GDPR for data managers

GDPR offers new, great opportunities for data managers

We are only a few weeks away from the European Union’s General Data Protection Regulation (GDPR) coming into force. GDPR’s main objective, as stated by the European Commission, is to drive data protection excellence to reinforce consumer trust in the digital economy. This means giving the power back to the individual by allowing them to define precisely what may or may not be done with their personal data. «Data blank checks» will not be possible anymore.

The new regulation will change the way companies manage their data – and data managers will play a central role in its implementation. With its strong emphasis on transparency and consent, GDPR offers great opportunities for data managers to initiate and drive ambitious data governance projects and push for an overhaul of applications and data architectures. The regulation offers a strong compliance argument, which will make it easier for data managers to get management on board.

GDPR Capability Model by the CC CDQ

The GDPR Capability Model developed by the CC CDQ over the course of 2017 helps data managers identify areas for action and structure projects and initiatives. The model builds on a review and interpretation of legal texts, official guidelines, and industry practice reports. It was validated during break-out sessions and in bilateral projects. The model provides an action-oriented view of the capabilities that need to be built up and established in order to comply with GDPR’s set of requirements. The capabilities refer to both processes (e.g. handling access requests or documenting processing activities) and technical measures (e.g. data identification or data removal). They feature legal references and a description of implications, which data managers can use to communicate their ideas to a broader audience.

The model also assists data managers in identifying (re-)design areas and, with the help of a maturity assessment model (the development of which starts in March), in monitoring progress. As we continue to investigate the topic in 2018, we will be holding break-out sessions revolving around key concerns in implementing GDPR (e.g. consent management and data classification). The sessions will also feature best-practice presentations.

GDPR at a glance

GDPR requires organizations to consistently document:

  • the personal data they hold of their customers (i.e. the scope – e.g. list of recorded attributes),
  • how the data was acquired (i.e. the origin – e.g. online form or e-mail),
  • how it was and is processed (i.e. the modalities – e.g. advanced analytics),
  • to what end it is processed (i.e. the purpose – e.g. targeted marketing),
  • and who it is shared with (i.e. the transmission – e.g. third parties, such as cloud service providers).

This information must be available for disclosure to authorities (describing an organization’s overall data processing practices) and individuals (e.g. when exercising the right of access) alike and at any time.

Organizations must also overhaul the way they seek consent for processing personal data of their customers, and make sure that consent can be renewed or withdrawn. Consent requests must be presented separately from general agreements, use simple language (i.e. legal and technical terms must be avoided), and feature visuals/pictograms, if possible. Consent to non-essential processing activities must be proposed as granular, opt-in items (e.g. one unticked box per processing activity in the case of an online form). Finally, organizations must document when and how consent was given.

Consent obtained before GDPR’s coming into effect remains valid only if the organization can prove it was obtained in compliance with the aforementioned principles. In the specific case of digital marketing, the following alternatives should be considered:

  1. If newsletters are sent following a business transaction, and provided that opt-out mechanisms are in place, there is no need to refresh consent.
  2. In other cases (i.e. if consent was not obtained in accordance with GDPR’s principles or was not explicitly documented), it must be refreshed before sending any more newsletters.

For any inquiry, or if you would like to take part in one of our sessions, please contact Clément Labadie. We especially encourage our CC CDQ members to submit their «burning questions», which will be discussed in the break-out sessions.