demonstrate that they’ve taken the necessary steps to prevent such breaches. This requires understanding what data they currently have, where it is, and also how it may be used by any third parties with access. This is where data governance comes in, but for it to work, many organizations need a culture change.

A Change in Culture

Fostering organizational support for data governance might require a change in organizational culture.

This is especially apparent in organizations that have only adopted the Data Governance 1.0 approach in which DG is siloed from the wider organization and viewed as an “IT-problem.” Such an approach denies data governance initiatives the business contexts needed to function in a data-driven organization.

Data governance is based primarily on three bodies of knowledge: the data dictionary, business glossary and data usage catalog. For these three bodies of knowledge to be complete, they need input from the wider business.

In fact, countless past cases of failed DG implementations can be attributed to organizations lacking organizational support for data governance.

For example, leaving IT to document and assemble a business glossary naturally leads to inconsistencies. In this case, IT departments are tasked with creating a business glossary for terms they often aren’t aware of, don’t understand the context of, or don’t recognize the applications or implications for.

This approach preemptively dooms the initiative, ruling out the value-adding benefits of mature data governance initiatives from the onset.

In erwin’s 2018 State of Data Governance Report, it found that IT departments continue to foot the bill for data governance at 40% of organizations. Budget for data governance comes from the audit and compliance function at 20% of organizations, while the business covers the bill at just 8% of the companies surveyed.

To avoid the aforementioned pitfalls, business leaders need to instill a culture of data governance throughout the organization. This means viewing DG as a strategic initiative and investing in it with inherent organizational and financial support as an on-going practice.

To that end, organizations tend to overvalue the things that can be measured and undervalue the things that cannot. Most organizations want to quantify the value of data governance. As part of a culture shift, organizations should develop a business case for an enterprise data governance initiative that includes calculations for ROI.

By limiting its investment to departmental budgets, data governance must contend with other departmental priorities. As a long-term initiative, it often will lose out to short-term gains.

Of course, this means business leaders need to be heavily invested and involved in data governance themselves – a pillar of data governance readiness in its own right.

Ideally, organizations should implement a collaborative data governance solution to facilitate the organization-wide effort needed to make DG work.

Collaborative in the sense of enabling inter-departmental collaboration so the whole organization’s data assets can be accounted for, but also  in the sense that it works with the other tools that make data governance effective and sustainable – e.g., enterprise architecture, data modeling and business process.

We call this all-encompassing approach to DG an ‘enterprise data governance experience’ or ‘EDGE.’ It’s the Data Governance 2.0 approach, made to reflect how data can be used within the modern enterprise for greater control, context, collaboration and value creation.

To determine your organization’s current state of data governance readiness, take the erwin DG RediChek.

To learn more about the erwin EDGE, reserve your seat for this webinar.

Take the DG RediChek

Categories
erwin Expert Blog

Five Pillars of Data Governance Readiness: Initiative Sponsorship

“Facebook at the center of global reckoning on data governance.” This headline from a March 19 article in The Wall Street Journal sums up where we are. With only two months until the General Data Protection Regulation (GDPR) goes into effect, we’re going to see more headlines about improper data governance (DG) – leading to major fines and tarnished brands.

Since the news of the Facebook data scandal broke, the company’s stock has dropped and Nordea, the largest bank in the Nordic region, put a stop to Facebook investments for three months because “we see that the risks related to governance around data protection may have been severely compromised,” it said in a statement.

Last week, we began discussing the five pillars of data governance readiness to ensure the data management foundation is in place for mitigating risks, as well as accomplishing other organizational goals. There can be no doubt that data governance is central to an organization’s customer relationships, reputation and financial results.

So today, we’re going to explore the first pillar of DG readiness: initiative sponsorship. Without initiative sponsorship, organizations will struggle to obtain the funding, resources, support and alignment necessary for successful implementation and subsequent performance.

A Common Roadblock

Data governance isn’t a one-off project with a defined endpoint. It’s an on-going initiative that requires active engagement from executives and business leaders. But unfortunately, the 2018 State of Data Governance Report finds lack of executive support to be the most common roadblock to implementing DG.

This is historical baggage. Traditional DG has been an isolated program housed within IT, and thus, constrained within that department’s budget and resources. More significantly, managing DG solely within IT prevented those in the organization with the most knowledge of and investment in the data from participating in the process.

This silo created problems ranging from a lack of context in data cataloging to poor data quality and a sub-par understanding of the data’s associated risks. Data Governance 2.0 addresses these issues by opening data governance to the whole organization.

Its collaborative approach ensures that those with the most significant stake in an organization’s data are intrinsically involved in discovering, understanding, governing and socializing it to produce the desired outcomes. In this era of data-driven business, C-level executives and department leaders are key stakeholders.

But they must be able to trust it and then collaborate based on their role-specific insights to make informed decisions about strategy, identify new opportunities, address redundancies and improve processes.

So, it all comes back to modern data governance: the ability to understand critical enterprise data within a business context, track its physical existence and lineage, and maximize its value while ensuring quality and security.

Initiative Sponsorship: Encouraging Executive Involvement

This week’s headlines about Facebook have certainly gotten Mark Zuckerberg’s attention, as there are calls for the CEO to appear before the U.S. Congress and British Parliament to answer for his company’s data handling – or mishandling as it is alleged.

Public embarrassment, Federal Trade Commission and GDPR fines, erosion of customer trust/loyalty, revenue loss and company devaluation are real risks when it comes to poor data management and governance practices. Facebook may have just elevated your case for implementing DG 2.0 and involving your executives.

Initiative Sponsorship Data Governance GDPR

Business heads and their teams, after all, are the ones who have the knowledge about the data – what it is, what it means, who and what processes use it and why, and what rules and policies should apply to it. Without their perspective and participation in data governance, the enterprise’s ability to intelligently lock down risks and enable growth will be seriously compromised.

Appropriately implemented – with business data stakeholders driving alignment between DG and strategic enterprise goals and IT handling the technical mechanics of data management – the door opens to trusting data and using it effectively.

Also, a chief data officer (CDO) can serve as the bridge between IT and the business to remove silos in the drive toward DG and subsequent whole-of-business outcomes. He or she would be the ultimate sponsor, leading the charge for the necessary funding, resources, and support for a successful, ongoing initiative.

Initiative Sponsorship with an ‘EDGE’

Once key business leaders understand and buy into the vital role they play in a Data Governance 2.0 strategy, the work of building the infrastructure enabling the workforce and processes to support actively governing data assets and their alignment to the business begins.

To find it, map it, make sure it’s under control, and promote it to appropriate personnel requires a technology- and business-enabling platform that covers the entire data governance lifecycle across all data producer and consumer roles.

The erwin EDGE delivers an ‘enterprise data governance experience’ to unify critical DG domains, use role-appropriate interfaces to bring together stakeholders and processes to support a culture committed to acknowledging data as the mission-critical asset that it is, and orchestrate the key mechanisms that are required to discover, fully understand, actively govern and effectively socialize and align data to the business.

To assess your organizations current data governance readiness, take the erwin DG RediChek.

To learn more about the erwin EDGE, reserve your seat for this webinar.

Take the DG RediChek

Categories
erwin Expert Blog Data Governance

Data Governance & GDPR: How it Will Affect Your Business

If you’re a data professional, data governance and GDPR are likely at the top of your agenda right now.

Because if your organization exists within the European Union (EU) or trades with the EU, the General Data Protection Regulation (GDPR) will affect your operations.

Despite this fact, only 6% of organizations say they are “completely prepared” ahead of the mandate’s May 25 effective date, according to the 2018 State of Data Governance Report.

Perhaps some solace can be found in that 39% of those surveyed for the report indicate they are “somewhat prepared,” with 27% starting preparations.

But 11% indicate they are “not prepared at all,” and the most damning of revelations is that 17% of organizations believe GDPR does not affect them.

I’m afraid these folks and their organizations are misguided because any company in any industry is within GDPR’s reach. Even if only one EU citizen’s data is included within an organization’s database(s), compliance is mandatory.

So it’s important for organizations to understand exactly what they need to do before the deadline and the potential fines of up to €20 million or 4% of annual turnover, whichever is greater.

How Does GDPR Affect My Business

With the advent of any new regulation, it’s crucial that organizations know which elements of their organization are affected and what they need to do to stay compliant. Regarding the latter, the GDPR requires organizations to have a comprehensive and effective data governance strategy. In terms of the areas affected, organizations need to be aware of the following:

Personally Identifiable Information (PII)

GDPR introduces tighter regulations around the storage, management and transfer of PII. According to the GDPR, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

Personal data also comes in many forms and extends to the combination of different data elements that individually are not PII but contribute to PII status when consolidated.

Data governance allows organizations to more easily identify and classify PII and in turn, introduce appropriate measures to keep it safe.

Therefore, a good data governance solution should enable organizations to add and manage metadata – the data about data – regarding a unit of data’s sensitivity. It should also have strong data discoverability capabilities, and the ability to control access to data through user-based permissions.

Active Consent, Data Processing and the Right to Be Forgotten

GDPR also strengthens the conditions for consent, which must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​

Data subjects also have the right to obtain confirmation as to whether their personal data is being processed, where and for what purpose. The data controller must provide a copy of said personal data in an electronic format – free of charge. This change is a dramatic shift in data transparency and consumer empowerment.

The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

The information and processes required to address these restrictions can be found in the metadata and managed via metadata management tools – a key facet of data governance. Better management of such metadata is key to optimizing an organization’s data processing capabilities. Without such optimization, compliance with the GDPR-granted “right to be forgotten” can become too complex to effictively manage.

Gartner Magic Quadrant

Documenting Compliance and Data Breaches

GDPR also looks to curb data breaches that have become more extensive and frequent in recent years. Data’s value has sky-rocketed, making data-driven businesses targets of cyber threats.

Organizations must document what data they have, where it resides, the controls in place to protect it, and the measures that will be taken to address mistakes/breaches. In fact, data breach notification is mandatory within 72 hours if that breach is likely to “result in risk for the rights and freedoms of individuals.”

A comprehensive data governance strategy encompasses and enables the documentation process outlined above. However, a data governance strategy decreases the likelihood of such breaches occurring as it provides organizations with greater insight as to which data should be more closely guarded.

Data Governance and GDPR Compliance

Based on the results of the State of DG Report referenced at the beginning of this post, organizations aren’t as GDPR-ready as they should be. But there’s still time to act.

Data governance and GDPR go hand in hand. A strong data governance program is critical to the data visibility and categorization needed for GDPR compliance. And it will help in assessing and prioritizing data risks and enable easier verification of compliance with GDPR auditors.

Data governance enables an organization to discover, understand, govern and socialize its data assets – not just within IT but across the entire organization. Not only does it encompass data’s current iteration but also its entire lineage and connections through the data ecosystem.

Understanding data lineage is absolutely necessary in the context of GDPR. Take the right to be forgotten, for example. Such compliance requires an organization to locate all an individual’s PII and any information that can be cross-referenced with other data points to become PII.

With the right data governance approach and supporting technology, organizations can ensure GDPR compliance with their current, as-is architecture and data assets – and ensure new data sources and/or changes to the to-be architecture incorporate the appropriate controls.

Stakeholders across the enterprise need to be GDPR aware and enabled so that compliance is built in at a cultural level.

For more information about increasing your expertise in relation to data governance and GDPR, download our guide to managing GDPR with data governance.

Data Governance, GDPR and Your Business

Categories
erwin Expert Blog

State of DG: Shocking Number of Organizations Unprepared for GDPR, Is Yours?

The General Data Protection Regulation (GDPR) goes into effect in May, but a new study reveals that most organizations are overwhelmingly unprepared.

The State of Data Governance Report finds that only 6% of respondents consider themselves completely prepared for GDPR. That means a shocking 94% of the organizations surveyed are not ready for what is one of the most important data privacy and security regulations passed in recent years.

Failure to implement data governance (DG) to comply with GDPR will leave these organizations liable for fines of up to €20 million or 4% annual global turnover – whichever is greater.

But the news isn’t all bad; promising signs can be found. Although 46% of those surveyed indicate having “no formal strategy” in place for DG, 42% describe their data governance initiatives as a “work in progress.”

State of DG: Regulatory Compliance Driving Data Governance

Historically, data governance has left a lot to be desired. The value and ROI were insignificant to non-existent, and so executive buy-in and funding also has been low.

Business leaders usually left DG to their IT departments, but that created silos that cut off DG from it’s day to day “data owners” and “data stakeholders,” – in essence, everybody that uses data to drive business. With poor data discovery, lineage and context, data governance was largely abandoned or at least out of sight, out of mind.

Forty-two percent of the organizations participating in the State of DG Report survey indicate that lack of executive support is still a roadblock. But GDPR is spurring new interest in DG because companies must articulate what their data is, where it resides, what controls are in place to protect it, and the measures they will use to address mistakes/breaches.

An effective data governance initiative is critical for the data visibility and categorization needed to comply with GDPR. It also will help assess and prioritize data risks and enable easier verification of GDPR compliance to auditors.

Perhaps this is why 66% of those surveyed for the State of DG Report say understanding and governing enterprise assets has become more important or very important for their executives. And regulatory compliance is in fact the No. 1 driver for data governance.

State of DG: Implementing Data Governance for GDPR

It’s safe to say that organizations should be much further along with GDPR than they are.

The biggest challenge is to establish compliance with their current data architectures and then to build GDPR compliance into the processes for designing and deploying new data sources.

This requires visibility into the strategic roadmap and well-defined processes to govern new data deployments so that constant GDPR retrofits aren’t required.

Thankfully data governance has evolved from a siloed, IT-owned program primarily for data cataloging to support search and discovery. It has given way to proactive, enterprise-wide data governance to support regulatory compliance in addition to data-driven insights for achieving other organizational objectives.

Data Governance 2.0 understands that CTOs, CMOs and other C-level executives and business leaders across the enterprise are involved in data creation, management and use on a day-to-day basis. And GDPR compliance requires that all stakeholders be aware and empowered so that data governance is built in, and part of the culture.

By integrating data governance with enterprise architecture, business process and data modeling, you’ll have a GDPR compliance framework to:

  • Discover and harvest data assets
  • Classify data and create a GDPR inventory
  • Perform GDPR risk analysis
  • Define GDPR controls and standard operating procedures
  • Socialize and apply GDPR requirements across the organization
  • Implement GDPR controls into IT and business roadmaps for “compliance by design”
  • Prove compliance/respond to audits

Is your organization GDPR-ready?

Click here to get your State of DG Report to see how your organization compares to those we surveyed.

Of if you’d like to discuss how to improve your GDPR readiness with one of our solution specialists, click here.

State of DG: Get the full report

Categories
erwin Expert Blog

Data Governance 2.0 for Financial Services

The tempo of change for data-driven business is increasing, with the financial services industry under particular pressure. For banks, credit card, insurance, mortgage companies and the like, data governance must be done right.

Consumer trust is waning across the board, and after several high-profile data breaches, trust in the way in which organizations handle and process data is lower still.

Equifax suffered 2017’s largest breach and the fifth largest in history. The subsequent plummet in stock value should have sent a stark warning to other financial service organizations. As of November, the credit bureau reported $87.5 million in expenses following the breach, and the PR fallout plummeted profits by 27 percent.

But it could be said that Equifax was lucky. If the breach had occurred following the implementation of the General Data Protection Regulation (GDPR), it also would have been hit with hefty sanctions. Come May of 2018, fines for GDPR noncompliance will reach an upper limit of €20 million or 4 percent of annual turnover – whichever is greater.

Data governance’s purpose – knowing where your data is and who is accountable for it – is a critical factor in preventing such breaches. It’s also a prerequisite for compliance as organizations need to demonstrate they have taken reasonable precautions in governing.

Equifax’s situation clearly implies that financial services organizations need to review and improve their data governance. As a concept, data governance for regulatory compliance is widely understood. Such regulations were introduced a decade ago in response to the financial crisis.

However, data governance’s role goes far beyond just preventing data breaches and meeting compliance standards.

Data Governance 2.0 for Financial Services

Data governance has struggled to gain a foothold because the value-adds have been unclear and largely untested. After new regulations for DG were introduced for the financial services industry, most organizations didn’t bother implementing company-wide approaches, instead opting to leave it as an IT-managed program.

So IT was responsible for cataloging data elements to support search and discovery, yet they rarely knew which bits of data were related or important to the wider business. This resulted in poor data quality and completeness, and left data and its governance siloed so data-driven business was hard to do.

Now data-driven business is more common – truly data-driven business with data at the core of strategy. The precedent has been set thanks to Airbnb, Amazon and Uber being some of the first businesses to use data to turn their respective markets on their heads.

These businesses don’t just use data to target new customers, they use data to help dictate strategy, find new gaps in the market, and highlight areas for performance improvement.

With that in mind, there’s a lot the financial services industry can learn and apply. FinTech start-ups continue to shake up the sector, and although the financial services industry is a more difficult industry to topple, traditional financial organizations need to innovate to stay competitive.

Alongside compliance, the aforementioned purpose of DG – knowing where data is stored and who is accountable for it – is also a critical factor in fostering agility, squashing times to market, and improving overall business efficiency, especially in the financial services industry.

In fact, the biggest advantage of data governance for financial services is making quality and reliable data readily available to the right people, so the right decisions can be made faster. Good DG also helps these companies better capitalize on revenue opportunities, solve customer issues, and identify fraud while improving the standard for reporting on such data.

These benefits are especially important within financial services because their big decisions have big financial impacts. To make such decisions, they need to trust that the data they use is sound and efficiently traceable.

Such data accountability is paramount. To achieve it, organizations must move away from the old, ineffective Data Governance 1.0 approach to the collaborative, outcome-driven Data Governance 2.0.

This means introducing data governance to the wider business, not just leaving it to IT. It means line-of-business managers and C-level executives take leading roles in data governance. But most importantly, it means a more efficient approach to data-driven business for increased revenue. A BCG study implies that financial services could be leaving up to $30 billion on the table.

Although the temptation to just meet regulatory compliance might be strong, the financial services industry clearly has a lot to gain from taking the extra step. Therefore, new regulations don’t have to be seen as a burden but as a catalyst for greater, proactive and forward-thinking change.

For more best practices in business and IT alignment, and successfully implementing data governance, click here.

Data governance is everyone's business

Categories
erwin Expert Blog

Enterprise Architecture for GDPR Compliance

With the May 2018 deadline for the General Data Protection Regulation (GDPR) fast approaching, enterprise architecture (EA), should be high on the priority list for organizations that handle the personal data of citizens in any European Union state.

GDPR compliance requires an overview of why and how personal data is collected, stored, processed and accessed. It also extends to third-party access and determining – within reason – what internal or external threats exist.

Because of EA’s holistic view of an organization and its systems, enterprise architects are primed to take the lead.

Enterprise Architecture for GDPR

Enterprise architecture for GDPR: Data privacy by design

The fragmented nature of data regulation and the discrepancies in standards from country to country made GDPR inevitable. Those same discrepancies in standards make it very likely that come May 2018, your organization will be uncompliant if changes aren’t made now.

So, organizations have two issues to tackle: 1) the finding problem and 2) the filing problem.

First, organizations must understand where all the private, personal and sensitive data is within all their systems . This also includes all the systems within their respective value chains. Hence, the finding problem.

Second, organizations must address the filing problem, which pertains to how they process data. As well as being a prerequisite for GDPR compliance, tackling the filing problem is essentially a fix to ensure the original finding problem is never as much of a headache again.

Starting with business requirements (A) and working through to product application (B), organizations have to create an environment whereby data goes from A to B via integral checkpoints to maintain data privacy.

This ensures that through every instance of the application development lifecycle – analysis, design, development, implementation and evaluation – the organization has taken all the necessary steps to ensure GDPR standards are met.

Enterprise architecture provides the framework of data privacy by design. By understanding how your organization’s systems fit together, you’ll see where data is as it moves along the application development lifecycle.

Enterprise architecture for GDPR: The benefits of collaboration

Of course, one of the requirements of GDPR is that compliance and all the steps to it can be demonstrated. Dedicated EA tools have the capacity to model the relevant information.

A dedicated and collaborative enterprise architecture tool takes things to the next level by  simplifying the export and sharing of completed models.

But there’s more. Truly collaborative EA tools allow relevant stakeholders (department heads, line managers) directly involved in handling the data of interest to be involved in the modeling process itself. This leads to more accurate reporting, more reliable data, and faster turnaround, all of which have a positive effect on business efficiency and the bottom line.

Approaching GDPR compliance with enterprise architecture does more than complete a chore or tick a box.  It becomes an opportunity for constant business improvement.

In other words, organizations can use enterprise architecture for GDPR as a catalyst for deeper, proactive digital transformation.

erwin partner Sandhill Consultants has produced a three-part webinar series on Navigating the GDPR Waters.

The first webinar covers the identification and classification of personally identifiable information and sensitive information and technologies, such as enterprise architecture, that can assist in identifying and classifying this sort of data.

Click here to access this webinar.

erwin blog

Categories
erwin Expert Blog

GDPR guide: Preparing for the new changes

EA GDPR padlock

By now many businesses would have already heard about the new General Data Protection Regulation legislation. But knowing is only half the battle. That’s why we’ve put together this GDPR guide. 

Continue reading “GDPR guide: Preparing for the new changes”
Categories
erwin Expert Blog

GDPR guide: Do you know about the change?

The countdown has begun to one of the biggest changes in data protection, but how much do you know about GDPR? In a series of articles throughout February we will explain the essential information you need to know and what you need to be doing now.

What is GDPR?

It stands for General Data Protection Regulation and it’s an EU legal framework which will apply to UK businesses from 25 May 2018. It’s a new set of legal requirements regarding data protection which adds new levels of accountability for companies, new requirements for documenting decisions and a new range of penalties if you don’t comply.

It’s designed to enable individuals to have better control of their own personal data.

While the law was ratified in 2016, countries have had a two-year implementation period which means businesses must be compliant by 2018.

Key points of GDPR

The changes to data protection will be substantial as will be the penalties for failure to comply. It introduces concepts such as the right to be forgotten and formalises data breach notifications.

GDPR will ensure a regularity across all EU countries which means that individuals can expect to be treated the same in every country across Europe.

How to comply

EU GDPR padlockFor processing personal data to be legal under GDPR businesses need to show that there is a legal basis as to why they require personal data and they need to document this reasoning.

GDPR states that personal data is any information that can be used to identify an individual. This means that, for the first time, it includes information such as genetic, mental, cultural, economic or social information.

To ensure valid consent is being given, businesses need to ensure simple language is used when asking for consent to collect personal data. Individuals must also have a clear understanding as to how the data will be used.

Furthermore, it is mandatory under the GDPR for businesses to employ a Data Protection Officer. This applies to public authorities and other companies where their core activities require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.

Data Protection Officers will also be required to complete Privacy Impact Assessment and give notification of a data breach within 72 hours.

The impact of Brexit

At this stage it is unknown how the UK exiting the European Union will affect GDPR. However, with Article 50 yet to be triggered – the exit from the European Union is still over two years away and as such the UK will still be part of the EU in 2018. This means that businesses must comply with GDPR when it comes into force.

Penalties for non-compliance

Penalties for failing to meet the requirements of GDPR could lead to fines of up to €20 million or 4% of the global annual turnover of the company for the previous year, whichever is higher. This high level of financial penalty could mean could have a serious impact on the future of a business.

Over the coming month, we will continue this series looking at how to get started preparing for GDPR now, why you need a Data Protection Officer and how GDPR will affect your international business.

Download the White Paper The Business Value of Data Modeling for Data Governance