First insights from EVRY’s GDPR Maturity Assessments at clients
Relevance of Data Governance in the General Data Protection Regulation
Since the 2008 financial crisis, Data Governance has become a hot topic within the banking and insurance industries due to Basel regulations for banking and Solvency regulations for insurance companies. Gartner predicts that 90% of large organizations will have hired a Chief Data Officer by 2019. This is a key indicator for Data Governance, which can be ascribed to regulatory requirements, but also to the need to deal with data leakages and ransomware issues. In May 2018 another EU data regulation, the General Data Protection Regulation (GDPR), will go into effect, impacting organizations in all industries where personal data is a significant part of their business and operations. Besides strengthening consumer privacy rights and improving data mobility within Europe, the GDPR sets requirements on organizations' data governance. Essentially the GDPR provides a unique opportunity to prioritize your data governance. This article shares practical insights from EVRY's GDPR Maturity Assessments at clients, and a first step towards compliance: how to resolve these data governance issues.
Data Governance in this article is defined as the structuring of Data Management roles, accountability and responsibilities within an organization. Through conducting GDPR Maturity Assessments with clients (more detail below), we’ve also learned that data governance is:
- Recognized as essential in becoming GDPR compliant
- An old problem
- One of the first GDPR problems that should be tackled.
Role of the Data Protection Officer
Some examples of direct requirements from the GDPR at the organizational level are
1) the dynamics between consumer-facing companies (i.e. Controllers) and Business-to-Business companies providing personal data processing services to these consumer-facing companies (i.e. Processors), but especially
2) the role of the Data Protection Officer.
From a governance perspective, the Data Protection Officer (DPO) stands at the centre of the GDPR. The DPO has the responsibility (but not accountability) to assess the extent to which the organization is taking the right measures to become GDPR compliant, i.e. leading Data Protection Impact Assessments, and making recommendations on how to become or stay compliant. The organization must either follow these recommendations or ensure their objections to these recommendations are formally noted.
The GDPR also stipulates that the DPO must in no way be obstructed in guiding the organization towards compliance. As a matter of fact, the organization carries the responsibility to enable the DPO in his/her activities, giving the DPO access to an overview of relevant initiatives. Effectively the DPO is a GDPR auditor, while accountability remains with the organization.
Indirectly, the ownership and stewardship of the Data Management of personal information (Metadata Management, Master Data Management, Data Quality, and so on) must be resolved. After all, when compliance is not achieved, it must be clear who is accountable or responsible for the failure to adhere to the regulation's requirements.
First insights from GDPR Maturity Assessments
Based on the first results of GDPR maturity assessments at EVRY's clients, data governance is one of the first topics where clients indicate that their maturity is not sufficient for GDPR compliance. Other issues include embedding a solid master data management lifecycle structure, and dealing with unstructured personal data (e.g. pictures or audio files). From a data governance perspective, the results show internal over-confidence in the organization's capabilities, and a lack of awareness of one's own responsibilities and accountability. Often, the accountable employees at top management level say IT will ensure GDPR compliance, without proactively involving themselves. Additionally, without coordinated efforts led from the top, the organization risks silo-based thinking, as depicted below.
The DPO, consequently, struggles with this over-confidence, lack of involvement, and silo-based thinking. Without clarifying the coordination effort, responsibilities and mandate, both architects and system owners run the risk of independently choosing conflicting directions for data protection. This results in inefficiencies or, worse, non-compliance. Carefully thought-through data governance should resolve these issues. In the cases from the GDPR maturity assessments, the DPO would, soon after the assessment, advise their own organization to resolve the data governance issue. However, "how" remains an open question.
Inspiration from the Data Management Body of Knowledge on Data Governance
The 'Data Management Body of Knowledge' from DAMA International (DAMA DMBOK) is a framework that provides possible Data Governance solutions. The framework names the concept of a Data Management Office on the tactical level. The financial services industry in Europe, where DMBOK concepts have been adopted, shows that the Data Management Office can include or has close contact with the following roles:
- A (Chief) Data Officer with a direct link to top executives and responsible for the organization's Data Policy
- A (Business) Information Owner representative, e.g. HR for employee data
- A Data Quality Controller
- An Executive Data Steward
- A Lead Architect
- Change Leadership
- Programme Leadership
- Risk Management Leadership
The Data Protection Officer may be a new relevant actor within the Data Management Office as well. Additionally, change leadership, as the GDPR also specifies, is of high importance. Change leadership is the best way to ensure that the organization adapts continuously to any new regulation or other new business driver that impacts the organization.
On the operational side, when looking at a simplified data architecture, additional roles play a part:
- Data Producers, entering the data into the sources
- A variety of Data Stewards, such as those leading other data stewards or handling the data flow from source to report including the data quality in their own systems
- Report owners, who provide the information requirements and may also act as business information owner for their specific business area
The operational roles, each with a fragmented overview, usually already exist in organizations in one form or another. However, they may not yet have been formalized from a Data Governance perspective, nor do they usually know where to find each other or have the complete picture. The coordinating roles of the Data Management Office usually also exist in a fragmented way, but they may lack a central platform that ensures they communicate, coordinate and manage together, effectively breaking down inefficient and superfluous silo-based activities.
Data Governance is a necessity for the GDPR, but with a broader positive impact
Unorganized Data Governance is an old problem that many organizations have put off for too long. Besides the service the GDPR provides to European citizens through more extensive privacy rights, it is a unique opportunity for organizations to handle old Data Management issues. For many leaders, this is a potentially painful but necessary change they must prioritize. Once the bitter medicine of well-structured Data Governance has been taken, however, the organization will not only be compliant, protecting the personal privacy of citizens. On a broader Data Management scale – broader than just managing personal data, covering all other areas of Data Management as well – it will also have taken a crucial step towards increased strategic data-based manoeuvrability and effectiveness. Use the momentum of the GDPR, and reap the benefits.
Author: Geoffrey van IJzendoorn, EVRY