Good data governance provides your company with reliable value. Conversely, a laissez-faire approach to data policy is likely to erode your data’s reliability, your company’s competitiveness, and your overall revenue. What, then, defines good data governance?
European Data Protection Congress 2017 in one lesson
This question was a central theme at the International Association for Privacy Professionals’ annual Europe Data Protection Congress in Brussels, earlier this month. Among its speakers were several prominent figures from the academic, public, commercial, and legal arenas. These included the European Data Protection Supervisor; the NSA’s Privacy & Transparency Officer; security and privacy directors of IT giants such as Facebook, Microsoft, and IBM; as well as leading legal figures from renowned law offices and academia.
So, what brought all of these perspectives and interests together? No matter the differences in expertise and angle, each session repeatedly taught the same fundamental lesson: the GDPR is to be considered an opportunity to enable proper data governance in an atmosphere of responsibility and accountability.
State-of-the-art data governance
These values of responsibility and accountability are translated into explicit requirements in the GDPR, in particular Transparency (Article 12) and the rights of data subjects (Articles 13 to 22). These articles can be considered to provide ‘active rights’ in the sense that those from whom the data originates (‘data subjects’) may actively pursue these rights with the data controller. The data controller must, of course, comply. The GDPR was designed so that any organisation within its scope must guarantee the rights of the data subjects.
This leads to the interim conclusion that modern-day data governance encompasses not only the processes of data collection and processing. It must also stipulate an up-to-date accountability framework, while keeping track of the goals, legal grounds, and protective measures (the ‘what, why and how’) related to all processing.
What is interesting is how compliance with these data subjects’ rights also actively protects the data controller’s own interests. Time to take a closer look.
First phase: the ‘absolute’ right to access
Any natural person who believes that a data controller is processing his or her data can ask the controller whether that is indeed the case. If so, the data subject has the right to access this data. The controller provides this data, and must also inform the data subject about the purposes of processing, the categories of personal data being processed, for how long the data is kept, to whom the data may be disclosed, whether or not profiling is done, and the possible consequences that it may have on the personal life of the data subject. Moreover, the controller is also in charge of notifying the data subject of his or her other rights.
Second phase: Killing two birds with one stone
After having accessed his or her data, the data subject has some options. S/he may just leave things as they are. Alternatively, s/he may invoke other rights. To highlight the importance of good data governance, we emphasize the right to erasure and the right to object.
Right to erasure
The data subject may invoke his or her right to erasure, perhaps better known as the ‘right to be forgotten’. Indeed, when granted, all personal data of the data subject must be erased by the controller. However, this does not mean that the controller must comply with such a request right away, at all times. The right called upon by the data subject is not an absolute right; it must be balanced against other rights and interests. This is why, as a controller, it is of vital interest to have one’s data governance up to date. Let’s see how this works out, using two contexts as case studies.
Context 1: Data subject rights v. data controller interests
Before it can be executed, the right to erasure must be balanced against the interests of the data controller. The right to erasure can only be invoked if the personal data are no longer necessary in relation to the purposes for which they were collected or processed, or if the processing happens unlawfully, or if erasure is required by another law. This means that the controller may have compelling reasons (legitimate interests) which allow it to continue processing. Even when the processing happens on the basis of the data subject’s consent, which he or she then revokes, the data will not simply be erased if there is another legal ground for its processing.
Context 2: Data subject rights v. other fundamental rights
The right to erasure cannot be executed when the processing is necessary to exercise the right of freedom of expression and information. Also, when the controller processes the data to comply with other legal obligations, or when processing is necessary for reasons of public interest in the area of public health, the data may not be erased.
Right to object
Another fundamental but non-absolute right of the data subject is the right to object to processing of his/her data. One precondition applies: the legal ground for processing must be either the controller’s legitimate interests, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In other words: if the data subject has previously consented to the processing, s/he cannot simply object. S/he must then walk a different route, starting with the revocation of his/her consent.
Balance: interests, rights, and freedoms
If the data subject objects to processing, the controller must stop this processing. However, if the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, it may not have to do so. Again, this is a matter of balancing rights and interests, and of preparation.
If this preparation is not in place, each request will probably result in a temporary ‘restriction of processing’ until more clarity is obtained, risking either non-compliance or damaged interests. However, if the controller has properly prepared and documented all its processing activities, it knows whether or not to comply, wholly or in part, with the requests it receives, as well as the legal, financial, and operational consequences.
Good data governance
Good data governance enables transparency while preparing and protecting your organization against uncertainty within the legal, financial, and operational domains. Careful preparation and documentation of the rights of your data subjects has many advantages.
Good data governance:
- guarantees your data subjects’ rights (and associated reputation increase/decrease);
- protects you as a data controller from unjust attempts to restrict your data processing activities (which may even make you lose your compliance with other laws);
- provides an overview of your processing activities, their values, and their financial, legal, and operational consequences.
Preparing your organization for a future of sustainable data management is only sensible. If you would like a free-to-use indication of your current status, check out our GDPReadiness Assessment.