Is Data Governance a subset of Data Protection, or is it vice versa?

So far, discussions on Data Governance were restricted to the Big Data players. Data Security professionals were more focussed on “Data Security”, and everything else took second place.

In organizations pursuing GDPR compliance, the DPOs became key senior executives reporting directly to the CEO and called all the shots when it came to inter-departmental conflicts, such as whether a new client or process has to be onboarded.

Slowly, Data Governance is regaining its voice, and discussions are now under way about how Data Governance and Data Protection should co-exist.

The Data Governance approach is basically to look at “Data” as an “Asset” of an organization. In management parlance, any asset may be bought as raw material, converted into a finished product and re-sold. The “Value addition”, which maximizes the price realized on the finished product and reduces the cost of inputs, is the responsibility of managers. The “Productivity” of every production parameter, as well as of the “Raw Material itself during the processing”, is the key focus of the data managers.

Since every asset of the Company has to be protected from loss or pilferage, it was necessary to consider “Security of Data” as one of the parameters that the Data Governance Manager was expected to consider as part of his responsibility.

Even if the “Security” required was of the highest order, the productivity of the “Asset” was still the key, and “Security without Productivity” was not the preferred objective.

However, when Data Security professionals came to rule corporate decision making, there was a new-found empowerment of the data protection professionals, some of whom might have considered overplaying their part because the GDPR imposed blinding fines.

The discussion was therefore whether “Security at all costs” even with lesser productivity of the asset was the way to approach the Data Security and Data Governance functions.

The CEO therefore had a new problem of balancing the two functions and ensuring the business interests of the organizations.

Though, as consultants, we did emphasize that there was a “Legitimate Interest” of an organization that could be considered while adopting the stringent data protection regulations under GDPR, some consultants coming entirely from a legal background were so paranoid about the regulatory aspect that the “Legitimate Interest” was very much diluted. Some of the Supervisory authorities, including perhaps the ICO of the UK, also supported some impractical views of how to interpret the Data Protection Principles.

Some ill-informed activists even sent disturbing e-mail notices to Indian companies when legitimate business contacts were made, bringing up the debate of how far the “Business E-Mail” could be considered “Personal Data”.

The ensuing debate on Data Governance has to settle, once and for all, the issue of whether Data Security is a subset of Data Governance, or it is the other way round, or whether both are to be considered with equal weightage and managed.

One question that will be asked is whether personal data can be sold under GDPR if there is consent.

We will be discussing more of this in the coming days….

Do not forget to attend today’s FDPPI webinar on Data Governance at 5.30 PM on Zoom. Contact for invitation.


