
Data Governance & GDPR: How it Will Affect Your Business

If you’re a data professional, data governance and GDPR are likely at the top of your agenda right now.

Because if your organization is based in the European Union (EU) or handles the personal data of people in the EU, the General Data Protection Regulation (GDPR) affects your operations.

Despite this fact, only 6% of organizations say they are “completely prepared” ahead of the mandate’s May 25, 2018 effective date, according to the 2018 State of Data Governance Report.

Perhaps some solace can be found in that 39% of those surveyed for the report indicate they are “somewhat prepared,” with 27% starting preparations.

But 11% indicate they are “not prepared at all,” and the most damning of revelations is that 17% of organizations believe GDPR does not affect them.

I’m afraid these folks and their organizations are misguided, because GDPR’s reach is defined by the data, not by the industry or the company’s location (Article 3). If an organization’s database(s) hold the personal data of even one person in the EU, compliance is mandatory.

So it’s important for organizations to understand exactly what they need to do before the deadline, and what is at stake: administrative fines of up to €20 million or 4% of annual global turnover, whichever is greater.

How Does GDPR Affect My Business

With the advent of any new regulation, it’s crucial that organizations know which parts of the business are affected and what they need to do to stay compliant. Regarding the latter, GDPR never uses the words “data governance,” but its accountability principle (Article 5(2)) and its requirement to keep records of processing activities (Article 30) amount to the same thing: an organization must be able to show what personal data it holds, why, where, and under what controls. In terms of the areas affected, organizations need to be aware of the following:

Personally Identifiable Information (PII)

GDPR introduces tighter rules around the storage, management and transfer of PII, although the regulation itself uses the broader term “personal data”: any information relating to an identified or identifiable natural person (Article 4(1)). That includes the obvious (a name, a photo, an email address, bank details) as well as social-network posts, location data, medical information and online identifiers such as a device’s IP address (Recital 30).

Personal data also comes in many forms and extends to combinations of data elements that are not identifying on their own (quasi-identifiers such as postcode, date of birth and gender) but single out an individual once they are consolidated in one record or joined across tables.

Data governance allows organizations to more easily identify and classify PII and in turn, introduce appropriate measures to keep it safe.

Therefore, a good data governance solution should enable organizations to add and manage metadata – the data about data – recording each data element’s sensitivity classification. It should also have strong data discoverability capabilities and the ability to control access to data through role- or user-based permissions, so that the classification actually drives who can see what.

Active Consent, Data Processing and the Right to Be Forgotten

GDPR also strengthens the conditions for consent, which must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Data subjects also have the right to obtain confirmation as to whether their personal data is being processed, where and for what purpose (the right of access, Article 15). The data controller must provide a copy of that personal data in a commonly used electronic format, and the first copy must be free of charge. This is a dramatic shift in data transparency and consumer empowerment.

The right to be forgotten (the right to erasure, Article 17) entitles the data subject to have the data controller erase his/her personal data and cease further dissemination of it. Where the controller has made the data public or passed it to other controllers or processors, it must also take reasonable steps to inform those third parties so they halt processing and erase their copies.

Answering any of these requests depends on metadata: which systems hold a given subject’s data, which columns identify a person, where copies and derived datasets live, and who has access. Managing that metadata is a key facet of data governance. Without it, honoring the “right to be forgotten” turns into a manual hunt across systems that becomes too complex to manage effectively, and any copy that is missed is a compliance failure.


Documenting Compliance and Data Breaches

GDPR also looks to curb data breaches that have become more extensive and frequent in recent years. Data’s value has sky-rocketed, making data-driven businesses targets of cyber threats.

Organizations must document what personal data they have, where it resides, the controls in place to protect it, and the measures that will be taken to address mistakes/breaches. Breach notification to the supervisory authority is mandatory within 72 hours of becoming aware of a breach, unless the breach is unlikely to “result in a risk to the rights and freedoms of natural persons” (Article 33); where the risk is high, affected individuals must also be informed without undue delay (Article 34).

A comprehensive data governance strategy encompasses and enables the documentation process outlined above. It also decreases the likelihood of such breaches occurring, because it gives organizations clear insight into which data is sensitive and therefore must be more closely guarded.

Data Governance and GDPR Compliance

Based on the results of the State of DG Report referenced at the beginning of this post, organizations aren’t as GDPR-ready as they should be. But there’s still time to act.

Data governance and GDPR go hand in hand. A strong data governance program is critical to the data visibility and categorization needed for GDPR compliance. It will also help in assessing and prioritizing data risks, and it makes it easier to demonstrate compliance to auditors and supervisory authorities.

Data governance enables an organization to discover, understand, govern and socialize its data assets – not just within IT but across the entire organization. Not only does it encompass data’s current iteration but also its entire lineage and connections through the data ecosystem.

Understanding data lineage is absolutely necessary in the context of GDPR. Take the right to be forgotten, for example. Complying requires an organization to locate all of an individual’s personal data – not just the source record, but every downstream copy, extract and derived dataset, including those handed to third parties – plus any data that can be cross-referenced with other data points to identify that person.
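As an added illustration of the two points above – sensitivity metadata that flags quasi-identifier combinations, and lineage traversal to scope an erasure request – here is a toy metadata catalog in Python. This is example code written for this page, not erwin’s product or API; every dataset name, column, sensitivity tag, lineage edge and the three-quasi-identifier threshold are constructed assumptions, and “vendor.” is an assumed naming convention for datasets shared with third parties.

```python
"""Toy data catalog with sensitivity tags, lineage and an erasure-scope query.

Added example, not part of the original post. All datasets, columns,
lineage edges and thresholds are constructed for illustration.
"""
from collections import deque

# Sensitivity tags (hypothetical classification scheme).
DIRECT = "direct_identifier"   # identifies a person on its own
QUASI = "quasi_identifier"     # identifies a person only in combination
NONE = "none"

# Constructed catalog: dataset -> {column: sensitivity}.
CATALOG = {
    "crm.customers": {"customer_id": DIRECT, "email": DIRECT, "name": DIRECT,
                      "postcode": QUASI, "dob": QUASI},
    "analytics.sessions": {"customer_id": DIRECT, "ip_address": DIRECT, "page": NONE},
    "marketing.segments": {"postcode": QUASI, "dob": QUASI, "gender": QUASI,
                           "segment": NONE},
    "finance.revenue_by_region": {"region": NONE, "revenue": NONE},
    "vendor.mailhouse_export": {"email": DIRECT, "name": DIRECT},
}

# Constructed lineage: source dataset -> datasets derived from it.
LINEAGE = {
    "crm.customers": ["marketing.segments", "finance.revenue_by_region",
                      "vendor.mailhouse_export"],
    "analytics.sessions": ["marketing.segments"],
    "marketing.segments": ["finance.revenue_by_region"],
}

# Assumption: this many co-located quasi-identifiers is treated as identifying.
QUASI_THRESHOLD = 3


def classify_dataset(name):
    """Return 'personal_data' if the dataset holds a direct identifier or
    enough quasi-identifiers to single out a person, else 'not_personal_data'."""
    cols = CATALOG[name]
    if any(tag == DIRECT for tag in cols.values()):
        return "personal_data"
    quasi = [c for c, tag in cols.items() if tag == QUASI]
    if len(quasi) >= QUASI_THRESHOLD:
        return "personal_data"   # re-identifiable through the combination
    return "not_personal_data"


def downstream(source):
    """Breadth-first walk of the lineage graph: every dataset derived,
    directly or transitively, from `source`."""
    seen, queue = set(), deque([source])
    while queue:
        node = queue.popleft()
        for child in LINEAGE.get(node, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def erasure_scope(subject_sources):
    """Given the datasets where a subject's record originates, return
    (must_erase, aggregate_only): datasets that hold personal data and must
    be acted on, and derived datasets that hold none."""
    candidates = set(subject_sources)
    for src in subject_sources:
        candidates |= downstream(src)
    must_erase = sorted(d for d in candidates if classify_dataset(d) == "personal_data")
    aggregate_only = sorted(d for d in candidates if classify_dataset(d) != "personal_data")
    return must_erase, aggregate_only


def third_parties(datasets):
    """Datasets in scope that live with an external recipient and therefore
    need an Article 17(2)-style notification (assumed 'vendor.' convention)."""
    return sorted(d for d in datasets if d.startswith("vendor."))


if __name__ == "__main__":
    erase, skip = erasure_scope(["crm.customers"])
    print("erase:", erase)
    print("aggregate only:", skip)
    print("notify third parties:", third_parties(erase))
```

Note that marketing.segments contains no direct identifier, yet it lands in the erasure scope because three quasi-identifiers sit together in one table; a catalog that only tagged names and emails would miss it. Likewise finance.revenue_by_region is reached through lineage but dropped from the action list because it carries only aggregates, which is exactly the distinction a governance tool needs to make automatically rather than per request.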

With the right data governance approach and supporting technology, organizations can ensure GDPR compliance with their current, as-is architecture and data assets – and ensure new data sources and/or changes to the to-be architecture incorporate the appropriate controls.

Stakeholders across the enterprise need to be GDPR aware and enabled so that compliance is built in at a cultural level.

For more information about increasing your expertise in relation to data governance and GDPR, download our guide to managing GDPR with data governance.



Understanding and Justifying Data Governance 2.0

In the past, justifying data governance was notoriously difficult. The siloed nature of Data Governance 1.0, and its lack of focus on adding value meant buy-in was low.

While housing data governance (DG) within IT might have made sense in its early stage, both data and data governance have evolved.

Today, we generate a staggering 2.5 quintillion bytes of data per day. With growing regulatory demands and the opportunities of infonomics, data search and discovery from an IT silo aren’t enough.

Data governance as a practice, and the solutions that power it, must be part of an organization’s culture to ensure the people and departments that use data are involved in its discovery, understanding, governance and socialization for peak performance.

So, how do you go about justifying data governance as an enterprise-wide initiative?

Justifying Data Governance – The Roadblocks

First, we must look at the shortcomings of the Data Governance 1.0 approach that are clearly reflected in the 2018 State of Data Governance Report. The lack of executive support is cited as the most common roadblock to implementing data governance at 42%, with a lack of organizational support closely following at 39%.

For data-driven enterprises, executives arguably have the biggest stake in improving DG practices. Decisions surrounding strategic direction – e.g., emerging markets to target, insights into operational efficiency, performance of marketing campaigns – are best made with accurate data.

By implementing a sound data governance initiative, data availability and context improves so employees – from executives to the front line – can make better and faster decisions. Additionally, decisions will be made with more confidence, knowing the data can be trusted. As a result, there will be fewer risks, false starts and wasted budgets on projects doomed to fail because they were based on faulty premises.

The State of DG Report also found a lack of effective tools to be another roadblock to successfully implementing data governance. This is no surprise, because legacy DG tools weren’t built with collaboration in mind.

As mentioned, the data produced by modern society – and business – is staggering, and it permeates the whole business. Furthermore, data regulations such as GDPR demand that organizations understand their data lineage and be able to show who has access to what.

Governing massive volumes of data and being able to demonstrate its lineage from department to department and employee to employee fundamentally requires a collaborative approach.

Another area in which Data Governance 1.0 fell short was in articulating a business case. Of the organizations surveyed for the State of DG Report, 27% cite this as a roadblock to successful data governance.

Those frustrations are understandable, as DG 1.0 wasn’t conceived for proactively adding value. But DG 2.0 has opened significant opportunities for organizations to add value, so data governance is easier to justify as a means of identifying and implementing new ideas and improvements more quickly.

For example, financial services companies stand to generate $30 billion in extra revenue through better governance of their data.

Justifying Data Governance – A New Direction

Data Governance 2.0 ploughs through the roadblocks associated with old-school DG.

It takes an enterprise-wide approach to ensure data governance really works, meaning “data owners” and “data stakeholders” are involved in the cataloging process. Everyone benefits from having access to data in context to their roles with a better grasp of its history and lineage.

Of course, regulatory compliance is the main driver for revisiting or implementing a DG initiative. However, the benefits of data governance go well beyond GDPR compliance. Better data quality, context and lineage lead to greater customer satisfaction, improved decision-making and the ability to maintain or even enhance an organization’s reputation – all mentioned as reasons to implement DG in the State of DG Report.

Indeed, understanding and governing enterprise assets has become more important to the C-suite. And DG 2.0 presupposes that CTOs, in addition to CFOs, CMOs and other business executives, are involved in data management on a day-to-day basis. Therefore, they have to be part of the initiative and enabled to share information for agile innovation and business transformation.

It’s clear this new, proactive take on data governance is catching on. The hyper-competitive nature of data-driven business demands it – with or without the threat of GDPR penalties. Organizations reluctant or slow to adopt Data Governance 2.0 will be left behind.

To get the full State of DG Report, including survey results and insights, click here.



State of DG: Shocking Number of Organizations Unprepared for GDPR, Is Yours?

The General Data Protection Regulation (GDPR) goes into effect in May, but a new study reveals that most organizations are overwhelmingly unprepared.

The State of Data Governance Report finds that only 6% of respondents consider themselves completely prepared for GDPR. That means a shocking 94% of the organizations surveyed are not ready for what is one of the most important data privacy and security regulations passed in recent years.

Without the data governance (DG) needed to meet GDPR’s requirements, these organizations risk non-compliance and with it fines of up to €20 million or 4% of annual global turnover – whichever is greater.

But the news isn’t all bad; promising signs can be found. Although 46% of those surveyed indicate having “no formal strategy” in place for DG, 42% describe their data governance initiatives as a “work in progress.”

State of DG: Regulatory Compliance Driving Data Governance

Historically, data governance has left a lot to be desired. The value and ROI were insignificant to non-existent, and so executive buy-in and funding also has been low.

Business leaders usually left DG to their IT departments, but that created silos that cut off DG from its day-to-day “data owners” and “data stakeholders” – in essence, everybody who uses data to drive business. With poor data discovery, lineage and context, data governance was largely abandoned, or at least out of sight, out of mind.

Forty-two percent of the organizations participating in the State of DG Report survey indicate that lack of executive support is still a roadblock. But GDPR is spurring new interest in DG because companies must articulate what their data is, where it resides, what controls are in place to protect it, and the measures they will use to address mistakes/breaches.

An effective data governance initiative is critical for the data visibility and categorization needed to comply with GDPR. It also will help assess and prioritize data risks and enable easier verification of GDPR compliance to auditors.

Perhaps this is why 66% of those surveyed for the State of DG Report say understanding and governing enterprise assets has become more important or very important for their executives. And regulatory compliance is in fact the No. 1 driver for data governance.

State of DG: Implementing Data Governance for GDPR

It’s safe to say that organizations should be much further along with GDPR than they are.

The biggest challenge is to establish compliance with their current data architectures and then to build GDPR compliance into the processes for designing and deploying new data sources.

This requires visibility into the strategic roadmap and well-defined processes to govern new data deployments so that constant GDPR retrofits aren’t required.

Thankfully, data governance has evolved. The siloed, IT-owned program built primarily for data cataloging to support search and discovery has given way to proactive, enterprise-wide data governance that supports regulatory compliance as well as data-driven insights for achieving other organizational objectives.

Data Governance 2.0 understands that CTOs, CMOs and other C-level executives and business leaders across the enterprise are involved in data creation, management and use on a day-to-day basis. And GDPR compliance requires that all stakeholders be aware and empowered so that data governance is built in, and part of the culture.

By integrating data governance with enterprise architecture, business process and data modeling, you’ll have a GDPR compliance framework to:

  • Discover and harvest data assets
  • Classify data and create a GDPR inventory
  • Perform GDPR risk analysis
  • Define GDPR controls and standard operating procedures
  • Socialize and apply GDPR requirements across the organization
  • Implement GDPR controls into IT and business roadmaps for “compliance by design”
  • Prove compliance/respond to audits

Is your organization GDPR-ready?

Click here to get your State of DG Report to see how your organization compares to those we surveyed.

Or if you’d like to discuss how to improve your GDPR readiness with one of our solution specialists, click here.
