The implementation of the General Data Protection Regulation (GDPR) is intrinsically linked to a company’s data governance program. Numerous articles have linked the two initiatives, but none so clearly as Dennis Slattery’s recent article on LinkedIn. The analogy of a wedding between Governance and Privacy is very fitting, but it also highlights a key factor: a successful long-term marriage is based on strong foundations and mutual effort, or as Henry Ford put it: “Coming together is a beginning; keeping together is progress; working together is success.” So how do we make this a successful marriage?
The GDPR regulation is very clear on what needs to be done to protect the Data Citizen’s rights, but the open question most companies are facing is how to comply with the regulation and/or go beyond the minimum and make GDPR work for them.
Most discussions around how to implement GDPR today are focused on one of two approaches: top down or bottom up. I would argue that the approaches are not mutually exclusive and that a successful implementation of GDPR must be based on a combination of these complementary approaches.
In a top down approach, the GDPR team will reach out to the business to get a clear understanding of all business (data) processes that involve personal data in one way or another. For each process (think of third party credit checks, address verification, data analytics, and more) there are a number of attributes that need to be clarified, such as:
This is not a one-time effort: once all processes related to personal data are identified and categorized, they will need to be maintained as the organization, its infrastructure, and its processes evolve over time.
The bottom up approach is more technical in nature.