Why GDPR and data strategy are two sides of the same coin
Crossing the GDPR data delta
At Entity Group we see GDPR as an opportunity for organisations acting in the role of data controllers and data processors to build trust with data subjects (the individuals whose data they hold) and to become truly customer/citizen/employee centric.
All too often organisations do not have a holistic data strategy in place and are, therefore, in no position to take advantage of opportunities afforded by GDPR or any other regulatory obligation. The truth is that data governance and information management strategies very often get ignored because they are difficult to articulate and seem even more difficult to execute. However, we believe they are achievable with the right assistance.
We believe that the gap between the data organisations have today and the information or business advantage they want to have tomorrow can be thought of as a ‘data delta’. Achieving digital transformation can be a huge headache because this delta exists within most organisations, and yet it must be bridged if companies are to truly embrace digitalisation and survive. GDPR compliance is a specific example of a data delta that needs to be crossed and the best way to approach it is with tried and tested data management techniques.
Six core principles to cross the data delta
We have spent many years working with organisations of all sizes and sectors to help them to cross their own data deltas. This knowledge and experience has crystallised into our own method, described in our book Crossing the Data Delta, which provides guidance on a host of data management challenges. Specifically, it suggests that there are six core principles which need to be in place in an organisation before it can successfully cross the data delta:
- Data must be governed and owned
- There must be an agreed description of the data
- Data quality must be defined, measured and managed
- Principles of access need to be established, addressing each aspect of the data lifecycle, storage, privacy and security
- How data is used and shared needs to be agreed as well as how systems are integrated
- The organisation needs to determine which data needs to be controlled, how and by whom, so that business applications can be successfully implemented
There is much more involved but hopefully it is clear that these data management principles all apply directly to GDPR compliance and should be a vital part of your initiative. There are a number of other approaches out there – the point is not to spend time reinventing the wheel!
- What personal data do I hold?
- Why do I hold this? (for which processing activities/purposes?)
- Do I have specific consent and have I registered any objections?
- How will I continue to monitor and action consents and objections?
- Am I upholding the rights of the data subject?
The importance of consent mastering
The ability to answer these questions is known as consent mastering. It means having a single version of the truth for all data related to an individual and the consent they have given to use it. For compliance purposes this must be continually updated and available to any approved consuming system. Ironically, given that part of a GDPR compliance initiative is a data management activity, consent mastering does require organisations to identify, collect and hold even more data! Also, as with any other kind of mastering, this is an iterative process, not a one-off activity, and therefore it is not merely answered by a technology implementation. To truly address it, organisations will need to look at the three core areas of process, people and technology right across the organisational landscape. This is an integral part of having a defined strategy for information management and a strong grip on data governance.
No matter what your data management project is, a good, pre-defined data model can really get your project off to a flying start. For a GDPR initiative it could act as an accelerator you can use to map your organisation’s data, swiftly identify the data you might need for compliance and then connect that with the data you hold on individuals. We recommend looking at items such as how to uphold the rights of data subjects (such as erasure, inquiry, objection, portability, restriction and rectification). You’ll need to understand who has ownership of the data and who is responsible for maintaining it – these are essential data governance tasks even without the pressure of GDPR compliance.
How consent mastering links to master data management
One of Entity’s specialisms is the successful delivery of master data management projects. As such, we believe that the consent mastering aspect of GDPR should be of particular interest to organisations wanting to demonstrate responsible handling of customer/employee/citizen data and build trusting, profitable customer relationships. Why? Well, because it links through and is complementary to so many aspects of the customer 360° view that is the goal of many MDM implementations. MDM could be defined as enabling you to join up information relating to the same thing (a particular customer, supplier, product etc) from across your organisation, so that you can get a single view of their interactions and transactions.
Consent is just one part of that 360° view that needs to be mastered. However, you might be struggling to show who owns data in your organisation and understand how it flows around. Equally, the ability to visualise this ownership and these flows can help to promote collaboration and buy-in which are valuable in the process of building a business case for an enterprise MDM project. There are technologies available to help with that part of the process and many other related technical capabilities can play a part in the process such as data integration, data quality, data cataloguing, data security, data lakes – the list goes on. Therefore a platform approach from a technology perspective – where the individual components can be used stand-alone or as part of an integrated whole – can be extremely useful. An example of a platform for data governance is below.
How Entity can help you
So how to get started? You need an action plan – a roadmap. This is a topic that we covered in our recent GDPR consent mastering webinar (watch the recording here). We’d love to talk to you in more detail about GDPR or any of the unique data management challenges you face, and share some more of our experience with you to help you cross your own data delta. Whatever you decide to do, though, please take a broader data management approach so that dealing with GDPR compliance can be the beginning of an effective data management journey for your organisation or an improvement to the one upon which you have already embarked. Safe travels!