The EU General Data Protection Regulation (“GDPR”) came into force on May 24, 2016. Companies offering goods or services to individuals in the EU have until May 25, 2018 to comply with the requirements set out by the GDPR. While GDPR requirements may appear rather prescriptive compared to its predecessor – the EU Data Protection Directive – the GDPR advocates for a systematic and organized compliance culture.
Article 30 of the GDPR requires companies to maintain detailed records of their processing activities as means to demonstrate accountability. The records of processing must include: a) details of the controller; b) purposes of the processing; c) details of the categories of data subjects and personal data; d) categories of recipients of personal data; e) cross-border data transfers and suitable safeguards; f) retention period; and g) a general description of the technical and organizational security measures.
We previously discussed how data maps can help controllers identify the “5 W’s” (Who/Where/What/When/Why) of personal data and comply with the Article 30 requirements. Here, we consider how Enterprise Data Management (“EDM”) will help companies effectively manage their obligations under GDPR while optimizing their Big Data opportunities.
In a Capgemini report, EDM is defined as “the development, execution and supervision of plans, policies, programs and practices that control, protect, deliver and enhance the value of data and information assets”. The same report also identifies the following EDM capabilities: critical data inventory, data integration, data profiling, data quality, metadata management, master data management, reference data management, and data privacy (anonymization). EDM focuses on the technology components of a comprehensive Information Governance (“IG”) strategy.
Ongoing legal compliance, an ultimate necessity and measure of a successful IG strategy, requires companies to be transparent about and accountable for the information they create, use, manage, store and dispose of. Companies should integrate EDM capabilities into their IG strategy in order to meet the challenges of ongoing legal compliance as well as to optimize their management of information. EDM capabilities provide companies with the technical solutions to accurately identify and tag the details required by Article 30 of the GDPR.
EDM is the forward-looking way to comply with GDPR. To fully comply with GDPR, companies must embrace the concept of “privacy by design” and embed privacy into technology. Adopting a comprehensive IG strategy that incorporates EDM also requires companies to ensure transparent and open communication between IT, Compliance and all business units, so that the effectiveness of the IG strategy can be monitored and controlled.
Contributors - Frances Chen and Nadia Rauf