After the Flood: GDPR and the Need for Digital Governance

Blog entry

By Rafael Bloom, director at change management consultancy Salvatore

Markets in Financial Instruments Directive II (MiFID II) and General Data Protection Regulation (GDPR) are landmark pieces of legislation in their own right – but there is one overarching phenomenon that explains the need for these and other such regulations that are springing up across industry verticals.

It turns out that all the talk about Big Data over the past few years was a serious understatement. Data volumes were already big when the term was coined, but are now growing at such a rate that legislation is necessary to protect us all from an unstoppable deluge. It would be nice to think society could adjust naturally to a world of big data, but the evidence to the contrary is clear: unless we are forced to change, mistakes will be made that lead to the erosion of individual privacy, the loss and subsequent misuse of personal data, and the accumulation of unacceptable systemic risks which could conceivably trigger a major societal disruption.

If we can agree that such a profound set of changes will not happen organically, then we can begin to understand that legislation is necessary as the prime mover for change. A robust regulatory structure will tip the balance away from data issues being a ‘cost of doing business’ and towards a culture in which negative consequences for non-compliance outweigh the cost.

GDPR

We must hope that the new wave of data-centric regulations strikes the right balance between impractical heavy-handedness and the reality of putting in place necessary adjustments to technology and processes. After all, most institutions that already comply with the 1990s data protection rules, such as the UK Data Protection Act of 1998, should only have to make minor adjustments to meet new standards. The European GDPR rules around personal data, which come into force in May 2018, extend the scope of the existing regulation: they take in data processors as well as data controllers, deepen the understanding of what personally identifiable information (PII) is, and require data points such as IP addresses and location data to be included.

In essence, because GDPR functions by endowing data subjects with enhanced rights over their PII, it lets institutions decide for themselves how to make sure such rights are respected. Broadly speaking, this amounts to institutions being able to demonstrate the steps they took to protect personal data over its lifecycle and respect individuals’ data subject rights. When a breach occurs, what an institution did to prepare for the event will have a significant bearing on consequences.

GDPR raises the bar for information governance in society as a whole, and those who bemoan its coming fail to grasp the significance of the new era of rapid data growth. Without it, we are exposing a soft underbelly to those who would use personal data as a tool to commit crimes, to discriminate against certain groups, or to destroy the mutual trust we need to hold an economy together. It would be ridiculous to see legislation as a panacea for these things, but at the same time it would be irresponsible to enter this technological phase without appropriate standards being set and the tools to enforce those standards being put in place.

GDPR is being made the poster child for this legislative trend, which is understandable since it is not industry-specific and affects citizens directly, and also because it is a compelling event that can be used to sell solutions and services. What it really signals is the need for effective governance over data operations, so that justice is seen to be done.

Across emerging fintech and regtech industries, one unifying factor is the ability of data to shine a light on the truth. This is the essence of the wave of digital transformation that is changing the way we perform daily tasks from ordering a taxi to executing a block trade. Those who make use of digital transformation will profit, just as those who do not risk being left behind. Just ask the ex-CEOs of Kodak and Blockbuster Video how that went for them.

Digital transformation

Given the confluence of these factors, digital transformation is far from being a fad, but it is also defined in different ways by different sectors. There is value in being able to identify commonalities, and one way to do this is to acknowledge differing levels of ‘digital maturity’. This means digital transformation should not merely be focused on digital tools, but also on helping individuals adapt to new patterns of behaviour.

A proper data governance structure is key to this aim, and it must involve all stakeholders within a business, from IT and legal to financial, customer-facing and human resources functions, with a Data Protection Officer (DPO) leading the charge. Challenges like GDPR should be approached in a holistic manner, rather than forming a committee for each separate challenge and driving actions down through a company’s divisions. We should acknowledge that, irrespective of individual regulations, investment in people, coupled with a proper understanding of and control over data lifecycles, is essential to effective digital governance.

Rafael Bloom is director of Salvatore, a strategy and change management consultancy, and a founder member of the Digital Governance group together with Atom Consulting and TMotions Global.