The first service of a GDPR notice – to analytics firm AggregateIQ for its controversial use of voter data – reinforced the severity and significance of GDPR for organizations worldwide. Though the May 25, 2018 deadline for compliance may initially have been treated as a one-off, box-ticking exercise, the reality is that GDPR brings heightened, long-term scrutiny to the way in which organizations collect, use, and store data.
The purpose of GDPR is to protect personal privacy rights by providing greater transparency into the way that personal data is used. As a consequence, full GDPR compliance means being able to answer questions such as: Is personal data being used? Who owns it? Where can it be found? What does it mean? Why is it being stored? Is it trustworthy? The inability to answer any of these questions exposes a business to the real risk of harsh penalties and reputational damage, not to mention the lost opportunity of not using the organization’s data to its fullest potential.
In order to answer the questions raised by GDPR compliance, organizations must have a 360-degree view of their data. Strong governance that applies comprehensive policies to the management and organization of data is a prerequisite.
Rise of the CDO
Six months after the much-discussed May deadline, organizations are still failing to realize the true power of a data-centric approach, whether for ensuring compliance or operational efficiency. According to a survey from Imperva, fewer than 50% of businesses are highly confident they would pass a GDPR audit. Meanwhile, a Fellowes study of more than 1,000 UK workers, announced in October 2018, found that 20% had still not been given any GDPR policies by their company. Another 54% of respondents in that study had seen personal and/or confidential data they should not have seen under GDPR.
These troubling figures demonstrate that, despite the momentum of initial compliance investments made to meet the GDPR deadline, efforts have largely consisted of hasty ‘band-aid’ solutions with little regard for long-term sustainability or change in corporate culture. There is a glaring need for organizations to implement — and maintain — concrete data processing policies and systems. No one is better positioned to achieve this than the Chief Data Officer (CDO), whose job is to help the enterprise manage its data effectively. Armed with expert knowledge of data governance and processes, CDOs are able to make significant steps towards long-term GDPR compliance.
A CDO’s unique ability to help organizations overcome compliance challenges without disrupting business as usual also means they should have a seat at the table in boardroom discussions. By elevating their role, CDOs can obtain not only the senior buy-in they need — indeed this is a prerequisite for GDPR compliance — but also leverage their authority to catalyze a cultural shift towards data-centricity within their organization. In the modern business landscape, where governed data is an asset, CDOs also serve as business strategists.
Equipped with advanced technology, an analytical mindset, and innate attention to detail, CDOs are capable of identifying the value of data within an organization and ethically leveraging that data to implement strategic, data-led change. The role is necessarily far-reaching, making the CDO an asset to any organization. For example, by enabling better data analytics, CDOs can identify growth opportunities in sales and revenue, facilitate cost savings in operations, and maximize customer relationships.
Data governance: a GDPR solution and business enabler
So how can CDOs begin to sift through the data within an organization to make sure it is compliant both now and in the future and, perhaps even more importantly, to use data to reveal business growth possibilities and industry-impacting strategies? The answer lies in data governance and an offense-defense balancing act. On one hand, CDOs have to play defense to meet regulatory obligations like GDPR. On the other, CDOs must play offense as well: using data to inform business decisions and drive new growth opportunities. Data governance is a necessary part of each approach, since both require full visibility into the origin, format, lineage, and quality of data.
The first step in implementing a clear data governance strategy is conducting a data maturity assessment, which will help a CDO identify the areas that need to be improved. In the case of GDPR, knowing just how far from compliance an organization is at the outset will show which strategies and steps need to be prioritized going forward. This involves evaluating the state of various elements within the organization, such as:
- The leadership team’s attitudes towards data
- The strength of existing data policies
- The level of exposure to security or legal risk
- The sophistication of the organization’s underlying technological infrastructure
A data maturity assessment is a critical step to launching any governance initiative; CDOs will not know if their efforts are aligned with an organization’s business priorities — or which areas to improve — if they are unaware of their starting point.
A long-term situation
Once a data maturity assessment has been completed, CDOs can begin building the right tools and processes to govern enterprise data. However, with the volume and variety of enterprise data continuing to multiply at an exponential rate, it is important for CDOs to implement a governance strategy that lets the organization maximize the reach of its data assets while staying compliant.
In order to achieve this, businesses need both a macro and a micro mindset. They need to gain maximum visibility into how data is used at every level of the organization, while also understanding, for example, that updating metadata in real time will improve its reliability and trustworthiness. A unifying language, such as a data catalog, also improves the accessibility of data across the board, allowing all business units to easily navigate a single source of intelligence. Thinking about the big picture while keeping an eye on the micro processes will help CDOs build a long-term, GDPR-compliant data strategy.
GDPR compliance and data governance are inextricably linked; GDPR compliance cannot be achieved without strong governance. This requires not only procedural and micro-level strategies, but an overall cultural mindset of a data-centric approach, which the CDO is primed to lead. Keeping both sides of the governance coin in check is where the CDO can drive real value for an organization: ensuring all elements of GDPR compliance are governed, avoiding regulatory violations, and propelling his or her organization to success.