The EU's General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. European companies are expected to spend an average of €1.3 million ($1.4 million) on ensuring compliance, while U.S. businesses are setting aside at least $1 million. Rightly so: Failure to meet GDPR regulatory standards could cost organizations increased legal fees, or even more in noncompliance fines. Too great a focus on the important but narrow security requirements, however, obscures the opportunities of GDPR.
"A panicked response to GDPR, which focuses almost exclusively on data protection and security requirements, distorts an organization's data and analytics program and strategy," says Lydia Clougherty Jones, research director at Gartner. "Don’t lose sight of the fact that implementing GDPR consent requirements is an opportunity for an organization to acquire flexible rights to use and share data while maximizing business value."
If data and analytics leaders involve themselves in the right way, they can use GDPR to enable new uses for this data, as well as greater access to it, while increasing trust between their organization and data subjects. All of these points can drive an increase in data value and competitive advantage.
The first step is to enlist legal support. Data and analytics leaders should then focus on increasing awareness of how better business outcomes can arise from changing how their organization handles personal data. Clougherty Jones shares three ways to do this.
Advocate for a mandate to drive value within the data protection officer (DPO) role
The DPO role is required by GDPR under certain circumstances. How the role is defined will have a big impact on the extent to which data usage leads to business value. Typically, DPOs will be hired from a data protection or risk mitigation background, and their primary focus will be compliance.
This focus is unlikely to align well with the business goal of treating data as a value-generating asset. Therefore, data and analytics leaders need to open a dialogue with executive leaders to build awareness of how GDPR compliance can foster increased business value and competitive advantage, provided they are given the opportunity to participate in the hiring and training of a DPO.
Map GDPR consent to your organization's data strategy
GDPR consent requirements are heightened obligations compared to other data protection regulations that require only a "good faith effort" to obtain some form of consent (depending on the circumstances). While consent requirements could be seen as a hindrance to deriving value from data, this is not a constructive perspective to adopt.
In fact, misconceptions around data privacy, within the organization or on the part of the data subject, often needlessly constrain innovative use cases. GDPR consent requirements present an opportunity to increase transparency and trust by educating internal and external stakeholders, leadership, employees and customers on privacy requirements.
The consent obtained should allow flexible uses and expansive sharing, but still be specific enough to meet GDPR requirements. Handled effectively, there is great potential to obtain consent to increase data access, use and sharing rights — in line with the goals of a wider organizational data and analytics strategy. This can lead to competitive advantage, while also helping to achieve compliance in other countries and regions.
Establish new information governance protocols
Gartner recommends that organizations use the momentum around GDPR to upgrade their information governance framework. Currently, most organizations use a "truth-based" model that seeks absolute control of various data attributes such as quality, consistency and completeness.
Gartner predicts, however, that by 2019, 75% of analytics deployments will incorporate 10 or more exogenous data sources from second- or third-party sources.
In this new digital reality, the cost and effort needed to make all these sources conform to a truth-based model is not sustainable; governance programs do, and will continue to, get bogged down in attempting to achieve this.
Under GDPR, not all data requires the same level of governance; the use cases can define the differentiation. This favors a trust-based approach to governance, where the most critical and most commonly referenced data is centrally controlled and less critical data with single use cases can be governed more loosely.
This approach will enable greater flexibility and agility in accessing data. It will also increase the possibilities for as-yet-unknown uses of data — all while maintaining compliance with GDPR requirements.