Expert Interview (Part 2): Paige Bartley on Data Lineage, Data Quality, and Data Availability in GDPR Compliance
In this expert interview series, Paige Bartley, Senior Analyst for Data and Enterprise Intelligence at Ovum, discusses the state of GDPR readiness, and how data quality, data availability and data lineage play into the GDPR compliance landscape.
Part 2 weighs in on the role of data lineage, data quality, and data availability in GDPR compliance as well as the level of enforcement that we should expect after the deadline.
What role do data lineage, data quality, and data availability play in GDPR compliance?
Data lineage, data quality, and data availability are inherently linked to GDPR via several mechanisms.
When it comes to data lineage, article 30 of GDPR details the requirements for records of processing activities on personal data. This entails requirements for maintaining records of the purposes of processing, records of data transfers to non-EU locations, and records of who the data was disclosed to, among other requirements. While data lineage is never specifically mandated in the text of the regulation, lineage is critical to understanding how data was handled, who it was handled by, and where it was handled. Data lineage, when tracked at a granular level, can provide the means for automated reporting that can fulfill Article 30’s requirements. Furthermore, it can provide the enterprise with a mechanism for Article 31 requirements for cooperation with supervisory authorities; when the organization understands every action that has been taken on a given piece of personal data, it is much easier to communicate with supervisory authorities and demonstrate that compliance has been maintained throughout the data handling process.
As for data quality, data quality is neither solely a direct product of GDPR compliance nor solely a direct driver of GDPR compliance. Rather, data quality is the result of a positive feedback loop between compliance efforts and preexisting data management initiatives. Good initial data quality will help in GDPR compliance initiatives because it means that data subjects will have less opportunity to invoke their Article 16 right to rectification – or correction – of data. But GDPR compliance, by virtue, also helps increase the quality of new data collected. GDPR compliance and explicit consent practices mean that the data collected under the regulation will largely be voluntary and accurate. GDPR is an opportunity to build trust with consumers, and trusted relationships yield more relevant and accurate data relative to the opt-out consent model which collects data opaquely. So data quality is both a driver of compliance as well as a product of it.
For data availability, it’s important to understand that GDPR is not a technical regulation by nature. It focuses more on process, and names very few explicit technical requirements. This is by design. If the regulation were built around specific technical capabilities, it would quickly become obsolescent, as technology evolves much more quickly than policy. However, data availability, which is relatively unique amongst technical capabilities, is cited directly in GDPR as part of Article 32’s requirement guidelines for the Security of Processing of personal data. High availability of systems, while not absolutely mandated, is highly encouraged for GDPR compliance.
How rigid do you expect GDPR enforcement to be after the deadline? Do you think regulators will focus only on major violations and big companies, or should everyone be worried about even minor deviations?
Initial enforcement will likely focus on prominent, high-margin organizations that use data monetization as their primary business model. The regulatory bodies have only so many resources for audit and investigation, and they are likely looking to “make an example” of a household-name organization that processes personal data at scale as a fundamental part of their business. My intuition is that the EU will likely seek to pursue initial enforcement against a non-EU business, to underscore the point that the regulation is global in its reach.
This isn’t to say that smaller firms or minor deviations from compliance will be let off the hook. The regulation allows robust mechanisms for data subject to legal remedies against data controllers and processors which have run afoul of the regulation. Article 79, in particular, guarantees the right to effective judicial remedy against a controller or processor, opening the door to class-action lawsuits.
In this sense, consumers can become the eyes and ears of the regulatory bodies, taking legal action against any firm that they feel has not properly protected their personal data. So while the supervisory authorities may not initially set out to enforce against smaller firms or minor infractions, there is always the possibility that regular EU citizens may lodge a complaint or initiate legal action against a firm that they feel has mishandled their personal data.
Be sure to tune in for the final installment when Bartley speaks about the difference between the technology and process in the GDPR and how it can potentially inspire other regions to create regulations of their own.
To learn more about GDPR compliance, read our eBook: Data Quality-Driven GDPR