Relevance of Data Governance in the General Data Protection Regulation
Since the 2008 financial crisis, Data Governance has become a hot topic within the banking and insurance industries, driven by the Basel regulations for banks and the Solvency regulations for insurance companies (source 1). Gartner predicts that 90% of large organizations will have hired a Chief Data Officer by 2019 (source 2). This indicates that Data Governance is being prioritized, which can largely be ascribed to regulatory requirements. In May 2018 another EU data regulation, the General Data Protection Regulation, will go into effect, impacting organizations in all industries where personal data is a significant part of their business and operations.
This article shares insights from EVRY’s GDPR Maturity Assessments with clients, which are the second step of EVRY’s five-step GDPR approach. The GDPR aims to strengthen consumer privacy rights and improve data mobility within Europe (source 3) and, as we have discovered, also sets requirements on organizations’ data governance. Essentially, the GDPR provides a unique opportunity to prioritize your data governance. This article shares practical insights from EVRY’s GDPR Maturity Assessments on how to resolve these issues.
Data Governance in this article is defined as the structuring of Data Management roles, accountability and responsibilities within an organization. Through conducting GDPR Maturity Assessments with clients (more detail below), we’ve also learned that data governance is:
- Recognized as essential in becoming GDPR compliant
- An old problem
- One of the first GDPR problems that should be tackled
Role of the Data Protection Officer
In fact, the GDPR places several requirements for data governance on an organization, such as managing accountabilities and responsibilities between controllers, processors, and sub-processors. The GDPR also assigns a new role for overseeing GDPR compliance in an organization: the Data Protection Officer (DPO). From a governance perspective, the DPO stands at the centre of the GDPR. The DPO has the responsibility (but not the accountability) for assessing the extent to which the organization is taking the right measures to become GDPR compliant. These responsibilities include leading Data Protection Impact Assessments and making recommendations on how to become or stay compliant. The organization must either follow these recommendations or ensure that its objections to them are formally noted.
The GDPR also stipulates that the DPO must in no way be obstructed from guiding the organization towards compliance. As a matter of fact, the organization carries the responsibility to enable the DPO in his/her activities. Effectively the DPO is a GDPR auditor, while accountability remains with the organization.
In order to meet these requirements, the ownership and stewardship of the Data Management of personal information (Metadata Management, Master Data Management, Data Quality, and so on) must be resolved. After all, if compliance is not achieved, it must be clear who is accountable or responsible for the failure to adhere to the regulation’s requirements.
First insights from GDPR Maturity Assessments
The first results from the GDPR Maturity Assessments indicate data governance as one of the most important GDPR challenges. Other challenges include embedding a solid Master Data Management lifecycle structure, and dealing with unstructured data (e.g. pictures or audio files).
Organizations should be wary of internal over-confidence in their own capabilities, and make sure that awareness of their own responsibilities and accountabilities is sufficiently grounded. Without coordinated efforts, led from the top, the organization risks silo-based thinking, as depicted below.
If left unhandled, these issues may cause challenges for the DPO. Without clarifying the coordination effort, responsibilities, and mandate, both architects and system owners run the risk of independently choosing conflicting directions for data protection. This can result in inefficiencies or, worse, non-compliance. Carefully thought-through data governance should resolve these issues. It falls upon the DPO to advise their own organization on how to resolve these data governance issues. However, “how” remains an open question.
Inspiration from the Data Management Body of Knowledge on Data Governance
One place to look for answers is the "Data Management Body of Knowledge" (source 4) from DAMA International (DAMA DMBOK). DMBOK is a framework that suggests the concept of a Data Management Office as a tactical body within the organization. Experience from the financial services industry in Europe, where DMBOK concepts have been adopted, shows that the Data Management Office typically has the following roles in its scope:
- A (Chief) Data Officer with a direct link to top executives and responsibility for the organization’s Data Policy
- A (Business) Information Owner representative, e.g. HR for employee data
- A Data Quality Controller
- An Executive Data Steward
- A Lead Architect
- Change Leadership
- Programme Leadership
- Risk Management Leadership
The Data Protection Officer may be a new relevant actor within the Data Management Office as well.
The aforementioned roles of the Data Management Office usually already exist in a fragmented way, but they may lack a central platform that ensures they communicate, coordinate, and manage together, which would effectively break down inefficient and superfluous silo-based activities. As shown in the figure below, the Data Management Office also allows for a more targeted division of responsibilities on the operational side, from Data Production to Report Ownership.
The unexpected upsides of Data Governance
Unorganized Data Governance is an old problem that many organizations have put off for too long. Besides giving European citizens more extensive privacy rights, the GDPR grants organizations a unique opportunity to handle old Data Management issues. For many leaders, this is a potentially painful but necessary change they must prioritize. Once the bitter medicine of well-structured Data Governance has been taken, the organization achieves more than just GDPR compliance. It will also have increased its data-driven manoeuvrability and effectiveness, enabling the use of cognitive intelligence, artificial intelligence, and machine-learning tools. Use the momentum of the GDPR, and reap the benefits.
Author: Geoffrey van IJzendoorn, EVRY
(3) "Trust in the Personal Data Economy" (EVRY, May 2017)