The business case for applying GDPR-level data governance across regions

The European Union’s General Data Protection Regulation (GDPR) is upon us, becoming enforceable on May 25, 2018. It’s no exaggeration to say that achieving compliance (as well as being able to demonstrate compliance) requires that companies make a fundamental shift in how they approach data governance. Companies worldwide are struggling with the magnitude and scope of the GDPR; however, those that get data governance right can reap significant benefits.

Yet, the reality is, many companies with operations outside of the scope of the GDPR are struggling with the question of whether to comply with the GDPR across their multinational operations (that is, not just for the EU operations).

Facebook is one particularly high-profile example. Facebook CEO Mark Zuckerberg told Reuters on April 3 that the company would not extend GDPR-level privacy standards to its users outside the EU (although Zuckerberg did say that Facebook would like to make GDPR-type privacy guarantees “in spirit”).

Then, on April 17, Facebook announced that it was introducing a “new privacy experience for everyone on Facebook as part of the EU’s General Data Protection Regulation (GDPR)….no matter where they live.”

Of course, Facebook finds itself in a unique position that I don’t need to go into in this blog post (Cambridge Analytica, anyone?); however, extending GDPR-level protections around the world is, to me, clearly the wisest choice Facebook (or any company) could have made—regardless of the microscope that company currently finds itself under. That’s because complying with GDPR (the world’s most rigorous data-privacy framework) also goes a long way toward ensuring good data management—and that’s simply a must in this day and age.

So, what do multinational companies stand to gain from applying GDPR-level data-management practices across their operations?

Better decision making: 

• One of the key benefits of data governance is better decision making. This applies to both the decision-making process, as well as the decisions themselves.
• Well-governed data is more discoverable, making it easier for the relevant parties to identify meaningful trends and gain useful insights into the data. It also means decisions will be based on the right data at the right time, ensuring greater accuracy and trust (and reduced costs associated with bad data.)

Operational efficiency: 

• Better data governance leads to reduced time-to-market for critical business decisions.

Data quality: 

• Because data governance aids in discoverability, businesses with effective data governance programs also benefit from improved data quality. Data quality refers to know how useful and complete data is, whereas data governance relates to knowing where the data is, who is responsible for it, and how the data will be maintained.
• Although technically two separate initiatives, some of the goals of data governance and data quality overlap. These include, but are not limited to, the standardization of data and its consistency.

Data compliance: 

• As I alluded to in the introduction, if you haven’t yet adopted a data governance program, compliance is a strong reason to do so. Large fines with an upper limit of $20 million or 4 percent or annual global turnover—whichever is greater—certainly give one pause.
• It could be argued that to be truly data-driven, which leading companies almost universally embrace as a top objective, effective data governance is a must. In that sense, GDPR fines are only incentivizing something that companies should already be doing. Data-driven businesses that aren’t embracing the aforementioned goals around data governance are fundamentally stifling their own performance.

Reduced liability footprint and reduced costs: 

• Core components of data governance are data minimization and data retention:
  • Data minimization means that companies are only gathering the absolute minimum amount of data to meet their business requirements. This reduces the company’s exposure in the event of a breach.
  • Data retention: Companies that implement data-retention schedules delete unnecessary data after the initial intended purposes of the processing have been completed or when the data is no longer needed—this also reduces liability in the event of a breach.
• Strategic data minimization and retention also result in a smaller data footprint, which equals reduced infrastructure costs (storage, licensing, backups, staffing levels).

Increased revenue: 

• Driving revenue is high on the benefit list for GDPR-level data management. All the benefits of data governance addressed above help businesses make better, faster decisions with more certainty.
• Rigorous data governance means that companies make fewer costly errors in the form of false starts and even data breaches. It means that you spend less money by managing risk and closing the most vulnerable holes in your business’s security, instead of more money retrospectively, dealing with bad PR and financial fallout.

Data protections laws are here to stay—and they’re spreading

The EU is not the only legal jurisdiction that has data privacy and protection frameworks in place or has plans to pass data privacy legislation. South Africa, Jamaica, and India are exploring or adopting data-privacy laws. California is currently looking at a new data privacy law that is very GDPR-like.

Probably sooner rather than later, every company will need to address the legal and regulatory landscape around rigorous data-privacy regulations. However, companies that only approach data governance with a check-the-box approach to satisfying regulatory obligations may lose out on the benefits of a holistic approach to data governance.

Scott Wilson is Chief Information Security Officer & Privacy Officer for Ventiv Technology. Contact Scott at scott.wilson@ventivtech.com. Connect with Scott at LinkedIn.