GDPR is a Business Capability, Not a Project Part 1

On the day the GDPR regulations came into force, the UK regulator, Elizabeth Denham, told the BBC that enforcement would focus upon companies that “deliberately, persistently and negligently misuse data and that’s going to be the focus, that’s what people expect us to do”. In the same interview she implicitly recognised that things were not going to be perfect on day one.

The head of IT at a financial services firm told us here at Datavault that he expected to achieve minimal compliance on day one but wanted to follow up with a wider Data Governance project to improve the business’s long-term ability to manage personal data.

Some clients of ours are starting to ask their GDPR teams if they can take on the management of other, non-personal, data using the same disciplines as GDPR because senior management can see clear long-term benefits for their business if they can better manage their data.

The reality is that GDPR is not going to be a one-off exercise but a journey. Pandora’s box is open. There are many ways to become GDPR compliant – from the minimal, no-frills implementation to a wider, data governance approach. What is considered good (or adequate) practice on day one will mature over time as business gets a better understanding of what works and what may or may not be acceptable to regulators. Regulators too will be changing their guidance in response to technology developments, court cases, new threats, and emerging good practice.

Given the moving picture, GDPR compliance may be better thought of as a business capability, perhaps a strategic capability. Forward-thinking organisations will want to develop and mature this capability to deliver its full potential for their business.

We believe (especially as organisations are now looking to extend the scope of GDPR practices beyond personal data) that GDPR is just a special case of Data Governance, and that what businesses should aspire to develop is a Data Governance Capability. What applies for GDPR applies to other data as well.