GDPR and The Data Governance Imperative

Digital data pervades virtually every aspect of our lives. IDC estimates that by 2025 digital data will grow to 163 zettabytes, 80% of which will be created by businesses. From autonomous cars, robotic process automation, intelligent personal assistants to smart home devices, the world around us is undergoing a fundamental change, transforming the way we live, work, and play.

The Changing Nature of Personally Identifiable Information

The confluence of big data, cloud computing, social media, mobile devices collect and aggregate diverse data sets, which taken together, such as internet search habits and GPS tracking information may expose personally identifiable information.

There is an even more vexing challenge — data analytics — powerful algorithms that cut through vast amounts of data. Predictive analytics is fundamentally changing the definition of data. It consists of not only consent based data collected from data subjects but also extends to observed data, for example, video data from surveillance sensors and inferred data, aggregated from diverse data sets that creates a digital fingerprint of data subject sentiments, preferences and behaviors. Increasing use of machine learning technologies is also generating vast amounts of data about individuals without their knowledge let alone affirmative consent, as required by GDPR.

The GDPR Accountability Principle

The General Data Protection Regulation considerably strengthens the accountability principle which requires organizations to institute “appropriate technical and organizational measures” to safeguard privacy rights, maintain a record of processing activities and have in place adequate internal controls to demonstrate compliance if requested by supervisory authorities. Compliance with the accountability principle implies having better visibility to the data, how it is collected and processed and the steps taken to minimize the amount of personal information collected.

The Information Governance Imperative

It is then not surprising that a recently published survey found that 64% of organizations are planning to overhaul their business processes given GDPRs onerous enforcement mechanisms, fines and penalties. However, 47% of the same survey participants do not have a clear understanding of how to prioritize their compliance initiatives.

So where do you begin your governance journey?

A useful starting point is to consider a unified information governance strategy based on the over-arching principle that safeguarding privacy rights is not just about risk mitigation but also an opportunity to strengthen corporate brand and foster enduring customer loyalty.

A holistic information governance strategy demands cross functional participation from the business leadership. A potentially useful governance framework is the IGRM reference model. This model provides a framework for aligning the key business functions so that:

• The business may leverage data as a competitive asset;
• IT may improve operational efficiencies in the management of data; and
• Legal may mitigate compliance risk and proactively adhere to regulatory requirements.

This article is an abridged version of Andrew Pery’s article on “GDPR and The Data Governance Imperative,” published in AIIM.org. To read the full-length version, please visit: https://info.aiim.org/digital-landfill/gdpr-and-the-data-governance-imperative.