Thursday, April 6, 2017

How The GDPR Can Propel An Organization's Informational Infrastructure

I concluded my recent post "GDPR - More Than Just Another Regulation" stating that the GDPR (General Data Protection Regulation) forces organizations to prioritize a long-due overhaul of their informational infrastructure. 

In my understanding, a contemporary informational infrastructure is a system of people, processes and tools that covers the five business disciplines represented in the image below, where each level builds on the one beneath it.

From my observations, a vast number of organizations find themselves in a situation where upper management hopes to advance levels 4 and 5 to gain an edge over the competition, while business departments still struggle with the quality of level 3 because the foundation in levels 1 and 2 is missing.

How does that relate to an organization's capability to comply with the GDPR? 

The sole purpose of the GDPR is the protection of an individual's rights as the owner of their personal data. However, since personal data are at the core of almost any business and even any business transaction, the GDPR's provisions imply a certain informational infrastructure. 

For example, the GDPR grants any individual ("data subject") residing in the EU far-reaching control over their personal data records throughout the complete data lifecycle with an organization, i.e. control over Create, Read, Update and Delete of their personal data. 
  • Create: The creation of records requires the data subject's explicit consent [Art. 6 et al.]. 
  • Read: The data subject has the right at any time to know the total scope of captured and stored metadata and values related to their personal data [Art. 15 et al.] and to object to the processing of their data for certain purposes [Art. 21 et al.].
  • Update: The data subject has the right to rectify their personal data [Art. 16].
  • Delete: The data subject has the right "to be forgotten", i.e. to have their personal data deleted upon demand [Art. 17]. (Note: The data subject can only exercise this right if there is no other legal obligation for the controller to retain the data subject's personal data, e.g. the obligation to document (recent) commercial transactions with the data subject.)

Although the provisions of the GDPR do not explicitly mention any infrastructural measures at levels 1 and 2, it is obvious that the controller can only comply with the rights of the data subject if the whereabouts of the data subject's personal data are completely transparent at any time, i.e. if the controller employs
  • a data model of the personal data (that shows all the references and physical storage locations of personal data throughout the organization) [prerequisite for rectification and deletion] 
  • a map that shows all the information flows of personal data (data flow diagram, process model) through the organization [prerequisite for information about the usage purposes and potential objection] 
  • a functioning Master Data Management system that maintains "golden" records of personal data (or at least keeps the possibly multiple records in sync) [prerequisite for rectification and deletion] 
  • a functioning Data Governance system [prerequisite for complying with the GDPR in general] 
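To make the connection between the four data-subject rights and the inventory measures concrete, here is a small Python sketch added to this post (it is not code from the original article or from any particular product). It models a personal-data inventory that knows every physical copy of a subject's data, its store and its processing purpose, and uses that knowledge to answer a Read request, flag an objection, propagate a rectification to every copy, and erase all copies except those under an unexpired legal retention hold. All store names, field values, dates and the retention rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Record:
    """One physical copy of a data subject's personal data in one store.

    Store names and field values used below are constructed for the
    example; they are not taken from any real system.
    """
    store: str                           # system holding the copy (e.g. "crm")
    subject_id: str                      # the data subject this copy belongs to
    fields: dict                         # the personal-data values themselves
    purpose: str                         # why this store processes the data
    retain_until: Optional[date] = None  # legal retention hold, if any
    objected: bool = False               # subject objected to this purpose


class PersonalDataInventory:
    """Data model plus data-flow map of personal data across the organization.

    Knowing every copy and its purpose is the prerequisite for serving the
    data-subject rights: Read (Art. 15), object (Art. 21), rectify (Art. 16)
    and erase (Art. 17).
    """

    def __init__(self) -> None:
        self.records: list[Record] = []

    def register(self, rec: Record) -> None:
        """Create: record a new copy (consent under Art. 6 assumed obtained)."""
        self.records.append(rec)

    def _of(self, subject_id: str) -> list[Record]:
        return [r for r in self.records if r.subject_id == subject_id]

    def read(self, subject_id: str) -> dict:
        """Read (Art. 15): every store, the fields it holds and its purpose."""
        return {r.store: {"fields": sorted(r.fields), "purpose": r.purpose,
                          "objected": r.objected} for r in self._of(subject_id)}

    def object_to(self, subject_id: str, purpose: str) -> list[str]:
        """Object (Art. 21): flag every copy processed for the given purpose."""
        hit = [r for r in self._of(subject_id) if r.purpose == purpose]
        for r in hit:
            r.objected = True
        return sorted(r.store for r in hit)

    def rectify(self, subject_id: str, updates: dict) -> int:
        """Update (Art. 16): push corrected values to every copy holding the
        field, keeping all stores in sync (the MDM 'golden record' role)."""
        touched = 0
        for r in self._of(subject_id):
            changed = {k: v for k, v in updates.items() if k in r.fields}
            if changed:
                r.fields.update(changed)
                touched += 1
        return touched

    def erase(self, subject_id: str, today: date) -> tuple[list[str], list[str]]:
        """Delete (Art. 17): remove every copy except those under a legal
        retention obligation that has not yet expired. Returns the stores
        erased and the stores that must keep their copy for now."""
        erased, retained = [], []
        for r in self._of(subject_id):
            if r.retain_until is not None and r.retain_until > today:
                retained.append(r.store)
            else:
                erased.append(r.store)
        self.records = [r for r in self.records
                        if not (r.subject_id == subject_id and r.store in erased)]
        return sorted(erased), sorted(retained)


def demo() -> tuple:
    """Constructed sample data for one subject, walked through all four rights."""
    inv = PersonalDataInventory()
    inv.register(Record("crm", "s-1", {"name": "A. Sample", "email": "a@example.org"},
                        purpose="customer care"))
    inv.register(Record("marketing", "s-1", {"email": "a@example.org"},
                        purpose="newsletter"))
    inv.register(Record("billing", "s-1", {"name": "A. Sample", "invoice": "INV-1"},
                        purpose="commercial records",
                        retain_until=date(2027, 12, 31)))  # assumed legal hold
    scope = inv.read("s-1")                                  # Art. 15
    objected = inv.object_to("s-1", "newsletter")            # Art. 21
    synced = inv.rectify("s-1", {"email": "new@example.org"})  # Art. 16
    erased, retained = inv.erase("s-1", today=date(2017, 4, 6))  # Art. 17
    return scope, objected, synced, erased, retained


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the shape of the answer, not the code: without the inventory, the controller cannot say which stores hold the e-mail address, so a rectification reaches only the store the request happened to arrive at, and an erasure request cannot distinguish copies that may be deleted from the billing copy that must be retained.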

Organizations should welcome the GDPR as they will profit from these measures far beyond the purpose of complying with this regulation...

Monday, April 3, 2017

GDPR - More Than Just Another Regulation

It has become all too common that business initiatives targeting infrastructural improvements, such as Enterprise Architecture & Business Modeling, Data Governance & Master Data Management, and Privacy & Data Protection, are put on the back burner or suppressed entirely in favor of endeavors that promise monetary benefits in the short term.

Accordingly, few organizations are really prepared for a timely response to requirements imposed by law or by industry-specific regulatory authorities. Considering the usually moderate fines for non-compliance and the potentially small other consequences, delayed reaction and acceptance of the risk of eventually being hit by the proverbial stick have become an element of business calculation.

When conceiving the General Data Protection Regulation (GDPR), the European Union (EU) obviously anticipated that a non-negligible number of organizations would be reluctant to comply rather than make reasonable efforts. EU lawmakers have therefore replaced the penalty stick with a sledgehammer right out of the gate (May 2018). In plain English, the EU's powerful message says: 

"If you, the organizations of the world, process personal data of our people, you have to respect the provisions of the GDPR; otherwise we will hold you accountable with fines of at least EUR 20 million, while in return we apply the same rules to our organizations when it comes to the treatment of the personal data of your people."

Not emphasizing nations or ideologies, but simply putting people first, is not only a strong political statement but a directive that will change the way business will be done in the foreseeable future. It is a contemporary way of saying "the customer is king" while forcing organizations to prioritize the long-due overhaul of their informational infrastructure. 

Too bad that we need lawmakers to remind us of what should have been common sense in the first place.