GDPR Noir: A fanciful account of a CDO’s encounter with the EU’s newest data regulation
Follow a streetwise Chief Data Officer (CDO) as he walks the beat and tries to understand the mystery that is GDPR (the General Data Protection Regulation). Like any good detective, he uncovers the facts about the new regulation and relies on a colorful cast of characters to help him overcome the challenges he is facing. But watch out! As our intrepid CDO learns, having the answers isn't all it's cracked up to be.
It was a balmy Tuesday afternoon and the papers on the desk had piled up nearly as high as my stress level when I heard a knock at the door. In walked Jane, my CEO, a business-savvy, no-nonsense woman with a penchant for asking the questions you didn’t want to hear. She said she was looking for someone to take care of the data, now that the GDPR had passed. That’s General Data Protection Regulation for those not in the know. Fortunately for her, as CDO, data was my racket. I’d spent years perfecting the craft of getting data to the right people and using it to make the world a better place.
But now, I was facing the biggest challenge of my career. If I didn’t help the organization find a way to comply with the EU’s new policies by the 25th of May, 2018, we were going to be in trouble.[1] Big trouble. The kind of trouble that costs you 20 million euros or 4 percent of annual worldwide turnover—whichever is greater.[1] The kind of trouble that encourages regulators to take a keen interest in all parts of your business and drop by on occasion just to see how things are going. It gives me chills to think about it even now.
I thanked Jane and told her I’d have some answers within the week—a big promise I was hoping my wit and determination could help me keep.
I knew that my first stop had to be Sam’s place. Sam was our CIO—a wiry, bespectacled man, whose face and demeanor suggested he’d survived more boardroom storms than any man should. More caffeine than man at this point, he was someone I knew I could rely on one more time to give me the scoop on all the new regulations that would be coming in.
Sam seemed disturbed by my appearance and said he knew what I was there for—GDPR had been sending a panic through even the biggest organizations. We were no exception. I asked him for the facts and he gave them to me:
- The new rules applied to any organization that “operates in the EU market or processes the personal data of EU data subjects.”[2, 3]
- Data subjects would have the right to access their data and know how it’s being processed.[2, 3]
- They’d also have the right to make their personal data disappear from your organization permanently – a so-called right to be forgotten.[2, 3]
- If some low-life crook caused a data breach we’d need to report it within 72 hours and notify the folks whose data may have been compromised.[2, 3]
- It’d be even more difficult to demonstrate that people had given us consent to process their personal data – requests for consent have to use plain language and people have to be able to easily withdraw it too.[2, 3]
- We’d have to be able to demonstrate compliance in a number of ways.[2, 3]
I asked Sam how he knew all this and he pointed me to two resources. The first was the eugdpr.org website. The second was an IBM white paper called Planning for the General Data Protection Regulation. I made a note to check both of them out and left Sam to go about his business.
But Sam’s comment had reminded me of an old buddy who worked for IBM. She had helped me out of a jam more than once with the timely integration of a new solution. If anyone could help me find a way to get ahead of the regulators, it was her.
I rushed back to my office as fast as my feet would carry me and grabbed for the phone. A short spin of the rotary dial later and I was talking to Nicole, my contact inside IBM. I told her I was in a pickle – I could see trouble on the horizon and I needed to get up to speed with GDPR fast. Thankfully, she said she had just the answer and that there were a few different things that might help me get out of this situation.
First, she told me I had to get rid of the ROT in my company. I balked; we might not be up to speed yet, but we weren’t corrupt. But then she spelled it out for me—R.O.T.—data that was redundant, obsolete and trivial. Seems like Information Lifecycle Governance could help us defensibly dispose of that unneeded data. It could also give us insight into some of the unstructured data lurking around our office, helping us manage and enforce policies consistent with GDPR.[1, 4, 5]
Second, she said I’d want to look into Master Data Management to give me a single source of the truth and Information Integration and Governance to increase my confidence in the data with data lineage exploration and management. That way I could identify what personal information I had and where the most important data resided.[1, 4, 5]
Then, she warned me to make sure I had good security solutions in place. We’d need to have top-notch internal and external network defenses ready. Incident response capabilities and security restrictions would be important too.[1, 4, 5]
She finished by letting me know there were people standing ready to lend me a hand—a team was conducting IBM GDPR Quick Starts, which helped identify and assess what would be impacted by the GDPR in an organization.[1, 4, 5]
With this information in mind I said my goodbyes and told her to expect another call soon. I put down the receiver with a soft thud and went about my work. It wouldn’t be easy, but with some hard work and a little bit of luck I’d have everything prepared for my meeting with the CEO.
Friday morning came early. My stack of papers was a little taller and my stress level a little lower. I heard a sharp knock on the door and took a large swig of my coffee to prepare before yelling for my CEO to come in. But there was no need; Jane had already entered and taken a seat before the words left my mouth. I quickly passed her the documents I had compiled for the GDPR project and watched as she took a moment to peruse them. I waited for her reactions as she flipped through the pages for Information Integration and Governance, Information Lifecycle Governance, and Security Solutions. With everything seemingly in order she allowed a rare smile to cross her face as she stood up. As she turned for the door again, she made one final comment: “Good, make it happen.” I suppose the work of a CDO is never done. Then again, I wouldn’t have it any other way.
This fictional story is intended to provide friendly and helpful advice only; it is not a definitive statement of law.
1. IBM. “General Data Protection Regulation (GDPR).” IBM Analytics, United States. IBM, n.d. Web. 13 Jan. 2017.
2. “Planning for the General Data Protection Regulation.” White paper. IBM, November 2016.
3. “Key Changes with the General Data Protection Regulation.” EU GDPR Portal. N.p., n.d. Web. 13 Jan. 2017.
4. Yelland, Bob. “‘How it Works’ GDPR.” eBook. IBM, 2016.
5. “General Data Protection Regulation – GDPR Masterclass: Reality Bites.” Perf. Janaka Alwis, Gregory Campbell, Dr. Philip Thomas, Amir Jaibaji, Monique Altheim. IBM, 22 Sept. 2016. Web. 13 Jan. 2017.