Is your company ready for the entry into force of the GDPR?


What is GDPR?

The GDPR (General Data Protection Regulation) creates a legal framework for data protection in the European Union, with the aim of increasing citizens' control over their personal data. To this end, the regulation acts on those who store and make use of this data, and it defines a much stricter set of rules than those that currently govern the use of personal data.

The set of rules imposed by the GDPR obliges companies to have a much more exhaustive knowledge of where and for what purpose personal data is used. What does this knowledge translate into? For example, companies should be able to answer questions such as:

  • What kind of data do we handle about our clients?
  • Within the organization, who is responsible for this data?
  • What data do we share with third parties?
  • What is this data being used for within the company?
  • How can we eliminate this data from the company?

Who does this apply to? Is it mandatory for all companies worldwide? No, it does not apply to all companies worldwide. It applies to all companies inside or outside the European Union that want to offer their services to customers located in Europe.

How can organizations adapt to comply with the new regulation?

Organizations must put together a plan that allows them to comply with each of the points covered by the new General Data Protection Regulation. Many companies help others implement the regulation and have prepared guides for defining such a plan in organizations that must adapt to the GDPR. According to these guides, which facilitate adoption of the regulation, the plan must address the following objectives:

  • Make decision-makers in your organization aware of the entry into force of the GDPR, and of what is new in this regulation.
  • Know what personal data you have, where it comes from and with whom you share it.
  • Review the company's current privacy notices and make any changes necessary for the implementation of GDPR.
  • Ensure that definitions of new procedures cover the rights that individuals have, and include new procedures such as deletion of personal data.
  • Review each type of data processing carried out by the organization in order to validate its legal basis.
  • Validate and document how the customer's consent is obtained and stored with regard to the use and storage of their personal data.
  • Define procedures that allow the organization to verify the age of individuals and how to obtain parental consent for inclusion in data processing.
  • Assign someone to take responsibility for data protection compliance and assess where this function will be located within your organization's governance structure and arrangements.

Furthermore, everything that companies must take into account when defining the plan for complying with the new regulation can be classified into four main elements:

  • Policies, which establish the rules that will help the company comply with the regulation.
  • Validation rules, which define how to measure whether or not the defined policies are being complied with.
  • Procedures, which define how to carry out each of the policies established to implement the regulation.
  • People: a series of roles with their associated responsibilities must be defined, and people must be assigned to these roles. These individuals will be responsible for implementing procedures and ensuring compliance with policies.

And isn't all this part of a governance model?

Data governance helps an organization acquire the ability to manage the knowledge it has about its information and to establish procedures to manage, improve and leverage that information in a way that supports the company's decision-making and cost evaluation.

When a company does not have data governance, its data is not integrated into a concept within the organization's knowledge taxonomy, and controlling it is difficult or, in some cases, impossible.

Data governance is a function of control and coordination between the company's departments. To achieve its objective, the company must reach a consensus in order to:

  • Define roles and responsibilities.
  • Establish policies.
  • Define procedures that carry out the policies.

Is it important to implement a governance model in the company?

Taking into consideration everything we have seen in this article, GDPR is not just another reason to implement a governance model in your organization; it is also one that can help you avoid the significant financial penalties linked to this new regulation. It should not be the only motivation for implementing a governance model, however, because new regulations will come, and the sooner a company is able to manage its data, the sooner it will be able to make decisions and evaluate costs on its data in a more agile and economical way.

And what do companies and users think?

From the users' point of view, the new regulation is a step forward in allowing everyone to own their personal data in an era where social networks and Internet companies do business with such data for multiple purposes (marketing, advertising, etc.) without the user being able to know about these transactions.

From the companies' point of view, the round table on the GDPR held at the last edition of Big Data Spain 2017 raised the possibility that applying this regulation, in addition to the investment it represents for European companies that must adapt to the new framework, means a reduction in their competitiveness against large non-European companies that do not have to adapt to this legal framework. European companies would therefore not be competing under the same rules as companies from other world powers such as China or the USA.
