Data Governance under the GDPR – questions you should be asking

By Steven Orpwood, Senior Consultant and DPO

Ecclesiastes 1:9 is the origin of the common proverb, “There’s nothing new under the sun.” Sometimes this is hard to believe. For instance, the advent of the EU GDPR has been lauded as “something entirely new” by many who would sell you water from your own tap. The question you should be asking yourself when deciding whether to spend your money is “is the GDPR new?”, quickly followed by “if not, why am I spending company money?”.

To answer these, we’ll start with the preparatory elements. First, you must remember the importance of data, and in particular personal data in the form of employee and client information, to your business. It’s not possible to overstress the benefits of clean, well-maintained, and legitimately held data to any business. In fact, in this day and age, it could be the differentiator which sets you apart from your competitors.

Secondly, you need to ask some questions about the GDPR. For instance, is the GDPR new? Well yes, and no. The General Data Protection Regulation is the latest in a long line of attempts to define and protect personal data. If you read the GDPR and the Data Protection Directive side by side, you’ll be surprised at how similar they are. However, the former is more inclusive; it binds all members of the European Economic Area (EEA) to a common data protection regime, and requires a greater depth of governance.

By understanding the differences between the GDPR and its predecessors, it becomes clearer where, why, and if any money needs to be spent. We can do this by taking the advice our wise old school teachers would have given, back when we were doing our GCSEs (or GCEs or CSEs), which was to “justify your answer”. The GDPR asks a series of questions; questions like “do you apply data subject rights?”, or “do you manage personal data securely?”, etc. However, what it does, far more than any similar instrument, is caveat this with the follow-up “justify it”. In the past you could simply state, “I store data securely”, or “of course I have consent to use this data”. You could even have rolled out a certificate or two and have been believed. Now, with the GDPR, you need to be able to roll out the certificates and, crucially, prove they actually do what you’re suggesting they do. A small change, but a seismic one nonetheless. With this small caveat, the EU is asking you to “do what you say you can do”, or in other words, to “walk the walk”.

This is potentially a goldmine for many people who, well intentioned as they are, may be selling a great knowledge of the content of the regulation, but with little understanding of the practical implications. In these times, you need a trusted partner, one who knows the GDPR landscape and understands how data flows through a business. Once you have this input, you’re in a position to understand what tools to implement in order to secure your data subjects’ data.

To find out about AiM’s GDPR services, including training, discovery reviews, interim DPOs and GDPR compliance technology solutions, click here.