Who’s afraid of the big bad GDPR?
The General Data Protection Regulation, or GDPR. Four letters that may be striking fear into the heart of your organisation. Why?
- Yes, the potential fines are scary (up to 4% of global turnover)…
- Yes, there are significant unknowns…
- Yes, it is potentially a massive change of mindset…
But what is it actually requiring organisations to do?
Let’s take a step back and make three assumptions. First, organisations utilise their assets to meet their objectives. A car manufacturer profits from selling its cars; a charity delivers emergency supplies in response to a disaster etc etc. Nothing controversial so far… Second, that there is value in at least some of the personal data retained by organisations such that this data is an asset. If not, we could simply delete it all now given the level of potential fine! Third, that the retention of every piece of data has a cost to the organisation. This cost goes beyond simple storage. Costs are also incurred as valuable connections are obscured by unreliable, disjointed, duplicate, and historic data. The opportunities represented by these connections are either far more difficult to identify, or, worse, are missed completely, and could become compliance risks – in both cases, a trigger is required to bring them into focus.
To take the manufacturing analogy drawn by my colleague Alex in his blog post, value-add cost is incurred every time new data transformations are created or new tools purchased. Similarly, if the need for new tools or new data transformations is not appreciated, there are costs in the form of efficiency losses. However, if you never knew that production line machinery that was 20% more efficient had become available, these losses would not be identified until a supervening event happens, such as existing tooling breaking down. However, such supervening events by their nature are urgent and do not lend themselves to a measured evaluation of alternatives – the production line is losing money every second it is down! Similarly, an organisation about to be hit with a fine for non-compliance will not be looking more widely at its data…
If the physical supply chain for a production line delivered late only duplicate components for historical products it would be declared not fit for purpose and changed. However, all too often this is simply accepted as the state of the data ‘supply chain’ because the full extent of the costs it incurs can be difficult to quantify across multiple business functions. It would be a rare organisation that could not identify an example where it’s data supply chain suffers from some or all of the issues already identified and laments how much more it could be doing with its data.So how does this relate to the GDPR?
At the risk of oversimplification, the starting point for obligations under the GDPR is that organisations need to be able to prove that they know what data they are taking care of on behalf of data subjects, and that they know what they are allowed to do with that data.
If you know exactly what data you have and what you are allowed to do with it, then that’s the starting point for rationalising your data supply chain and realising its true potential by clearing away the murk around all of the valuable connections that have always been there, just never appreciated. However, getting to this point will require overcoming the inertia of engaging every business function that touches that data – often the sticking point for implementing this sort of change even if the true costs above have been evaluated. The difference this time is that you are required to do it as a starting point to comply with the GDPR.
So the GDPR requires organisations to take knowledge of their data to a specified level. Organisations want to take knowledge of their data to that level and beyond to optimise the asset that is that data, but struggle to get such projects off the ground. That sounds like an opportunity to me… Let the need to comply with GDPR serve as the driver to wrestle your data under control and optimise the value that can be derived from it as a strategic asset. So, who’s afraid of the big bad GDPR? Not me!
Every journey starts with a first step, often the most difficult. Discovering all of the data in your organisation is no different. At Entity Group, we have been successfully helping customers around the world of all sizes take this first step and beyond for decades by using our proven methodology.
You can read more about this approach in our book: Crossing the Data Delta. Alternatively, why not book a FREE data strategy planning session with one of our consultants to find out how we can help you take the first step on this journey too?