GDPR compliance the perfect opportunity to modernize data architecture
The General Data Protection Regulation is now the most comprehensive data protection decree in the world. Though chiefly drafted to empower residents of the European Union with the clear legal right to control the collection and use of their personal data, the GDPR effectively impacts companies worldwide that offer goods or services to individuals in Europe, monitor the behavior of those individuals, and collect and process personal data belonging to individuals from the EU.
To ensure that data collectors and processors know the EU is serious, the regulation includes serious penalties, including very substantial fines, for non-compliance.
While most organizations are focused on whether they are affected by the regulation, and if so, what they need to do to comply, they are missing the silver lining of the GDPR.
Specifically, because the GDPR’s provisions require affected companies to make significant changes in the ways in which they collect, store, process, protect, and even delete customer information upon request, most organizations will have to make significant adjustments and modernizations to their data architectures in order to comply with the regulation.
There are a number of ways in which organizations can address the GDPR’s requirements. However, if companies take this opportunity to modernize their data architectures by implementing a data-centric model, they will not only be able to comply with the GDPR, but will also be positioned to comply with additional regulations in the future without having to undertake major initiatives every time something changes. Equally important, they will become more agile in their product and service development and rollouts, and more efficient and effective in their ability to respond to market trends and competitive threats.
Organizations’ Information Architectures “A Mess”
The desire to improve organizations’ information architectures by moving to a data-centric model is something that’s been on the minds of many of us in the data architecture and management world for a number of years. In fact, several years ago a document called The Data-Centric Manifesto was published and captured much of what was being discussed. A couple of statements in that document particularly and straightforwardly summarized what many of us already knew.
First, “The Information Architecture of large organizations is a mess.” Additionally, “A root cause of the messy state of Information Architecture in large institutions today... is the prevailing application-centric mindset that gives applications priority over data. The remedy is to tip this on its head. Data is the center of the universe; applications are ephemeral…We believe that the current Enterprise Information System paradigm, centered on applications, with data as second class citizens, is at the heart of most of the problems with current Enterprise Systems.”
This is a nice summation of the challenge data consumers face in accessing the data they need to produce the kinds of insights that drive innovation. Although many of us have known that placing data at the center of the IT universe made sense and could effectively erase this challenge, we also faced the frustrating reality that there’s never a good time for making fundamental changes in IT architectures. However, since we have no choice but to comply with the GDPR, we finally have just the opportunity we need to address GDPR compliance while simultaneously modernizing data architectures by adopting a data-centric approach. It’s a truly unique moment that we should not waste.
How To Get Started
Moving to a data-centric information architecture and complying with the GDPR may seem unrelated at first glance, but both clearly recognize that data is critically important. In fact, both the rationale for data-centricity and the GDPR are based on the fact that data is central to organizations’ ability to function efficiently and properly and that without proper management and processes in place, there will be a significant, negative impact on the enterprise.
Application-centric data management limits organizations’ abilities to be agile, innovative, productive and cost-effective because the data management capabilities have to be replicated in every single application. A platform-centric approach to data management is limiting as well since there are multiple platforms in any enterprise.
The advent of the GDPR provides organizations a great incentive and rationale for revamping their information architectures by building a stack that places data at the heart of their enterprises. By adopting a data-centric approach in which all enterprise data can be managed using a common framework that can work with a variety of data stores and support a variety of workloads, organizations will become much more efficient and more likely to identify insights that drive innovation.
You should begin to consider adopting a data-centric approach to data management by thinking about data as assets and managing them as such. To do so, your organization will need to build or adopt data management technologies that give you the ability to be agnostic to applications and data platforms. That means, among other things:
- Cataloging data in a manner that is agnostic to data platforms
- Centralizing the way you define and enforce authorization
- Employing a consistent method of anonymizing and obfuscating data across different platforms, regardless of who is accessing the data and how
- Implementing a distributed data governance process that maps to the data owners governing and managing their data assets
- Gaining continuous visibility into the activity around the datasets from all data platforms in the enterprise
- Managing the lifecycle of data across multiple data platforms
By taking these steps, organizations can start to manage data in a more data-centric manner, which will provide more flexibility and agility in the way they work with data.
Returning to the issue of GDPR, complying with the regulation’s stringent rules on how customer data must be handled, protected, and made available to data subjects on demand is close to impossible if organizations do not modernize their information architectures around data.
In the absence of a data-centric model, data is scattered around enterprises, making it extremely difficult and time-consuming to find users’ data trails, provide customers access to their personal data, and enable users to be forgotten upon request in the short period of time allowed by the GDPR. So, you see, complying with the GDPR and adopting a data-centric information architecture are, indeed, related.
It’s not often in the IT world that you have an opportunity to make major changes and improvements in your information architecture -- changes that make your organization more agile, innovative, efficient and cost-effective while enabling you to comply -- efficiently and accurately -- with the GDPR and all of the other laws and regulations that currently exist and that will be created in the future.
As someone who has worked in the technology world for many years now, I can say that opportunities like this do not come along too often. My advice is to seize this one without hesitation.