How GDPR is an Opportunity to Create Business Value

Data and analytics leaders can use GDPR changes to increase the value of data.

The EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. European companies are expected to spend an average of €1.3 million ($1.4 million) on ensuring compliance, while U.S. businesses are setting aside at least $1 million. Rightly so: Failure to meet GDPR regulatory standards could cost organizations increased legal fees, or even more in noncompliance fines. Too great a focus on the important but narrow security requirements, however, obscures the opportunities of GDPR.

“A panicked response to GDPR, which focuses almost exclusively on data protection and security requirements, distorts an organization’s data and analytics program and strategy,” says Lydia Clougherty Jones, research director at Gartner. “Don’t lose sight of the fact that implementing GDPR consent requirements is an opportunity for an organization to acquire flexible rights to use and share data while maximizing business value.”

If data and analytics leaders involve themselves in the right way, they can use GDPR to enable new uses for this data, as well as greater access to it, while increasing trust between their organization and data subjects. All of these points can drive an increase in data value and competitive advantage.

The first step is to enlist legal support. Data and analytics leaders should then focus on increasing awareness of how better business outcomes can arise from changing how their organization handles personal data. Clougherty Jones shares three ways to do this.

Advocate for a mandate to drive value within the data protection officer (DPO) role

The DPO role is required by GDPR under certain circumstances. How the role is defined will have a big impact on the extent to which data usage leads to business value. Typically, DPOs will be hired from a data protection or risk mitigation background, and their primary focus will be compliance.

This focus is unlikely to align well with the business goal of treating data as a value-generating asset. Therefore, data and analytics leaders need to create a dialogue with executive leaders to create awareness of how GDPR compliance can foster increased business value and competitive advantage, provided they are given the opportunity to participate in the hiring and training of a DPO.

Map GDPR consent to your organization’s data strategy

GDPR consent requirements are heightened obligations compared to other data protection regulations that require only a “good faith effort” to obtain some form of consent (depending on the circumstances). While consent requirements could be seen as a hindrance to deriving value from data, this is not a constructive perspective to adopt.

In fact, misconceptions around data privacy, within the organization or on the part of the data subject, often needlessly constrain innovative use cases. GDPR consent requirements present an opportunity to increase transparency and trust by educating internal and external stakeholders, leadership, employees and customers on privacy requirements.

The consent obtained should allow flexible uses and expansive sharing, but still be specific enough to meet GDPR requirements. Handled effectively, there is great potential to obtain consent to increase data access, use and sharing rights — in line with the goals of a wider organizational data and analytics strategy. This can lead to competitive advantage, while also helping to achieve compliance in other countries and regions.

Establish new information governance protocols

Gartner recommends that organizations use the momentum around GDPR to upgrade their information governance framework. Currently, most organizations use a “truth-based” model that seeks absolute control of various data attributes such as quality, consistency and completeness.

Gartner predicts, however, that by 2019, 75% of analytics deployments will incorporate 10 or more exogenous data sources from second- or third-party sources.

In this new digital reality, the cost and effort needed to make all these sources conform to a truth-based model is not sustainable; governance programs do, and will continue to, get bogged down in attempting to achieve this.

Under GDPR, not all data requires the same level of governance; the use cases can define the differentiation. This favors a trust-based approach to governance, where the most critical and most commonly referenced data is centrally controlled and less critical data with single use cases can be governed more loosely.

This approach will enable greater flexibility and agility in accessing data. It will also increase the possibilities for as-yet-unknown uses of data — all while maintaining compliance with GDPR requirements.

Gartner clients can read more in How Data and Analytics Leaders Can Leverage GDPR for Increased Business Value by Lydia Clougherty Jones et al.
