The EU General Data Protection Regulation (GDPR) was one of the most discussed topics at a recent financial services data conference (FIMA) in London. The discussions mirrored a recent poll which found that, as of October 2016, more than 60 percent of respondents were either still in the planning stage or had not started preparing for GDPR at all. The reason the GDPR is such a high-profile conversation and concern is its impact. Like some regulations before it, such as BCBS 239 or Solvency II, GDPR requires a significant change in how we think about and execute the management of data, and not just data in the EU, but globally.
A Quick Review of GDPR
The GDPR is a regulation passed by the European Parliament and Council of the European Union in April 2016 that becomes effective in May 2018. It replaces Directive 95/46/EC, which was passed in 1995. For context, the GDPR is 88 pages, replacing the 20-page Directive 95/46/EC. The overarching objective of the GDPR is to ensure protection of the personal data of persons who reside in the EU. While a person may reside in the EU physically, the data about that person is quite portable, which is where the challenge begins. GDPR is global in reach in that it regulates how personal data from those persons must be managed, regardless of where the data is held. In fact, it also regulates where that data may be transferred to and where it may be processed. From Chief Data Officers to Chief Information Officers, and the information security professionals, operations managers, and compliance officers in between, GDPR is impacting the priorities and considerations of many leaders and professionals.
Meeting GDPR Expectations
I have long said that data management programs should be viewed as an umbrella set of governance activities that ensure the data can be trusted and is fit for purpose. That sounds simple on the surface. Many people focus on the definition and quality aspects to meet that objective, but if we dissect “trusted and fit for purpose” a bit and look at it through an information assurance lens, we find that it encompasses much more. For the rest of this blog, consider that information assurance (IA) refers to data availability, integrity, authentication, confidentiality, and non-repudiation. Those properties are also required to ensure data is trusted and fit for purpose.
Personally, I always include conversations about information assurance and data security when talking with clients about their data management programs and governance. These conversations, which should be commonplace, ensure that a large enterprise has a foundation to meet the requirements of the GDPR.
With the definition of IA above, and an understanding of what the GDPR governs, let’s look at a specific example of how a mature data management program helps us meet some specific expectations of the GDPR. Even if you don’t manage any personal data from the EU, you should read on. The principles that underlie the GDPR-specific examples are still germane to you.
Over the last couple of years, many organizations have been leveraging one of the two industry data management models, the Data Management Capability Assessment Model (DCAM) or the Data Management Maturity model (DMM), to help guide their data management program implementation and ongoing governance. I know many leaders who have leveraged these industry-accepted models to meet other regulatory requirements dealing with data. (If you are not, you owe it to yourself to explore this further.) The relationship between what these two models provide and what these various regulations require is no different for the GDPR. Let’s look at one specific requirement from the GDPR.
The GDPR establishes a requirement that data is purged by design and default. Specifically, Article 5(e) requires that data is purged when no longer needed for the purpose for which it was collected, and Article 25.2 requires that such purge occurs by design and default. (These two articles are actually broader than simply stated above, but let’s focus on this one example.) So, our requirements here are to:
There are a myriad of ways that the DMM and DCAM can help you ensure that your data management program encompasses these requirements, but I’ll point out just a couple.
DMM functional Practice 3.4 from the Data Requirements Definition process states “Data requirements comply with and include compliance for both physical and logical data, including security rules as well as technical requirements.” There is a substantial elaboration in the model that provides a broader explanation of this expectation, but in short, it's pretty clear that if we are engaged with all the appropriate stakeholders and execute as this practice says, we would naturally have a governance process that would ensure we are meeting the requirements described above from the GDPR.
Likewise, one of the DCAM Capabilities, 4.6, states that “Technology governance is Aligned.” Here again, the model has additional sub-capabilities and objectives that provide additional guidance and elaboration, but the key is that there is an explicit expectation established in the model to ensure that the implementation of our technology is in alignment with our data management requirements, policies and standards.
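To make the “purge by design and default” requirement from Article 5(e) and Article 25.2 concrete, here is a small worked example that is an addition to this post, not code from Kingland or from either model. It assumes a constructed retention table keyed by the purpose each record was collected for (the periods are illustrative, not taken from the regulation) and a record type that carries its purpose, its collection time and an explicit legal-hold flag. The design point is the default: a record is retained only when a documented retention period still covers it or a documented hold applies; a record whose purpose has no documented period falls towards purging and is reported separately, rather than being kept silently. The hypothetical function names (`retention_deadline`, `classify`) are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention periods per processing purpose. Constructed for this example:
# the GDPR requires that data be kept no longer than its purpose needs, and
# each controller must document what that period actually is.
RETENTION_BY_PURPOSE = {
    "order_fulfilment": timedelta(days=180),
    "fraud_investigation": timedelta(days=365 * 2),
}


@dataclass(frozen=True)
class PersonalRecord:
    record_id: str
    purpose: str             # the purpose the data was collected for
    collected_at: datetime   # timezone-aware collection timestamp
    legal_hold: bool = False  # explicit, documented exception to purging


def retention_deadline(record, policy=RETENTION_BY_PURPOSE):
    """Return the instant after which the record must be purged, or None
    when the record's purpose has no documented retention period."""
    period = policy.get(record.purpose)
    if period is None:
        return None
    return record.collected_at + period


def classify(records, now, policy=RETENTION_BY_PURPOSE):
    """Split records into those to purge and those to keep.

    'By default' means the decision falls towards purging: a record is kept
    only when a documented retention period still covers it or an explicit
    legal hold is recorded. A purpose with no documented period is treated
    as expired (and listed under 'undocumented_purpose') rather than kept.
    """
    purge, keep, undocumented = [], [], []
    for r in records:
        if r.legal_hold:
            keep.append(r.record_id)
            continue
        deadline = retention_deadline(r, policy)
        if deadline is None:
            undocumented.append(r.record_id)
            purge.append(r.record_id)
        elif now >= deadline:
            purge.append(r.record_id)
        else:
            keep.append(r.record_id)
    return {"purge": purge, "keep": keep, "undocumented_purpose": undocumented}


# Constructed sample data; the clock is pinned so the result is repeatable.
UTC = timezone.utc
NOW = datetime(2018, 5, 25, tzinfo=UTC)
SAMPLE_RECORDS = [
    PersonalRecord("r1", "order_fulfilment", datetime(2017, 10, 1, tzinfo=UTC)),
    PersonalRecord("r2", "order_fulfilment", datetime(2018, 3, 1, tzinfo=UTC)),
    PersonalRecord("r3", "fraud_investigation", datetime(2016, 9, 1, tzinfo=UTC)),
    PersonalRecord("r4", "marketing_newsletter", datetime(2018, 1, 1, tzinfo=UTC)),
    PersonalRecord("r5", "order_fulfilment", datetime(2017, 1, 1, tzinfo=UTC),
                   legal_hold=True),
]

if __name__ == "__main__":
    result = classify(SAMPLE_RECORDS, NOW)
    for action, ids in result.items():
        print(f"{action}: {ids}")
```

In the sample, r1 is past its 180-day period and r4 has a purpose nobody documented, so both are purged; r2 and r3 are still inside their documented periods and r5 is under an explicit hold, so those three are kept. The `undocumented_purpose` list is the governance signal: it tells the data owners that a purpose is being processed without a retention decision, which is exactly the gap a practice like DMM 3.4 or DCAM 4.6 is meant to close before the data reaches production.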
As I mentioned, there are a number of other functional practices and capabilities within the DMM and DCAM models that, if followed, help ensure a foundation to meet any number of regulatory requirements. The key is to recognize that effective data management must consider all aspects of IA to ensure that the data is fit for purpose and can be trusted. If we operate under that broader understanding, and leverage these models, then the GDPR or any other new regulation around data should be something that is met by our foundational program or taken in stride.
Visit our website to learn more about the DMM or DCAM models.