How data governance can support data privacy compliance

Organizations that already have a data governance capability in place have a solid head start and can leverage it to facilitate many aspects of data privacy compliance.

Agile Innovations in Data Management

GDPR. CCPA. What’s next? Data privacy regulations are just starting to take hold. As of the end of 2018, we’re more than six months past the GDPR enforcement deadline and barely a year away from the California Consumer Privacy Act taking effect. Many companies are still analyzing and formulating their approaches to these new regulations. A recent survey by the International Association of Privacy Professionals notes that more than 50 percent of companies estimate that they are not yet compliant with the GDPR.

These regulations respond to a growing demand from consumers that organizations take more care with their data. Their impact is global and real, and more will be enacted, whether by additional states (Georgia?) or at the federal level.

The first major GDPR fine was the $57 million penalty imposed on Google by the French data protection authority (CNIL), which Google plans to appeal. The regulator laid out two areas in which Google was failing to meet GDPR standards:

  1. Information relating to what data was being collected, why it was being processed and how long it would be stored was not easily accessible, sometimes requiring five to six steps for users to locate. Once located, information was not always presented in a clear or comprehensive manner, inhibiting user understanding of Google’s processing operations for ad personalization.
  2. Consent obtained from users for data processing was not sufficiently informed and was not “specific” or “unambiguous.” Users were not aware of the extent of data processing, and consent was not obtained for each distinct processing operation.

Many fines related to GDPR have since been levied. Some are related to data breaches. Others are more concerned with how data is managed and used. For example:

According to The Privacy Advisor on January 3, 2019, the first GDPR fine in Portugal was issued against a hospital for three violations. The first was a violation of the data minimization principle: an excessive number of users had been granted indiscriminate access to patient data. The second was a violation of integrity and confidentiality, because the technical and organizational measures needed to prevent unlawful access to personal data had not been applied. The third was the failure to implement technical and organizational measures ensuring a level of security appropriate to the risk.