In a world with rapidly increasing amounts of data, implementing data minimisation capabilities as part of data and records management is paramount. GDPR, initiated by the EU sets a high bar for personal data protection; consequently, companies need to understand how to deal with their data in order to meet the regulatory requirements.
Data is powerful – but only within legal bounds
We are in the era of data – and ever-increasing amounts of data are being collected, processed and stored every day. Today, most activities result in the production of some form of data, whether from a simple phone call, buying groceries online, or watching a movie on Netflix. Leading companies in data collection, such as Google, Amazon or Facebook, play a key role in shaping the era of data and have contributed to the spread of a now universally recognised dogma: data is gold.
When properly processed and analysed, data can provide valuable information that a company can use to gain competitive advantage. This explains why companies all over the world started collecting data from any possible source years ago. However, this huge bulk of data needs to be stored and managed in compliance with strict regulatory requirements. Personal data processing has become a top priority on many government agendas around the world. The EU initiated a new regulatory standard when it published the General Data Protection Regulation (GDPR), and it set the bar high for the update and review of most global personal data protection laws.
Under GDPR, companies must operationally cover their data management from three different perspectives: business (what data is processed, and for what purpose), IT (where and how personal data is processed) and third parties (to whom personal data is transferred). Many companies, both in the EU and in other countries such as Switzerland (new Federal Act on Data Protection – FADP), have adopted a risk-based approach to implementing GDPR compliance measures. Any organisation, regardless of geographical location, that collects or processes personal data on EU residents needs to comply with the GDPR. Non-compliance by such organisations has severe financial consequences.
Less is more
While for years companies have collected data according to the motto «the more the better», this trend is slowly changing due to the enforcement of stricter data compliance regulations around the globe. Today, many companies are shifting from mass collection of data to a more selective approach to data collection. Because of the risk of very high fines for data protection violations throughout the world – especially in Europe under GDPR – companies need to understand what data they hold, how they process it and what purpose it serves. However, most companies admit to difficulties with fundamental questions of records management. Furthermore, many companies in Europe admit that they do not have a comprehensive data governance framework in place.
Moving beyond the regulatory requirements, the implementation of state-of-the-art data and records management presents companies with the opportunity to transform their core operations and culture into those of a digitally intelligent organisation. Here, data minimisation can play a key role in allowing companies to stay ahead of the curve.
The journey to data minimisation starts with the major task of understanding the system landscape and the IT infrastructure. Challenges on the way to better data and records management include:
- Insufficient ownership of the IT landscape
- Dependencies on third-party providers
- Processing of physical data
- Processing of unstructured data
- Decommissioned applications
The benefit of a data minimisation initiative is data protection compliance, along with more targeted insights from data analysis.
First assessment, then action
Data protection regulations and data and records management are two dimensions that no business can afford to ignore. Depending on your company’s level of data protection compliance, there are several action points to consider. After assessing where you stand on your data and records management, you should reflect on the following questions:
- Do you have a clear view of your data and records management practice?
- Did you execute a data protection programme to ensure initial compliance with regulatory requirements (GDPR/FADP)?
- Have you established clear data governance, including change management and roles and responsibilities?
- Did you implement automated deletion capabilities for personal and important business data?
PwC experts offer your company a tried-and-tested approach that leverages transformation capabilities to support you on your journey to data protection compliance.
For your own copy of PwC’s brochure «In the era of data protection, less (data) is more», please click on this link.