Why GDPR and Data Governance go hand in hand
Like G&T, data governance is not a new concept. It has been recognised for years as a method of protecting the business, mitigating risk, increasing operational efficiencies and managing customer relationships. In essence, a robust data governance programme ensures the right foundations are in place to empower your teams to make the most of personal data assets in a safe and secure way.
At its heart GDPR oozes data governance, requiring organisations to have in disciplined, transparent and accountable ways when they process personal data.
What is data governance?
Data governance is a holistic approach to data privacy and security, addressing all aspects of data management from data accuracy through to compliance. It’s essentially a set of management practices which ensure that data is used and protected properly, according to the law and best practices.
To coin the often used phrase “data is the new oil”, your data is one of your most valuable business assets. To make it work profitably for your business, you need to understand it fully and take responsibility for it. With an effective data governance programme you can embed a Privacy by Design and by Default across the organisation. A fundamental part is the assessment of data assets used by the business and understanding how that data is being gathered, stored, used and shared.
This should include risk assessment processes to discover, assess, prioritise and take action to mitigate compliance risks. A governance programme should ensure your teams are able to identify both existing and emerging risks, so they can be efficiently assessed and mitigated.
Think of data like a balance sheet: it has great potential to create value but also carries risks and liabilities. When establishing a data governance programme we are trying to protect both the business and those whose data we process from harm which may arise from things like inaccurate data, unlawful or unfair processing or processing personal data in ways the individuals would not expect. Put simply, data governance sets out your rules of engagement. For example, creating policies to guide those who process the data and training them so they know what to do and how to recognise & avoid the pitfalls.
An effective data governance programme also takes into account roles and responsibilities; clarifying who has the authority to make decisions and regulates accountability for actions taken. Data governance can enable you to;
- protect the business and those whose data you process: customers, employees, etc
- educate your people: provide policy & guidance them on how to use data in the safe and appropriate ways
- build in an ethical approach in addition to what the law requires
- build your reputation and customer trust
- enhance the value of your data assets
- support innovation
We must win hearts and minds
Data protection and privacy professionals face a cultural challenge to win hearts and minds. I have sometimes heard Legal or Privacy teams described as ‘The department of no’, i.e. seen as putting obstacles in the way of innovative ideas and strategies with data. That’s not how we want to be seen. We should help our business colleagues to balance the needs of commercial and operational functions with the legal requirements. We need to go a step further than explaining the law – we must help them to find pragmatic solutions. Collaboration and mutual understanding are essential ingredients for successful data governance.
Forward-thinking organisations have and are recognising that good governance can build customer trust. Strong privacy and transparency credentials can be a real brand asset. Business objectives can be met without taking unnecessary compliance risks when we work together.
Simon Blanchard, DPN Deputy Chair & Senior Associate at data protection consultancy, Opt-4
20 March 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.