If you have ever been to the tropics, you will know that when it rains, it really rains. Bucketloads of water can fall in a very short period of time. But in an equally short period of time, all the water (usually) simply drains away, thanks to advanced civil engineering. What’s interesting is that everyone takes this for granted, and hardly spares a thought for the system that carries the water away, until it goes wrong. In other words, civil engineering and architecture have matured to the extent that environmental factors are not just responsibly taken into account when planning cities, but that everyone understands that this will be the case.
The same cannot yet be said about data management. The business case for data governance is still challenging and it does not routinely happen. But at the same time, even though this is the case, there is somehow a subtle assumption that data governance is like advanced civil engineering: It is in place, and will operate effectively. Nobody seems to see data as an asset, and it is often only when data management becomes a problem that anyone pays any attention to it. Next May, when the General Data Protection Regulation comes into force across Europe and beyond, could be one of those moments.
Monitoring GDPR compliance
Here’s a case in point, and I promise I’m not making this up. In my travels as a consultant, I get to engage with lots of companies at events. At a recent GDPR roundtable, someone mentioned that they are tracking all systems and privacy-related fields on a spreadsheet. A manual system, requiring ongoing updating, for something that important? My first reaction was horror, but then I realised this is part of a pattern.
Business leaders have a general view that the arrival of GDPR will bring benefits as well as challenges. In a recent study, for example, 71% said that their data governance would improve as a result of GDPR compliance. They expected to have a better understanding of the data they held, and therefore be able to use it more competently. Business — meaning competitive — benefits would follow, as they would know more about customers.
There is, however, a gap in the middle of that assumption. Experienced project managers sometimes talk about the ‘miracle box’: In many project plans, there is a ‘gap’ in the middle, between your inputs and outputs, where something undefined is going to happen that will turn your inputs into your outputs or outcomes. In other words, your project plan might as well say ‘At this point, a miracle will happen’, and inputs will be magically transformed by some alchemy. This is the miracle box, and it is surprisingly common, even in organisations that should really know better.
Will benefits magically appear?
Are organisations guilty of ‘miracle box’ thinking in relation to GDPR? It seems possible. There is little evidence of concrete thinking about how to ensure that compliance will bring benefits, or even thinking about what forms of compliance would bring which benefits. In my view, benefits will only accrue if the work is put in to align governance. Theory is no use without practical application.
For example, consider consent. Under GDPR, consent must be given for specific purposes. A generic consent, given once, is not enough. But many current systems do not gather information about the purpose of consent. And what about when the consent changes? What systems do you put in place to ensure that details are updated? These are difficult questions, it is true, but they must be answered.
Opportunities and risks
In my opinion, monitoring using a spreadsheet is simply not going to deliver these benefits. Any organisation that thinks that this is the case is guilty of ‘miracle box’ thinking. But worse, they are both missing the opportunity to grasp benefits and failing to consider the risks of non-compliance. On the risk side, yes, for a while you might be able to get away with a manual approach. But in the longer term, you are running a serious risk, with very real consequences of major fines and reputational damage.
On the opportunity side, you are missing the chance to generate a genuine multi-channel strategy, enabling you to identify the customer across all channels. This would offer benefits to organisation and customer alike, in terms of tailored communications and marketing that fit the customer’s own expressed preferences.
Organisations need to start thinking about the content of their ‘miracle box’. Only genuine data governance and alignment will deliver the expected benefits from GDPR compliance.