In this expert interview series, Paige Bartley, Senior Analyst for Data and Enterprise Intelligence at Ovum, discusses the state of GDPR readiness, and how data quality, data availability and data lineage play into the GDPR compliance landscape.

Part 2 weighs in on the role of data lineage, data quality, and data availability in GDPR compliance as well as the level of enforcement that we should expect after the deadline.

What role do data lineage, data quality, and data availability play in GDPR compliance?

Data lineage, data quality, and data availability are inherently linked to GDPR via several mechanisms.

When it comes to data lineage, Article 30 of GDPR details the requirements for records of processing activities on personal data. This entails requirements for maintaining records of the purposes of processing, records of data transfers to non-EU locations, and records of who the data was disclosed to, among other requirements. While data lineage is never specifically mandated in the text of the regulation, lineage is critical to understanding how data was handled, who it was handled by, and where it was handled. Data lineage, when tracked at a granular level, can provide the means for automated reporting that can fulfill Article 30's requirements. Furthermore, it can provide the enterprise with a mechanism for Article 31 requirements for cooperation with supervisory authorities; when the organization understands every action that has been taken on a given piece of personal data, it is much easier to communicate with supervisory authorities and demonstrate that compliance has been maintained throughout the data handling process.

As for data quality, data quality is neither solely a direct product of GDPR compliance nor solely a direct driver of GDPR compliance. Rather, data quality is the result of a positive feedback loop between compliance efforts and preexisting data management initiatives. Good initial data quality will help in GDPR compliance initiatives because it means that data subjects will have less opportunity to invoke their Article 16 right to rectification or correction of data. But GDPR compliance, by virtue, also helps increase the quality of new data collected. GDPR compliance and explicit consent practices mean that the data collected under the regulation will largely be voluntary and accurate. GDPR is an opportunity to build trust with consumers, and trusted relationships yield more relevant and accurate data relative to the opt-out consent model which collects data opaquely. So data quality is both a driver of compliance as well as a product of it.

For data availability, it's important to understand that GDPR is not a technical regulation by nature. It focuses more on process, and names very few explicit technical requirements. This is by design. If the regulation were built around specific technical capabilities, it would quickly become obsolescent, as technology evolves much more quickly than policy. However, data availability, which is relatively unique amongst technical capabilities, is cited directly in GDPR as part of Article 32's requirement guidelines for the Security of Processing of personal data. High availability of systems, while not absolutely mandated, is highly encouraged for GDPR compliance.

How rigid do you expect GDPR enforcement to be after the deadline? Do you think regulators will focus only on major violations and big companies, or should everyone be worried about even minor deviations?

Initial enforcement will likely focus on prominent, high-margin organizations that use data monetization as their primary business model. The regulatory bodies have only so many resources for audit and investigation, and they are likely looking to make an example of a household-name organization that processes personal data at scale as a fundamental part of their business. My intuition is that the EU will likely seek to pursue initial enforcement against a non-EU business, to underscore the point that the regulation is global in its reach.

This isn't to say that smaller firms or minor deviations from compliance will be let off the hook. The regulation allows robust mechanisms for data subject to legal remedies against data controllers and processors which have run afoul of the regulation. Article 79, in particular, guarantees the right to effective judicial remedy against a controller or processor, opening the door to class-action lawsuits. In this sense, consumers can become the eyes and ears of the regulatory bodies, taking legal action against any firm that they feel has not properly protected their personal data. So while the supervisory authorities may not initially set out to enforce against smaller firms or minor infractions, there is always the possibility that regular EU citizens may lodge a complaint or initiate legal action against a firm that they feel has mishandled their personal data.

Be sure to tune in for the final installment when Bartley speaks about the difference between the technology and process in the GDPR and how it can potentially inspire other regions to create regulations of their own.

If you want to learn more about GDPR compliance and how Syncsort can help, be sure to view our webcast on Data Quality-Driven GDPR: Compliance with Confidence.

Syncsort + Trillium Software Blog