Four essential pillars of GDPR compliance
The four essential pillars of General Data Protection Regulation (GDPR) compliance are people, data, technology and processes.
This is according to Gary Allemann, MD at Master Data Management, speaking yesterday at ITWeb's GDPR 2018 Update held in Johannesburg.
In May, the European Union's (EU's) GDPR came into effect. This stringent privacy law, which covers any organisation that processes information about EU residents, will profoundly affect the way data is collected, stored and used, not just within the EU, but for South African companies doing business in Europe too.
Discussing how local organisations can accelerate their GDPR compliance efforts through data governance, Allemann explained the European regulation requires a new approach to governing personal data, which must be centred on technology, people, data, and processes.
"New data management processes and artefacts must be maintained to be GDPR compliant. Both the Protection of Personal Information (POPI) Act and the GDPR regulations legislate a new approach to governing personal data, focusing on accountability, processing limitations, geography and data quality, as well as security.
"People's roles and responsibilities are a starting point of data governance because somebody has to take responsibility and accountability for personal data at different layers of the organisation. People have to be assigned to particular data elements and particular systems and processes, which have to be tracked. These people also have to be involved in decision-making about where customer data should be stored and which third parties should have access to this data."
One of the biggest compliance challenges faced by large local organisations is that they don't know which employee has access to which data, or why, continued Allemann. This problem, he explained, often becomes a serious threat to an organisation's data security, leading to avoidable human errors.
"Accountability at multiple levels is a key principle of GDPR," Allemann pointed out.
Discussing the role of technology in GDPR compliance, Allemann explained that tools such as GDPR accelerator platforms can give organisations impact analysis capabilities and can also be used to securely archive information.
"While technology doesn't make you compliant with GDPR, it does give organisations a head-start because it gives them an array of tools to improve their compliance requirements. One such example is a data governance accelerator platform, which brings together GDPR requirements, packaged as a set of essential tools for workflows, reports and data models that allow organisations to capture the documentation that is necessary from both a GDPR and POPI perspective.
"Companies that leverage accelerators for GDPR will achieve compliance more quickly and at a lower cost, while reaping the benefits of better understanding their client data landscape."
Following the right processes, he continued, is an important part of GDPR compliance, as it helps to define an organisation's responsibilities and the processes used to standardise, integrate, protect and store corporate data.
"Organisations should be able to manage and provide a comprehensive view of their processing activities and demonstrate a clear audit trail for on-boarding new processes and the risk-level of data types. Consistent, uniform data and processes across the organisation are a prerequisite for better and more comprehensive decision support."