What is GDPR?
GDPR or General Data Protection Regulation is a set of rules governing the use of personal data. It goes into effect on May 25th, 2018.
In the EU, GDPR replaces a multitude of laws built on the existing 1995 Data Protection Directive with one comprehensive regulation, but it should be seen in the context of developments in consumer privacy law, most famously the Right to be Forgotten [1]. As more and more business models rely on consumer data, the ethics of how that data is used and who has access to it become ever more important. GDPR is the latest attempt to harmonize data privacy protections with the priorities of businesses and their existing modes of operation. You can find out more about it and its provisions here [2].
Big players with data-centered business models like Google have already begun readying offerings such as G Suite and Google Cloud [3]. That said, you do not need to be a data-hungry powerhouse or an EU-registered company: the regulation extends to any PII (personally identifiable information), employee data and consumer data alike, and applies to any company (US companies included) that handles the data of EU subjects [4].
What is Data Strategy?
Data strategy helps organizations manage their data most effectively and derive insights from it. It touches all aspects of how organizations make use of their data – from how it gets generated, stored, transmitted, processed, accessed, and erased or pushed into long-term ‘cold’ storage, to how it is secured. Data strategy covers both the process and the technology behind implementing it, and has far-reaching implications for security, privacy, and compliance.
For companies with a good data strategy, growth in data volume translates into growth in the value derived from it, whereas for companies without one, growth in data volume comes with growth in risk and exposure, fragmentation of business units’ data and processes, and an overtaxed IT department.
How the Two Go Together
Understanding how data flows through your organization
GDPR embraces the Privacy by Default approach. In practice, this means that data systems need to be designed with integrated mechanisms for ensuring data privacy and security, as well as the ability to monitor how those mechanisms are enforced – a non-trivial task, given the complexity of present-day deployments. It requires a careful understanding of organizational data flows – a crucial piece of a data strategy roadmap.
Data use monitoring and incident response:
Tools like SIEM (Security Information and Event Management) together with software that monitors data use are the pillars of compliance and security for any organization handling data. They apply equally well to consumer privacy and to trade secret protection.
In the event of a data breach, GDPR has provisions in place for how affected users are to be notified. In addition to early detection, there needs to be a clear understanding of which systems are affected and which individuals must be notified.
Right to be Forgotten:
Data retention policies are another key piece of a functioning data strategy and have both technical and legal facets. Increasingly, data privacy compliance means being able to report exactly what data exists about a given individual, as well as complying with erasure requests; both require a clear understanding of organizational data, which comes with, you guessed it, data strategy.
Have questions about how GDPR may affect your organization, how data strategy can help, or simply want to learn where to begin? Reach out to us at hello@pandata.co.
Links
[1] http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf
[2] https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
[3] https://www.blog.google/topics/google-cloud/google-cloud-our-commitment-general-data-protection-regulation-gdpr/
[4] http://www.computerweekly.com/news/450296306/10-key-facts-businesses-need-to-note-about-the-GDPR