It’s 2018, and with the New Year comes a fresh bout of GDPR-related announcements and warnings from technology, consultancy, and legal firms alike – mostly designed to instil raw fear into anyone responsible for holding or processing data. Do you understand your obligations, and your data (and know where it all is)? Have you done enough? Assuming you do and you have, come May 25th… what about May 26th, when the initial euphoria of being able to demonstrate an adequate level of compliance has worn off? What next?
The European Union’s General Data Protection Regulation (GDPR) grants EU citizens new rights over their personal data – such as access, portability (for their own use, or amongst service providers), rectification, and erasure (aka the “right to be forgotten”); and data controllers (whether EU companies or not) will be bound by specific stipulations governing the validation of an individual’s identity, the timeframe for responding to requests, and the secure transmission of a response. There are also strict requirements to report data breaches, and those headline-grabbing “effective, proportionate, and dissuasive” financial penalties of up to 4% of global revenue for infractions.
Many of the vendors we speak to report that “most” of the customers they engage with on GDPR are still, at best, early in their cycle of thinking about what the regulation means to them, quantifying the risks they’re taking, and determining what they need to do first in order to be on the right side of it by May this year.
That’s going to take a fair bit of effort for many organisations (especially those with a poor grasp of their data inventory, and without the process building blocks to handle enquiries and a data-literate culture that can embed GDPR-compliant thinking into the way in which personal data is used to drive the business). It’s not as simple as adhering to a specification of standards. GDPR is a legal regulation containing a number of ‘articles’ that set out how personal data (and the individuals whose data it is) should be treated; it’s the data processor’s responsibility to work out what that means to them, and the way in which they operate.
However, let’s assume that you are able to make a good fist of your GDPR compliance efforts over the next 4½ months or so – to the extent, at least, that you are already able (or can demonstrate to any auditor that you have clear procedures in place to assure that you’re well enough on your way towards being able) to identify GDPR-relevant structured and unstructured data, manage it appropriately, and deal with individuals’ requests through defined processes. After all, there are frameworks, tools, and advice available now from a number of content and process vendors (many of whom – such as Alfresco, Box, Egnyte – we’ll be revisiting with updated coverage early in 2018) that can assist you here… if not actually provide a tailored ‘solution’.
The thing is, this is only part of the puzzle. It’ll get you over the line on May 25th, and it’s something you can build on… but it won’t – on its own – lift you into the higher plane of data literacy you’ll need to inhabit if you’re going to be able to ride a ‘second wave’ of GDPR-related action.
And that means being able to incorporate GDPR-compliant elements into longer term digital strategies, automated controls, processes, design models, etc. in order to build a level of operational assistance. Becoming a GDPR-compliant business brings good data governance practice, and such governance competencies will become an essential part of being able to trade on your digital ethics and the ‘transparency premium’ (which Neil Ward-Dutton and I discussed in a recent podcast on How digital technology changes work) as the temptations of machine learning become too irresistible to ignore… in the drive towards ever more extreme personalisation and convenience.
Every organisation needs to be compliant with the articles that describe GDPR’s stipulations; the more forward-thinking ones will take the opportunity to leverage GDPR’s principles and mould them into data governance practices that help them do more with their content and data (and do so in a demonstrably more responsible way).
That’s going to take tools, talent, creative thought, and critical analysis of how the changing data processing landscape could evolve – and your place in it.
Are you ready?