Organisations spent an enormous amount of time, money and resource to achieve GDPR compliance in time for the May 2018 deadline.
However, it is clear that preparing to meet the regulation was not a one-off project, and that remaining compliant in 2019 and beyond requires continued investment.
The investment is likely to be substantial. A November 2017 report by Sia Partners indicates that it is likely to be £15 million on average for a FTSE100 firm. Organisations in the UK have woken up to the fact that to achieve continued compliance, they must adopt a new way of life; after all, the risks of failing to be compliant are substantial. The BA data breach of 21 August to 5 September 2018 raised immediate speculation about likely future fines.
Now we have seen tech giant Google hit with a record fine for breaching GDPR. The €50 million (£44m) fine issued by French regulator CNIL was triggered by complaints relating to how Google handled people’s data. CNIL said it had levied the fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”
Until now, the focus on GDPR has been very much on likely penalties: stick rather than carrot. That is changing fast, with many organisations now seeing GDPR as more of an opportunity than a threat, and hoping that their investment can benefit the business in a variety of ways.
ASG’s view is that businesses must continue to assess their GDPR strategy, paying particular attention to these five key areas:
1. Data governance and privacy
Businesses are still learning to extend their data governance processes to GDPR and implementing the internal processes it requires. This typically involves a number of tasks – understanding the regulation, making organisational changes, such as appointing a Data Protection Officer, modifying business practices and – above all – knowing what personal data is stored, who is using it, how and for what purposes. As manual tasks often have a greater risk of human error, it is vital organisations put the right processes in place to ensure they are performing them effectively. Manual processes will only be sustainable if organisations accept them as a corporate “must do” and create a “privacy” mindset.
2. Automation technology
Investment in automation technology is needed to enable businesses to manage costs, improve quality and consistency, and react quickly to opportunities, threats and challenges. The growing volume, variety and fast-moving nature of data mean that nobody will be able to keep track of it and govern it without automated processes. Knowing exactly where data comes from, how and why it is used and where it goes requires businesses to deploy technology that automates the understanding of data, identifies changes and notifies data governance teams as needed. In addition, artificial intelligence and machine learning provide capabilities that will help organisations use the growing volume of data more effectively, while also identifying and reducing compliance risk. Try as they might, they will not be able to achieve the same results with spreadsheets and Word documents.
3. Quality over quantity
The process of identifying and culling data, undertaken initially to achieve GDPR compliance, should become an ongoing task, as the quality of data and the ability to protect it are far more important than the quantity of that data. Organisations need to identify what data is working for them and what data is working against them in order to reduce the amount of data they hold. The remaining data is then likely to be more valuable and of more use to the business, while the risk from unused data is eliminated.
4. Getting a handle on data lineage
To get the most from GDPR compliance, businesses should look to get a better grasp of data lineage and what it means to their business. True data lineage is a complete understanding of the data, its transformational nature, its associations and its lifecycle across the data estate and over time. While some talk about data lineage as though it were no more than knowing how data moves from “A” to “B”, true data lineage includes application, business and technical perspectives. It captures data transformation, not just movement, and associates data with business meaning and processes. It is the critical knowledge base that data governance and regulatory compliance rely on.
5. Deriving added value
In 2019, organisations should remind themselves of the added value that GDPR compliance brings with it and look at how they can use this to their advantage. Businesses should look at the bigger picture and focus on the trust that comes from well-governed data, so that they can build confidence in its use while also mitigating risk. This includes the potential to reduce direct costs, create efficient audit processes, manage and track the information supply chain, and use insights from data to drive business decisions.
With the help of technology, businesses can create robust processes which ensure long-term GDPR compliance. A more complete and valuable understanding of data can be achieved and maintained with the help of automation. Although there is an initial investment in this technology, businesses must look at the bigger picture and the return on investment from saving both time and resource and reducing what can be costly errors. While compliance is required by law, organisations must begin to view it as an opportunity to improve their data governance processes rather than a burden.