Using your data responsibly and strategically with regard to the upcoming GDPR

Increasingly, companies are realising that data can be a strategic asset. Smart use of data can improve the efficiency of processes within the organisation, allowing the organisation to help its customers more efficiently. Simply put, using your data as a strategic asset will boost your organisation’s productivity. That sounds great, but isn’t using this data at odds with ensuring the privacy of the people whose data is concerned? The question is especially pressing with the new and much stricter European privacy regulations (General Data Protection Regulation, or GDPR) coming up: the GDPR will go into effect this coming May 25th and replace current privacy legislation. It will apply to all companies that gather data on persons.

The solution is having a good governance policy with regard to data, also called data governance. All too often organisations do not deal with this aspect of operational management properly; a missed opportunity! Data governance makes it possible to reach your data goals while also guaranteeing privacy and compliance with regulations.

Is data governance on your organisation’s agenda yet? Lucas at Landscape Data Science and Eveline at Solon Advocaten will explain the three steps you’ll need to take to get started!

About the authors

Eveline de Jonge
Lucas van der Meer

Eveline de Jonge is a lawyer at Solon Advocaten in The Hague.

Lucas van der Meer was head of advisory and co-founder of Landscape Data Science in Leiden.

1. Strategy

Lucas: Investing in data helps a lot of companies move forward. For example, data helps increase the efficiency of processes and makes services more valuable to customers. The first step in data governance is establishing goals in a clear data strategy. Investing in data should never be a goal in itself; it should serve as a means to achieve company goals.

If you know which goals you want to achieve with the help of data, you can translate this into an action plan. Start with an experiment that proves that your goal is attainable: a proof of concept. Because if it fails, it’s better that it fails fast and small rather than slow and big. After a proof of concept you can expand the scope of the project.

Eveline: Processing data with a specific goal is also essential with regard to privacy. Personal data can only be collected for clearly and explicitly defined and justified goals. Both current legislation and the upcoming GDPR stipulate this. You are also obligated to communicate these goals to the people whose personal data you are collecting. One way to comply is through a privacy statement.

Personal data may not be stored for longer than is required to meet the stated goals. So-called data minimisation is one of the principles of current as well as upcoming legislation. So only collect data after determining and stating clear goals, and don’t collect more data than required to meet these goals. Has some of this data become redundant or obsolete? Then delete the data. Not only is this a legal requirement, it also lowers the risks of a leak.

2. Overview of the data in your possession

Lucas: The next step to take towards successful and responsible use of data in your organisation is mapping your important data sources - such as customer data or employee data - and how this data flows through your organisation. We call these important data sources data assets. This overview helps you determine which data assets are most suited to help you achieve your goals, and helps identify where extra data collection may be needed.

Eveline: Creating an inventory of data sources is also important in light of legislation. The new privacy legislation assigns more responsibilities to companies than they currently have. One of the responsibilities introduced is an expanded obligation to document uses and storage of data. In a processing register companies must document which departments use which information systems, and which personal data is processed towards which ends. In addition, a description of suitable retention periods and technical and organisational security measures taken to protect the data must be present. In short: mapping your data assets and data flows is essential for compliance.

Lucas: With incredibly low storage costs and concepts such as ‘big data’ it’s easy to overlook the importance of deletion and cleaning: the life cycle of data. Delete or archive data that is not being used. This helps increase the overall data quality; the usability of your data. Define the level of data quality required (and how to measure this) to turn your data strategy into a success.

3. Don’t forget your employees

Lucas: New technical solutions also have organisational implications. For good governance, so-called ARCI diagrams can be of value. Who is accountable for a data set? Who is responsible for day-to-day processing? Who is consulted on a day-to-day basis? Who is informed of changes? An unambiguous assignment of these tasks provides clarity and helps prevent a situation where no one feels responsible for data assets.

Eveline: Clearly defining and assigning all responsibilities - on both the management and executive level - is a measure that is seen as standard, and often imperative, by the Dutch privacy authority. When everyone within an organisation knows their responsibilities, the next challenge to face is integrating the privacy policy into daily practice. Periodically training employees with regard to privacy and data security is also seen as a security measure by the privacy authority.

Result: Win-win

When you have a clear picture of your data strategy in mind, when you have mapped your data sources, your processing register is in order, and there is awareness amongst your employees, you have laid the foundation for good data governance.

Lucas: Without data governance, investments in data are often a waste of money. You should see data governance as a requirement for efficiently using your data.

Eveline: Moreover, data governance enables you to be compliant with privacy laws. You’re treating (the data of) your customers and employees with the protection they are entitled to. It’s better to be safe than sorry: at this moment the maximum fine for non-compliance is €900,000. With the new GDPR this maximum fine becomes a maximum of €20 million or 4% of your annual global revenue.

Is your company ready for the General Data Protection Regulation?

Landscape Data Science & Solon Advocaten offer a joint GDPR scan where the legal, technical and organisational aspects of your collected data will be reviewed.
