GDPR has put ‘personal data’ at the top of the corporate agenda. Add it to the other privacy laws now appearing worldwide, such as Australia’s APP and Canada’s PIPEDA, and it’s no wonder that organisations are paying close attention.
However, unlike most of their enterprise data, organisations are only custodians rather than owners of personal data – the personal, identifying information they store on customers, prospects and other individuals actually belongs to those people.
This has profound implications for the transparency requirements attached to that data and for the ways in which it can be harvested, processed and monetised. Together with the risk of reputational damage involved in GDPR non-compliance (as well as fines of up to €20 million or four percent of annual turnover, whichever is higher), this will fundamentally change the commercial dynamics of processing and sharing personal data.
This is why organisations need personal data governance: a dynamic, transparent and secure operational system for managing that personal data and the entire personal data ecosystem. Such a system not only supports their organisational and regulatory requirements, but also provides transparency for the rights of data subjects and visibility across the entire supply chain.
From a personal data governance perspective, everything revolves around business processes. The required level of understanding is only possible if businesses are able to discover and document all their processes and the associated data flows, internal and external as appropriate, and not just within the enterprise but throughout its supply chain too.
A successful approach therefore requires, among other functions: management and insight from one comprehensive system; a dynamic ability to respond to changes; risk measurement and management; full governance and management of the personal data lifecycle; and transparency, effectiveness and efficiency with respect to the rights of data subjects.
At a broader strategic level, corporate governance is a system for understanding the rights and responsibilities of business leaders and monitoring the actions, policies, practices and decisions of organisations, their agents and affected stakeholders. Where it fails, business scandals like Enron follow.
Personal data governance is required to create similar rules and accountability around the use – and potential misuse – of personal data. In the end, governance is how businesses create trust.
And in the new, post-GDPR world, trust is more than a nice-to-have. In fact, it is a source of competitive advantage. Companies that fail the personal data governance test will have those failures publicly revealed and face potentially crippling reputational damage to their brand that even outweighs the fines. And remember that the likes of GDPR are only the beginning: where personal data is such a valued commodity, consumers will begin to understand that value and employ it accordingly.
For more information about personal data governance, and how trust-hub is helping businesses to develop their strategies, please contact us at +44 (0)20 3582 5055 or request a demo of our Privacy Lens.
Please sign up above to be first in line when the IDC’s executive briefing “Privacy is Strategic - we call it personal data governance” is released.