Is GDPR - the General Data Protection Regulation enforced by the EU on the 25th of May 2018—yet another obstacle and nuisance to the much-burdened CIOs, or is it a positive game-changer that can help drive new business and make organizations more efficient?
In the following, I will try to explore how the newly enforced GDPR can actually benefit the CIO and, of course, the whole organization that the CIO represents.
The CIO is charged with one of the most challenging jobs within IT: they must not only avert external threats but must also be a business driver and use new technology and data to increase turnover.
Today’s CIOs—if not officially appointed, then at least filling out the role—face many threats like data breaches, ransomware, viruses, cunning phishing attempts, shadow IT, and brute force attacks that can paralyze an organization for weeks and cost fortunes.
They also encounter new regulations, a fickle public opinion and quickly shifting trends—issues that create a general nervousness and occasional panic in companies and organizations.
That is the reason CIOs exist: there must be a person who can anticipate market trends and uphold a high security standard. The CIO is both expected to be a problem-solving digital wiz and the one to be discharged when things go wrong (e.g., in case of data breaches).
Often the CIO is also a lone fighter up against a lack of knowledge and a hesitancy toward IT investments caused by the same nervousness and possible panic they must mitigate.
These hard facts of daily life often leave the CIO in a more reactive role, whereas the CIO should be more strategic and proactive in leveraging new technology and data and discovering and evaluating trends that can act as a business driver.
According to the Global CIO Survey from Logicalis, especially European CIOs see data regulations as a barrier, which is likely because of the GDPR.
The question is whether the GDPR is rightfully considered a potential hazard or business threat, impeding organizations from achieving their goals, or if we can change the perspective and use GDPR as a lever to pursue business goals.
Looking closer at GDPR, it is likely that the CIO can leverage this new regulation to their benefits as well as the company’s success.
At its core, GDPR is intended to protect companies as well as consumers and citizens in a digital world. More precisely, GDPR secures private consumers’ ownership to their data, formulated as five specified rights:
1. The right to be forgotten – the organization will have to delete all of the data of an individual if he or she requests it.
2. The right to object – individuals can say no to certain data use such as profiling for marketing purposes.
3. The right to rectification – individuals can have incomplete data completed.
4. Right of access – individuals will have the right to know what data is being processed and how.
5. The right to data portability – individuals can transmit their data from one organization to another without hindrance.
When organizations embark to meet these rights and to become compliant with the regulation, they and their CIOs face a new set of processes related to data governance, which on the surface can seem like barriers.
Just to name a few:
Many organizations are urged to appoint a data protection officer (DPO) in order to be compliant with GDPR. Sometimes, the CIOs appoint DPOs, but most often the CISO or the Legal Officer. In other cases they will take that role upon themselves, which adds to both workload and responsibilities.
They must formulate policies that prescribe their handling of personal data—documented data governance is becoming a requirement from suppliers and customers.
Organizations must minimize their data collection and processing to only necessary actions.
They must abide to limited data retention because it is fundamental in GDPR that personal data doesn’t float around in systems for years for no specific reason.
Organizations must also obtain (renewed) consent from users to use their data for marketing purposes and offer a clear opt-out possibility.
Organizations simply need to manage their documents better. But, the CIO—being the person in charge of this change of digital management that GDPR has brought about—can make a virtue of necessity. There are undeniable upsides of GDPR for the CIO, who is expected to deliver both digital change and increased turnover.
I will mention a few examples of how the CIO can use GDPR to leverage good data governance.
The leap from reactive to proactive: the CIO and the organization, which has pushed this workload in front of it for some time, can use GDPR as a springboard for a proactive and strategic approach to data governance, risk management and IT investments in general.
Data cleaning: the required renewal of consent to receive marketing material in the future will probably cause some users to reconsider their engagement and opt out. But, the upside is that organizations can use this opportunity to clean their data and end up with a higher quality of users in their database. Companies are allowed to send out more than one reminder and take advantage of this for a strong messaging.
IT upgrade: GDPR helps the CIO state their argument for introducing good data governance and replacing legacy IT with state-of-the-art software. GDPR forces a streamlining of personal data upon organizations, which urges them to find ways to simplify data processing and introduce good data governance. For the CIO who has been arguing for an upgrade or even a disposal of legacy systems, GDPR could be the trigger to free budgets and make the organization see the bigger picture.
Good data governance: GDPR is about data protection. The CIO who embraces GDPR by applying good data governance will achieve not only compliance but also several positive commercial side effects, including efficiency and speed and enhanced reputation management.
For good data governance, a few more points of interest include:
Good data governance means to secure easy access to master data—and this is crucial in cases where a user wishes to be forgotten or to exercise her right to have her data rectified.
Good data governance implies creating a single version of the truth for customer data—a much-wanted feature for those who struggle with duplicate customer data and therefore cannot be sure if they have deleted the full history of a user or maybe send letters to the same person under different names.
Good data governance secures accountability by appointing data owners and ensures integrity through updated and reviewed data processing. The results bear a clear commercial advantage because compliance with GDPR through good data governance becomes a quality stamp that says “You can trust in us and safely do business with us.”
New technology that supports compliance with GDPR, good data governance and commercial goals is the kind that gathers master data instead of spreading it out on several hubs, which creates a single version of the truth and connects data instead of disconnecting it.
If the CIO should evolve into an agent of change, they will have to drive not only digital change but very often also a cultural change. GDPR could be the catalyst that sets things in motion towards a higher awareness of data governance and a more holistic view of IT infrastructure.
GDPR must therefore not be another hindrance for already overburdened CIOs but must instead be a game-changer that clears the road to true IT enablement with some manifest commercial side effects.