I concluded a previous post "GDPR - More Than Just Another Regulation" stating that the GDPR (General Data Protection Regulation) forces organizations to prioritize a long-due overhaul of their informational infrastructure.
In my understanding, a contemporary informational infrastructure is a system of people, processes and tools (software, hardware) that covers the five business disciplines represented in the image below whereas each level builds on the lower one(s).
Due to my observations, a vast number of organizations find themselves in the status where upper management hopes to advance level 4 and 5 to get the edge over the competition while business departments still struggle with the quality of level 3 due to a lack of foundation in level 1 and 2.
How does that relate to an organization's capability to comply with the GDPR?
The sole purpose of the GDPR is the protection of an individual's rights as the owner of their personal data. However, since personal data are at the core of almost any business and even any business transaction, the GDPR's provisions imply a certain informational infrastructure.
For example, GDPR grants any individual being in the EU ("data subject") a far-reaching control over their personal data records throughout the complete data life cycle with an organization, i.e. control over Create, Read, Update and Delete of their personal data (as long as it does not restrict the legitimate rights, liberties or legal obligations of other parties).
- Create: The creation of records requires the data subject's explicit consent or is necessary to perform a contract with the data subject [Art. 6 et al.].
- Read: The data subject has the right at any time to know the total scope of captured and stored metadata and values related to their personal data [Art. 15 et al.] and to exclude usage of their data from certain purposes [Art. 21 et al.]. On the complementary, the organization has the obligation to restrict the access to personal data on a need-to-know basis.
- Update: The data subject has the right to rectify [Art. 16] and/or to restrict processing of their personal data [Art. 18].
- Delete: The data subject has the right "to be forgotten", i.e. their personal data to be deleted upon demand [Art. 17].
Although the provisions of the GDPR do not explicitly mention any infrastructural measures as of level 1 and 2, it is obvious that the organization can only comply with the rights of the data subject (and fulfill its own respective obligations), if the whereabouts of the data subject's personal data are completely transparent at any time, i.e. if the organization employs
- a data model of the personal data (that shows all the references and physical storages of personal data throughout the organization) [prerequisite for rectification and deletion]
- a map that shows all the information flows of personal data (data flow diagram, process model) through the organization [prerequisite for information about the usage purposes and potential objection]
- a functioning Master Data Management system that maintains "golden" records of personal data (or at least keeps possibly multiple records in sync) [prerequisite for rectification and deletion]
- a functioning Data Governance system [prerequisite to comply with the GDPR in general]
Organizations should welcome the GDPR as they will profit from these measures far beyond the purpose of complying with this regulation...
Note: This post has been updated from an earlier version written before the GDPR entered force.