In the second part of our guide to the GDPR and the advantages of RegTech, we looked at the data subject rights defined by the new rules. In this third and final part, we look at the obligations of organizations, describe the challenges and explain the opportunities these obligations bring for an institution.
Organizations’ obligation – The challenge
Software may not be the answer to every question, but it helps organizations meet their obligations. In times of mass data processing it is obvious that the requirements cannot be managed efficiently without the support of information technology.
Proof of compliance
Organizations actively have to prove compliance with the GDPR (the accountability principle). They have to demonstrate that they can manage data protection and fulfil data subjects' rights as a standard operational task.
Processes have to be implemented whose effectiveness can be verified in a traceable way. Data management and good data governance become a core capability of every company. Data protection is closely tied to the neighbouring compliance frameworks of information security and IT security: the technical and organizational measures that protect personal data are largely the same controls those frameworks already demand.
Tasks of the data protection officer
The Data Protection Officer (DPO) no longer merely advises on data protection matters but must actively monitor compliance with the GDPR and related rules and regulations. To underline the magnitude of the task, consider that the duties are based not only on the regulation itself but also on other acts and on the work of the Article 29 Working Party, which has provided a number of documents and guidelines with quasi-binding effect. Companies therefore have to build structures that allow the DPO to fulfil these widened duties.
The GDPR (Article 39) specifies a minimum set of duties for the DPO:
- Informing and advising the controller or processor and the employees who carry out processing
- Monitoring compliance with the GDPR and other data protection rules
- Monitoring the organization's own data protection policies, including the assignment of responsibilities, awareness-raising, training and audits
- Advising on data protection impact assessments (DPIAs) and monitoring their performance
- Cooperating with, and acting as contact point for, the supervisory authority
- Taking a risk-based approach, with due regard to the nature, scope, context and purposes of the processing
Data governance
Compliance with the GDPR comes with the requirement of designated responsibilities, functions and an allocated budget for data protection. Organizations are therefore asked to implement a wide range of measures to comply with the GDPR. Some of these are:
- Data protection by design and by default (Art. 25)
- Data protection impact assessments for high-risk processing (Art. 35)
- Regular audits and assessments
- Appointment of a Data Protection Officer where required (Art. 37)
- Records of processing activities (Art. 30)
- Training and awareness programme
If a personal data breach is discovered, the controller has to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the people affected (Art. 33). A processor that discovers a breach has to notify the controller without undue delay. If the breach is likely to result in a high risk to those people, the data subjects themselves have to be informed as well (Art. 34).
Companies should therefore have procedures at hand to detect, report and investigate data breaches; the same procedures are a good idea for any sensitive data, personal or not. Companies that fail to report breaches face significant administrative fines as well as liability for the damage caused.
Companies have to prove compliance with the GDPR, and this goes beyond technical and organizational measures. Mandatory documentation requirements apply to all procedures that handle personal data, regardless of whether the data are exposed to external access. It is highly probable that additional documentation requirements will follow.
'Store and forget as long as it is secure' is no longer an adequate data management style. Companies have to take care of personal data throughout their lifecycle. As soon as data are no longer necessary for the purpose they were collected for, delete them permanently. If the environment changes, make sure the data are still treated in compliance with the GDPR. Environment in this context might mean a change of processes, of the data themselves, of regulatory requirements, or even of the semantic meaning of the data.
The GDPR distinguishes between controllers (including joint controllers) and processors. Outsourcing functions to a processor remains possible, but every party carries its own obligations and can be held accountable for a compliance breach. The controller, as the party that determines the purposes and means of the processing and faces the data subject, bears the primary accountability, and it has to bind each processor by a contract that sets out the processor's obligations.
Organizations’ obligation – The solution
So much for the challenges, but how should you tackle them? As outlined before, we believe it is important to address them so as to a) achieve compliance with the regulatory requirements and b) create additional value. eccenca's solution based on its Corporate Memory platform, for instance, supports organizations' obligations by providing a full map of granular metadata per data subject. This map can be browsed and searched from any perspective to help resolve the new tasks that organizations face.
The map includes links and pointers to the systems that actually manage the data and shows how things are connected, what the data are used for (purposes), which legal bases underlie the processing, and who acts as data controller and who as data processor. Understanding the personal data landscape within a company's data processing fabric is key to demonstrating the capabilities required.
The value added by this approach comes in many forms: it builds trust and transparency with the supervisory authorities, it creates transparency about the data protection risk situation, and it can serve as a nucleus for improved data governance beyond personal data. Firms become better able to manage data protection, and response times to audit requests become easier to control.
In financial terms, the value added comes in the form of faster, cheaper and more reliable processing of subject access requests (SARs), lower data processing costs and a lower cost of risk.
From an internal perspective, the GDPR can serve as a wake-up call to good data governance practice beyond the scope of personal data. The internal project can be designed to resolve a much broader range of issues than personal data management alone. The regulation asks controllers and processors to know what they do and what they hold in terms of data. This is valuable good practice that can improve the agility of organizations at all levels. Markets change faster than ever, and being able to adapt requires a critical level of introspective capability. If a company wants to change processes, it needs to change systems and related data, too. The better data governance, and in turn data management, are in shape, the higher the probability of successfully managing the general digitalization challenge that all sectors currently face.
From an external perspective, demonstrating good personal data management is ever more important to win and keep the trust of customers. With the GDPR, sensitivity to good data protection will keep growing on the consumer side. Companies that fail to address this will sooner rather than later notice that their customers have been handed a powerful stick they never had before. Companies that demonstrate that they actively care for data protection, on the other hand, will see a competitive advantage, because data protection will be perceived as important by a growing segment of their target groups.
The General Data Protection Regulation puts the rights of the data subject at the core of the requirements it addresses to data controllers and data processors. Controllers and processors are made accountable for taking care of personal data. Companies are obliged to know every step of the data lifecycle and the impact of daily business on data management. Now that companies also have to prove compliance with the new rules, it is paramount that they know which data management process is affected by which specific GDPR articles.
Our RegTech example, eccenca's Corporate Memory, supports key functions of personal data management by operating a comprehensive framework that relates data to procedures, systems and regulation. Semantic technology helps to significantly reduce and effectively manage complexity, simplifies the management of data, and reduces operating costs and the cost of risk. Transparency, reliability, trust and performance increase an organization's competitive advantage. Besides supporting adherence to the GDPR, eccenca's technology opens up opportunities to support a broader range of data governance and data alignment initiatives, beyond the mere scope of the GDPR.
The GDPR is one of the most challenging regulatory initiatives of recent times. When done right, it is a huge opportunity to win the trust of customers, creating a substantial competitive advantage in a crowded field.
This concludes the final part of our three-part series on the GDPR; you can find the first part here and the second part here. This post, like the entire series, is the result of our collaboration with eccenca, a software and solutions company. eccenca's next-generation data management solutions drive automation and rationalization for metadata management, data integration, analytics and data-driven processes. By turning 'strings into things', eccenca creates meaningful and machine-interpretable knowledge graphs that allow the integrative interpretation of previously siloed data across the enterprise or even throughout value networks. To find out more, go to www.eccenca.com. You can meet eccenca showcasing their data management solution at the 2018 Chief Data Officer Exchange and the Marcus Evans 4th Annual Data Quality and Consistency in Banking to find out how they use it to help with the challenges of the GDPR.
PlanetCompliance only publishes sponsored content from companies whose products and services we think our audience will find valuable or interesting. For additional information about how we handle partnerships and content production, please have a look at the PlanetCompliance Disclosure Policy, which you can find here.