start of a race
PHOTO: Brandon Wong

May 25, 2018 is right around the corner. 

For beleaguered residents of the U.S. Ohio River valley region like me, late May is when we usher in summer and its welcome respite from this winter’s whipsawing cycles of ice, snow, rain and flooding. 

For companies in the crosshairs of the European Union’s General Data Protection Regulation (GDPR), May 25 is the date on which EU regulators will expect full compliance with the new regulation, which requires comprehensive data protections as well as clarity and transparency on how personal information is being collected and used. 

Relief on the one hand, anxiety on the other.

Fortunately, many companies have a resource ready to assist them with compliance — their data governance organizations. While some GDPR requirements, such as obtaining individuals’ consent for solicitation and data collection and use, fall primarily on the business units themselves, many others sit squarely in the data governance and data management wheelhouse. 

In a CMSWire column last summer, I nudged marketers to make data governance their best friend, but the reality is every business unit that deals with customer information should be looking to their companies’ data governance organizations for help with GDPR. These business units include digital transformation teams, customer experience and customer service organizations, customer analytics groups, and credit, risk and fraud units.

Related Article: How Marketers Can Prepare for the GDPR

Data Governance Defined

To fully understand how data governance and data management can assist with GDPR compliance let’s first look at what they entail.

In their book “Customer Data Integration,” Jill Dyché and Evan Levy coined what I consider to be the gold standard definition for data governance: “the organizing framework for establishing strategy, objectives, and policies for corporate data.” Data governance programs that follow the tenets set out in this definition will establish business stakeholders as information owners and position enterprise data issues as cross-functional — both of which are steps that are critical under GDPR.

Equally important is data management, the operational complement to data governance. Data management teams develop and implement the detailed block-and-tackle processes needed to carry out governance-defined corporate data policies. Primary focus areas typically include data discovery, metadata management, data quality and data architecture — again, all critical to GDPR.

Related Article: Good Data Governance in the Platform Age

Governance and the GDPR

Here is a look at three GDPR requirements, with explanations of how data governance organizations can help their companies fulfill those requirements.

GDPR requirement: Establish data ownership and accountability

In some cases, the GDPR requires companies to appoint a specific employee, perhaps with the title of data protection officer (DPO), to ensure accountability for all aspects of compliance. Some companies will hire specifically for this role while others will assign the responsibility for GDPR compliance to someone in an existing position, such as the chief data officer (CDO).

Governance action: Customer data lives in many systems and applications across a company, necessitating the need for a holistic cross-organizational approach to all aspects of GDPR compliance. Governance groups have always dealt with cross-organizational issues. In fact, two key responsibilities of these groups are to establish business ownership and accountability for data and to establish cross-functional mechanisms for dealing with enterprise data issues.

Most data governance programs ask business data owners to appoint data stewards who in turn become the go-to individuals for making decisions on quality rules, definitions and access rights. These individuals monitor the data under their stewardship, they serve as the liaisons between IT and the business, and they escalate data issues to the business owners and data governance committees. The cross-functional nature of data governance organizations, with their business data owners, data stewards, data escalation processes, and clearly defined roles and responsibilities around data, makes them the ideal organization to take on many aspects of GDPR compliance. If a company has a CDO, chances are that this person is already responsible for, or is at least intimately involved with, data governance. If a DPO has been appointed, he or she would be smart to join forces with existing governance groups early in the planning process.

Ensuring that the types of customer data covered by the GDPR are incorporated into the governance process (and thus have identified business owners and data stewards) is a must.

GDPR requirement: Conduct a data protection impact assessment

Under the GDPR, companies will be required to conduct an initial audit of processes that use data covered by the new law. This audit should specify the information collected and used, assess the degree to which these processes conform with GDPR principles (for example, determine whether the data collected is needed for a specified purpose and if the processes are in keeping with the stated purpose), assess risk, and document processes and compliance efforts. These audits will have to be periodically refreshed to ensure continued compliance.

Governance action: The business data owners and data stewards will be critical participants in this aspect of GDPR compliance. They have the knowledge and business contacts to identify, classify and document all of the data collected and stored that falls under the auspices of the GDPR.

The audit will need to include both structured and unstructured data. Questions to ask include the following: Who owns the data? What are the retention periods (and is the data ever deleted)? And, where does the data reside (specifically, which systems house the data and is the data is on premises, in the cloud or held by a third party)?

The data stewards may need the help of the IT team and the people responsible for managing third-party relationships. There are technical tools that can help with some aspects of the data discovery phase, however most technologies cannot answer questions about context, so data stewards must participate in the audit.

The next step is to identify the business processes and applications that use the audited data. Again, the governance group will be invaluable in this process, particularly because it will need to account for “shadow IT” applications that may be sitting on desktops, in departmental spreadsheets and databases, or elsewhere.

Related Article: The GDPR and Plain Language: What You Need to Do to Comply

GDPR requirement: Ensure data clarity, transparency and portability, by design 

The GDPR includes a host of rules that require that consumers have both knowledge of and control over how their data is used. Individuals can request copies of their data, demand remediation of incorrect information, or ask to have their information erased. Companies must build state-of-the-art protections into new business processes and IT systems to ensure that they are capable of meeting those requirements.

Governance action: The more technical aspects of data management are critical for meeting these requirements. Data quality processes will ensure that a company is capable of identifying and correcting data quality problems. Metadata and the associated data lineage will be essential for tracking data movements and changes, and for understanding both data definitions and usage context. In addition to identifying where data is stored, data discovery will help to determine characteristics for new data entering the company.

Data architecture will set the standards for applications and data integration that can ensure both state-of-the-art protections and privacy by design.