For many in the business world, the concept of Data Governance is fairly nascent, forced upon executives by the approaching EU General Data Protection Regulation (GDPR).
The notion is that, rather than data policy and subsequent privacy measures being the prerogative of IT bods, data is an asset that must be protected in the same way as any other that is fundamental to ongoing business success.
In the UK, in contrast to other EU member states, GDPR is a culture shock. The way British business approaches personal data is often laissez-faire by comparison to our more privacy-conscious neighbours on the continent, leading to a widespread lack of preparation. In fact, only 26 per cent of UK respondents to a recent NetApp survey say they have a good understanding of the approaching regulation, with less than a year until its implementation.
City A.M. caught up with Sheila Fitzpatrick, NetApp’s worldwide legal data governance & data privacy counsel, to discuss changing attitudes, and why business needs to start taking data governance seriously. An industry stalwart, she has thirty years of experience as an international employment and data protection attorney, and is considered one of the world’s leading experts in data privacy laws.
GDPR comes with some pretty hefty fines for failed compliance – 4 per cent of global group revenue, or €20m, whichever is higher. But Fitzpatrick says that, while substantial and plenty to drive data governance home to the c-suite, “more important is the reputational damage and the fact that consumers, and even employees, are starting to pay more attention – ‘what are companies doing with my data? What is my employer doing with my data? Why are you asking for that information?’”
More pertinent, she says, is the growing public awareness of how and why personal data is used and stored – one of the key components the regulation aims to address.
“The more the public becomes educated on their privacy rights, the more companies are going to have to take it seriously, because when push comes to shove, if I’m doing business with an organisation, I’m going to do it with the one that respects my privacy – that fundamentally believes in the right to privacy – versus one for which it is an afterthought.”
She says that in the digital economy, data is very often the greatest asset a company has. “But also, their greatest detriment can be data – so if they’re not treating it in accordance with the regulations and legal requirements, they’re going to have massive problems.”
But where should businesses start to shift their Data Governance culture to something more auspicious? “My hot button is when people think that data security and privacy are the same thing,” says Fitzpatrick. “Intertwined yes, but security is only one small component of privacy – of the overall management and collection of personal data – what they can and cannot do with it.”
Fitzpatrick tells me that the UK’s present approach to privacy mirrors that of the US to some degree. “There’s always been this importance of business, and the importance of driving business, and the need for data to provide services, and to develop technology or products. But there really hasn’t been as much attention around the fundamental right to privacy.”
She says that for the culture around data practices to change, business needs to first change the perception that data regulation impedes progress. “There’s a misunderstanding,” she says, “where organisations think that the UK Data Protection Act, for example, is a very restrictive piece of legislation. And it’s not. It has so many holes. But I think that it’s often viewed as an impediment to doing business, because we need data in order to run the business”. But, she chuckles, “if individuals say ‘well you can’t have my data’ – how are you going to run the business?”
The more impetuous businesses fall somewhere between paying vague attention to, and having total disregard of, the rights of private citizens. Those treating the data they possess as little more than numbers on a screen, with no concern for the people behind it, she says, will be dragged, kicking and screaming, into the GDPR era.
“It’s going to force a different mindset into organisations,” says Fitzpatrick. “It’s going to force it,” she repeats. “I am a big proponent of GDPR because I fundamentally believe that the individual owns his or her personal data. And what scares me more than anything is the scope creep.”
She argues that the use of data beyond consumer expectations needs to be addressed. Businesses need data to support employee, customer and partner relationships, but being explicit in what that entails is paramount. “When I provide you with my business card for instance: I don’t expect you to then take that information and then put it into some global database, where anyone, anywhere in your organisation, can start using my data for unsolicited marketing and sales. It’s that misuse and abuse of the data that concerns me, and the lack of transparency.”
Tools and technology
I ask Fitzpatrick what steps businesses should take to comply with the upcoming overhaul of legislation, but before starting, she issues a warning about “misleading” offers of tools and technology.
“What tools and technology will allow companies to do, is maintain compliance with GDPR. But to obtain compliance – to actually become compliant – it’s a legal framework, a case of understanding what data you collect: why do you need that data? What is it being used for? What do your policies look like? How transparent are they? What consents are in place? I use the analogy of the house: you start with the ground floor, then you build the first floor. Tools and technology don’t come in until you get to the second floor.”
Elliott Haworth is business features writer at City A.M.