“Information is the oil of the 21st Century”. We have been hearing this phrase so often recently, but what is the reason? We are in a data-driven world. We create data, we share data, we analyze data, we read data, use data for reports, planning and decision making. We are made of data and as we mature in the world, the amount of data matures and increases and organizations accumulate and store more of it. GDPR is a recent buzzword that we have been hearing of especially around Europe, Gulf and Middle East. Read more to find out why.
With the increase in data, organizations begin to resort to information governance to provide a logical framework with clear processes and procedures in managing data for operational, transactional and analytical tasks. What organizations usually miss before doing so is setting clear information governance for a clear vision on what kind of data they are producing as an organization and how they would like to utilize it so they can abstract more significant data and minimize the cost and risks that come with managing it.
In May 2018, the European Union’s General Data Protection Regulation (GDPR) will come to effect. Does this mean anything for organizations? Sure it does and we are about to find out what it means and how it will impact the organizations’ information governance strategy for organizations around the world specifically the Gulf and Middle East!
Better understanding of GDPR…
Simply protecting your rights to data privacy. General Data Protection Regulation (GDPR) is an EU regulation that specifies how data should be used and protected. It was adopted by the EU in 2016 and will be enforced through the EU in May 2018. This does not mean there are limits to what you can do with your data. Your data will belong to you and only you.
How will this concern you if you are in the Gulf and Middle East?
Just because the laws are across the European Union, that does not mean the reach of GDPR will be within Europe only. International business will be affected too. Companies in the Gulf and the Middle East such as KSA, Qatar, UAE, Lebanon and so on, will be asked to implement the “right” information governance by processing the necessary security controls. It is important to mention that many countries in the MENA region including UAE and Qatar have already undergone their own initiatives towards “data protection”, maybe some with less strict details than GDPR, but the overall concept is within organizational structures. An example includes Qatar’s initiative issued in 2016: Data Privacy and Protection Law which has similarities with GDPR.
Who is GDPR applied to?
- Individuals in the European Union
- All companies in the European Union if they provide goods and/or services to residents
- Organizations outside the European Union if they monitor/process behavior/personal data of EU residents
What kind of personal data?
Any kind of data that can help in identifying you. Name, photo, email address, IP address, bank details, medical information, etc…
GDPR Effect on Information Governance?
With the introduction of EU GDPR data privacy became more of a critical element to consider. Many new rules and regulations towards privacy rights, giving more power to data subjects:
- The right to know what is being done with their data
- The right to have their incorrect data corrected
- The right to have their data forgotten
- The right to have restrictions on processing of their data
- The right for data portability
- The right to object for their data being processed
- The right for limited usage of the data collected
- The right to be notified about data violation
Once EU GDPR is put into place, data controllers and data processors will have obligations in terms of how they will handle the data they own as an organization.
How will Organizations Govern their Information after GDPR is introduced?
A new information governance work plan will need to be put in place as an effort to comply with this change bought by the EU GDPR. The following are the list of steps needed:
- Data Privacy Risk Map:
The organizations must start by mapping what data they have and what kind of personal information is included in this data. What processes and procedures they have that are using this personal data and how are the personal data they hold exchanged to and from the organization.
- Data Minimization:
The personal data collected should only be the data the organization needs to be able to process a certain need/requirement. The personal data must be relevant to the case.
- Lifecycle Management:
Data collected must be stored for a limited amount of time and not for a long period of time. Therefore there must be a restriction on the retention duration of this personal data.
- Consent Processes:
Must be simplified so it’s no longer targeted for lawyers to understand. All regular individuals need to be able to comprehend so they can actually give consent for data collection.
- Data Anonymization and Pseudonymization:
Internal data security measures for privacy assurance. Removing any identifiable information from data sets so data owners remain anonymous.
- Strict time-frames for data violation:
The authority needs to be contacted within 72 hours for data breaches. Data leaks and information disclosure can no longer be reported a year later.
- In-house Data Protection Officer:
Organizations will much rather employe an internal data protection officer. The officer will have the power to enforce the GDPR security benchmarks and regulate accordingly.
The culture of Information Governance will see a change within organizations. It’s as though with the GDPR compliance, Organizations begin to fully embrace Information Governance in its true definition of providing operational transparency by managing the use and security or information. GDPR will most likely affect your organization even if you are not in the EU or do not operate in the EU. You should be concerned with the amount of confidential information your organization stores across the enterprise putting the organization at risk of data theft and disclosure of customer’s information. Take action today!