Putting all the ‘hoo-ha’ around the new GDPR changes aside, there is a potential for businesses to leverage this as an opportunity to create added value. The question is how? Lydia Clougherty Jones, Research Director, Gartner, weighs in…
The EU’s General Data Protection Regulation (GDPR) came into effect on 25 May 2018. European companies are expected to spend an average of €1.3 million (US$1.4 million) on ensuring compliance, while U.S. businesses are setting aside at least US$1 million. Rightly so: Failure to meet GDPR regulatory standards could cost organisations increased legal fees, or even more in noncompliance fines. Too great a focus on the important but narrow security requirements, however, obscures the opportunities of GDPR.
A panicked response to GDPR, which focuses almost exclusively on data protection and security requirements, distorts an organisation’s data and analytics program and strategy. Instead, implementing GDPR consent requirements should be viewed as an opportunity for an organisation to acquire flexible rights to use and share data while maximising business value.
If data and analytics leaders involve themselves in the right way, they can use GDPR to enable new uses for this data, as well as greater access to it, while increasing trust between their organisation and data subjects. All of these points can drive an increase in data value and competitive advantage.
The first step is to enlist legal support. Data and analytics leaders should then focus on increasing awareness of how better business outcomes can arise from changing how their organisation handles personal data. There are three ways to do this:
- Advocate for a mandate to drive value within the data protection officer (DPO) role: The DPO role is required by GDPR under certain circumstances. How the role is defined will have a big impact on the extent to which data usage leads to business value. Typically, DPOs will be hired from a data protection or risk mitigation background, and their primary focus will be compliance. This focus is unlikely to align well with the business goal of treating data as a value-generating asset. Therefore, data and analytics leaders need to create a dialogue with executive leaders to create awareness of how GDPR compliance can foster increased business value and competitive advantage, provided they are given the opportunity to participate in the hiring and training of a DPO.
- Map GDPR consent to your organisation’s data strategy: GDPR consent requirements are heightened obligations compared to other data protection regulations that require only a “good faith effort” to obtain some form of consent (depending on the circumstances). While consent requirements could be seen as a hindrance to deriving value from data, this is not a constructive perspective to adopt. In fact, misconceptions around data privacy, within the organisation or on the part of the data subject, often needlessly constrain innovative use cases. GDPR consent requirements present an opportunity to increase transparency and trust by educating internal and external stakeholders, leadership, employees and customers on privacy requirements. The consent obtained should allow flexible uses and expansive sharing, but still be specific enough to meet GDPR requirements. Handled effectively, there is great potential to obtain consent to increase data access, use and sharing rights — in line with the goals of a wider organisational data and analytics strategy. This can lead to a competitive advantage, while also helping to achieve compliance in other countries and regions.
- Establish new information governance protocols: Gartner recommends that organisations use the momentum around GDPR to upgrade their information governance framework. Currently, most organisations use a “truth-based” model that seeks absolute control of various data attributes such as quality, consistency and completeness.
Gartner predicts, however, that by 2019, 75% of analytics deployments will incorporate 10 or more exogenous data sources from second- or third-party sources.
In this new digital reality, the cost and effort needed to make all these sources conform to a truth-based model are not sustainable; governance programs do, and will continue to, get bogged down in attempting to achieve this. Under GDPR, not all data requires the same level of governance; the use cases can define the differentiation. This favours a trust-based approach to governance, where the most critical and most commonly referenced data is centrally controlled and less critical data with single-use cases can be governed more loosely.
This approach will enable greater flexibility and agility in accessing data. It will also increase the possibilities for as-yet-unknown uses of data — all while maintaining compliance with GDPR requirements.