By Dennis Slattery, CEO of EDMworks
The governance community is getting married to the privacy community.
But how do we make sure the marriage is long and happy? The challenges are many and the General Data Protection Regulation (GDPR) is one example of a flood of privacy/trust laws that will impact the couple. The changes needed to processes, systems, contracts, governance and accountabilities are truly huge.
Governance has history. It used to cohabit with Risk!
January 1st 2016 was the ‘go live’ date for sell-side BCBS 239 and buy-side Solvency II regulations, both of which accelerated the implementation of governance disciplines including data ownership/accountability, policies, lineage/data flow, measurable quality, and senior management accountability.
BCBS 239 is criticised for a lack of measurable success criteria, ‘Material or Full Compliance’ are terms without objective measures. For many, the regulation was seen as a risk department issue, ignoring the fact that most risk data originates in upstream business and transaction units. Many people working on the data supply chain still do not understand the underlying principles needed to maintain firm wide fit-for-purpose data and evidence of cultural change is thin on the ground.
Lessons for GDPR implementation:
- Top level sponsorship is essential
- Ongoing communication is needed
- Measures of success are critical
- Personal data will exist in more areas than you imagine
- Data is at the heart of the business and needs to be managed as an asset for the overall benefit of the firm.
Should IT be invited to the wedding?
IT has had a lot of bad press for being more interested in technology and less interested in benefits for the firm, while outsourcing of critical systems and staff has meant a huge loss of knowledge and expertise. If you haven’t already done so, it’s time to forgive, forget and embrace. IT needs to be at the heart of change for GDPR.
Lessons for GDPR:
- Major effort lies in adapting legacy systems and processes
- ‘Privacy by design and default’ is a core concept within GDPR and must be embedded in new systems and crafted onto existing legacy systems and networks
- ‘Consent management’ requires careful analysis, planning and change, (great article here from Sima Nadler).
How about inviting the wider family?
GDPR assigns liability for breaches to firms and their sub-contractors so contracts need to be in place and transparency within and between firms needs to exist. Changes envisaged in GDPR are of a cultural nature, whereby people around the firm (and its subcontractors) all need to understand ‘privacy by design’ and know what to do in the case of breaches, near misses and spotting weaknesses.
Lessons for GDPR:
- Culture and values are critical, firm wide communication and training is needed
- Incorporate sub-contractors so they know what to do and have capability consistent with your firm.
What is audit doing at the back of the church? It should at the front.
The role of audit is changing as the world becomes more data centric and regulators do not have bandwidth to carry out detailed assessments. Audit has to self-regulate and evaluate how different parts of the business address regulation and other pressures. Audit has a unique perspective and needs to feed that into the front end of the design process.
Lessons for GDPR:
- Data is at the heart of business, audit needs to become increasingly savvy and proactive
- Audit needs to collaborate with architecture/IT to formulate taxonomies and classifications that can be used use consistently around the firm. Audit use these to build data consistency into every audit it does.
Who is on the top table at the wedding?
The success of GDPR implementation depends on cooperation, collaboration and the support of a broad community within and beyond a firm’s boundaries.
Who needs to be on the top table?
- A board member, privacy is a board level responsibility with powerful sanctions to make top management take notice
- Legal counsel or a data protection officer
- Heads of data governance, operational risk and compliance
- Heads of IT/IS, change and data management
- Heads of product/sales/marketing/customer service/KYC/AML and other stakeholders for personal data
- Head of HR.
What should be in the dowry?
Governance functions should reach out to privacy and ensure they provide a dowry incorporating:
- Existing data dictionary definitions, lineage/data flows, quality measures
- An honest assessment of the capabilities and effectiveness of their lineage work
- An honest assessment of the current state of data ownership and accountability
- A set of data governance tools.
I hope you enjoyed reading about the wedding. Feel free to use the analogy as you wish. Further information on the topic and related events can be found here: