GDPR, big data and data governance
Cries, tears, a lot of emotions with constant glances towards the calendar …
At the risk of disappointing you, we are not talking about presales of tickets for U2’s next world tour but GDPR! In the weeks leading up to May 25, 2018, we witnessed a surge of pressure around this sacrosanct compliance deadline, which seemed to have taken everyone by surprise. Yet its implementation had been planned for at least 2 years! Now that the flood of messages about updated terms of use has calmed down and the excitement has passed, it is time to take a step back on this subject. GDPR, big data and data governance, let’s unpack all this.
GDPR: 1 regulation, 99 articles and 1001 questions
GDPR… what is it exactly? GDPR stands for General Data Protection Regulation; the acronym comes from the English name of the text. It is a law that applies to all companies processing the personal data of European citizens, even if these companies are not European. It is a reference text that seeks to give more control and transparency to the way personal data is collected, processed and stored by companies. In this sense, the GDPR is a minor revolution, as it imposes important changes on the way that data must be used. Personal data includes any information that directly or indirectly identifies a person. We naturally think of email, but also personal details, photographs, banking information, IP addresses, phone numbers, online account credentials, etc.
What changes with the GDPR:
- Data must be collected lawfully, fairly and transparently;
- The data must be used for specified, explicit and legitimate purposes;
- Data enabling the identification of the data subjects must be kept only for as long as necessary;
- The data must be accurate and, if necessary, kept up-to-date;
- The data must be processed so as to ensure appropriate security.
Data privacy: how does it impact data processing?
Data, all companies manage it: personal information of employees, customer contacts, sales follow-ups of prospects, supplier information, etc. The GDPR therefore imposes the creation of a “Data Privacy” entity or team to ensure that each service, subsidiary or entity within a company complies with the new regulation. This change also requires that the data stored by each service be identified: a mapping exercise for which the Data Privacy team must seek out data from managers, IT project managers, the IT department or the sales and support team. To cope with these changes, the GDPR provides for the creation of a new position in the company: the DPO (Data Protection Officer). This is the contact person who advises, trains and informs employees (and also supports management) in the proper processing of data. The DPO must have legal and technical expertise, must fully understand the workings of the organization and must be involved in projects that include personal data. It is a new, “trendy” position that can, however, be filled in-house or outsourced depending on the volume and use of the data.
What if it’s time to upgrade your data management?
All the noise around the GDPR had the merit of putting the issue of personal data at the heart of the debate, leading to global and healthy awareness-raising. It was also a way to recognize the most virtuous companies, those that did not wait until the last minute to get organized. Indeed, the GDPR requires a major overhaul of data management, both technically and philosophically. Which data for which use? This is the key issue of the GDPR, and it is also a useful springboard for rethinking your organization. This work on personal data also highlights the many silos that too often exist in organizations, making the mapping and management of personal data time-consuming and complex. To address this, it is necessary to broaden the issue of data management with the introduction of structured baseline data within MDM (master data management): a metamanagement system for more structured, better protected and more controlled data. The GDPR stirred up all businesses in spring 2018, and it’s not over yet. This new regulation will still require many weeks or months before it is fully mastered by companies, especially SMEs with limited resources. This work has the merit of opening new doors to better optimization and management of the way in which data impacts the daily activity of the company.