By Bruck Assefa.
Organizations are constantly at risk of paying hefty penalties for failing to comply with the rules and regulations that dictate how they operate and do business. A recent study by the Ponemon Institute and GlobalScape, “The True Cost of Compliance with Data Protection Regulations”, concluded that the average cost of non-compliance is now $14.82 million annually (a 45 percent increase from 2011) and is 2.71 times higher than the cost of compliance. In other words, organizations are better off investing in the people, processes and technology needed to comply with data protection regulations than incurring the cost of non-compliance.
Compliance is, of course, broader than data protection regulations: it also covers other global and regional regulations, industry-specific mandates and contracts with trading partners. In this article I’ll focus on the regulation that has been on everyone’s mind since it became enforceable on May 25, 2018, the General Data Protection Regulation (GDPR), and briefly discuss how an effective Master Data Management (MDM) strategy can help an organization on its path to compliance.
MDM and GDPR
The GDPR aims to protect the privacy of individuals in the European Union (EU) and the European Economic Area (EEA) by giving them greater control over their personal data and over how it is collected and used; it applies to any organization that processes the personal data of those individuals, wherever that organization is based. In practice this means organizations need strict control over the systems and processes they use to collect, manage and share information about their customers, employees, suppliers and the other parties they do business with.
The reality, however, is that personal data about individuals is fragmented across departmental silos, with each department collecting and using the data in its own way. Some organizations cannot even tell whether records in two separate departmental applications refer to the same individual, which seriously jeopardizes GDPR compliance: an access or erasure request cannot be honoured completely if the organization does not know where all of that person’s data lives. An MDM solution addresses this problem by providing a central hub where Master Data about an individual is consolidated, cleansed and cross-referenced to create a single, consistent representation of that individual across the enterprise.
Governing Collection and Use of Master Data
The GDPR requires organizations that process an individual’s personal data to disclose to that individual key aspects of the processing, such as what data is collected, the purpose of the collection, how long it will be retained and whether it is shared with third parties. Where consent is the lawful basis for the processing (it is one of several lawful bases the GDPR recognizes), the organization must ensure that the collection and use of the data stays strictly within what the individual consented to. This is extremely challenging for organizations that lack the tools and governance processes to pinpoint where the data resides, when it was created, who has access to it and how it is being used. Organizations with MDM can address these concerns more effectively because MDM applications are designed to automate, enforce and monitor exactly such governance policies for Master Data.
One of the key value propositions of MDM is granular security on Master Data. Organizations can define functional security for a given user or role to control who may perform which operation on an individual’s Master Data (for example create, modify, delete or publish records). They can also define data security to control who may see specific attributes of an individual’s record (for example name, address or contact details), so that each role sees only the fields its business function requires.
MDM solutions also provide workflow capabilities to ensure that only the relevant stakeholders can create, modify, review and approve Master Data. Because most MDM solutions also keep a full audit trail, organizations have visibility into who changed which data, and when, for every individual’s Master Data record, which is also the evidence an auditor or supervisory authority will ask to see.
Finally, MDM solutions streamline the distribution of Master Data to the applications and business processes that need it, in the required frequency and format. This means organizations can control, application by application, which Master Data is shared, how and when it is shared, and for which business purpose, in line with the individual’s consent, rather than distributing complete records everywhere.
Right of Access and Right of Erasure
In line with the effort to give individuals control over their personal data, the GDPR also gives data subjects the right to request and obtain the personal data an organization (the data controller) holds about them and, under certain conditions, to have that data erased. When it comes to Master Data, there is no better place to generate such a report in common human-readable formats than the MDM solution where the individual’s Master Data is centralized. Similarly, a deletion request can be orchestrated via a guided workflow that deletes the Master Data in the MDM application itself and in every other business application to which it was shared; the MDM hub is the one system that knows the complete list of those downstream copies. Note that the right to erasure is not absolute: where another legal obligation requires the data to be retained, the workflow should record the refusal and its reason rather than silently skipping the record.
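As an added illustration of the capabilities described in the two preceding sections (functional and data security on Master Data, consent- and purpose-scoped sharing, and an erasure workflow backed by an audit trail), here is a small Python policy layer for an MDM hub. It is example code written for this editing pass, not code from the original article or from any MDM product; the roles, purposes, application names, field sets and the two sample records are all constructed, and a real MDM hub would back these tables with its own metadata, identity and integration services.

```python
# Added example (not code from the original article or from any MDM product):
# a toy policy layer for an MDM hub showing role-based field visibility,
# purpose- and consent-scoped sharing, and an erasure workflow that fans out
# to downstream applications and writes an audit trail. All roles, purposes,
# application names and the sample records are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Functional security: which operations each role may perform (constructed).
ROLE_FUNCTIONS = {
    "steward":   {"read", "create", "modify", "delete", "publish"},
    "support":   {"read", "modify"},
    "marketing": {"read"},
}
# Data security: which fields of a record each role may see (constructed).
ROLE_FIELDS = {
    "steward":   {"name", "email", "phone", "address", "dob"},
    "support":   {"name", "email", "phone"},
    "marketing": {"name", "email"},
}
# Data minimisation: the fields each business purpose actually needs (constructed).
PURPOSE_FIELDS = {
    "order_fulfilment": {"name", "email", "address"},
    "newsletter":       {"name", "email"},
    "support_ticket":   {"name", "email", "phone"},
}

@dataclass
class MasterRecord:
    subject_id: str
    fields: dict
    consented_purposes: set                        # purposes the data subject agreed to
    legal_hold: bool = False                       # e.g. retention required by tax law
    shared_with: set = field(default_factory=set)  # downstream apps holding a copy

class Hub:
    def __init__(self):
        self.records = {}
        self.audit = []  # who did what, to whose record, and when

    def _log(self, actor, action, subject_id, detail=""):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action,
                           "subject": subject_id, "detail": detail})

    def view(self, role, subject_id):
        """Return only the fields the role is entitled to read."""
        if "read" not in ROLE_FUNCTIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not read")
        rec = self.records[subject_id]
        shown = {k: v for k, v in rec.fields.items() if k in ROLE_FIELDS[role]}
        self._log(role, "view", subject_id, ",".join(sorted(shown)))
        return shown

    def share(self, app, subject_id, purpose):
        """Release to `app` only the fields `purpose` needs, and only if the
        data subject consented to that purpose; denials are logged too."""
        rec = self.records[subject_id]
        if purpose not in rec.consented_purposes:
            self._log(app, "share_denied", subject_id, purpose)
            raise PermissionError(f"no consent for purpose {purpose!r}")
        payload = {k: rec.fields[k] for k in PURPOSE_FIELDS[purpose] if k in rec.fields}
        rec.shared_with.add(app)
        self._log(app, "share", subject_id, f"{purpose}:{','.join(sorted(payload))}")
        return payload

    def erase(self, role, subject_id, downstream):
        """Erasure workflow: delete in the hub and in every app that received a
        copy. `downstream` maps app name -> callable(subject_id) that deletes
        there. A legal hold blocks erasure and is recorded, not silently skipped."""
        if "delete" not in ROLE_FUNCTIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not delete")
        rec = self.records[subject_id]
        if rec.legal_hold:
            self._log(role, "erase_refused", subject_id, "legal_hold")
            return False
        for app in sorted(rec.shared_with):
            downstream[app](subject_id)
            self._log(role, "erase_downstream", subject_id, app)
        del self.records[subject_id]
        self._log(role, "erase", subject_id)
        return True

def build_demo_hub():
    """Constructed sample data: two data subjects, one under a legal hold."""
    hub = Hub()
    hub.records["cust-001"] = MasterRecord(
        "cust-001",
        {"name": "Ada Example", "email": "ada@example.invalid", "phone": "+00 000 0000",
         "address": "1 Sample Street", "dob": "1970-01-01"},
        consented_purposes={"order_fulfilment", "newsletter"})
    hub.records["cust-002"] = MasterRecord(
        "cust-002", {"name": "Bob Sample", "email": "bob@example.invalid"},
        consented_purposes={"order_fulfilment"}, legal_hold=True)
    return hub

if __name__ == "__main__":
    hub = build_demo_hub()
    print(hub.view("marketing", "cust-001"))          # name and email only
    print(hub.share("crm", "cust-001", "newsletter"))  # consented purpose
    deleted = []
    print(hub.erase("steward", "cust-001", {"crm": deleted.append}), deleted)
    print(hub.erase("steward", "cust-002", {}))        # False: legal hold
    for entry in hub.audit:
        print(entry["action"], entry["subject"], entry["detail"])
```

The point of the three tables at the top is that they are the governance policy in data form: what a role may do, what a role may see, and what each purpose needs. Every view, share, denial and erasure step writes to the same audit list, so the trail shows not only the successful operations but also the attempts the policy blocked and the erasures refused under a legal hold.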
Conclusion
Compliance with data privacy regulations is one of the pressing business imperatives for organizations: non-compliance means significant penalties from regulators as well as lost revenue from customer attrition. MDM needs to be at the forefront of what organizations consider part of their compliance strategy for the GDPR and other data privacy regulations. MDM centralizes Master Data about individuals, including names, addresses and contact details, in a single application and applies data governance rules for the appropriate creation, maintenance, retention and dissemination of that data.
Keep in mind, however, that MDM is not the full answer to GDPR compliance, because Master Data is only a subset of the personal information organizations may hold about individuals; transactional records, application logs, backups and unstructured documents fall outside it. Organizations need enterprise-level governance processes covering all the personal data they collect; MDM is one key component of an effective compliance strategy.