European Union: GDPR Will Force Us To Properly Govern Data

Last Updated: 19 April 2018
Article by Ramsés Gallego

With the arrival of the regulation, organisations must embrace greater privacy rights in order to handle data

Governance is a discipline beyond management, an overarching umbrella for the direction and approach leading to a greater future. You should govern an organisation, a company and – in our age – a data set.

The latest law relevant to that ethos, the General Data Protection Regulation (GDPR), will take effect on 25 May. But rather than being a mere technical checklist, it aims to foster a culture of data protection and information safeguarding. And we have to celebrate it.

It took the EU three and a half years to agree the privacy angle inherent in GDPR, but it now is a massive opportunity to encourage everyone to do the right things correctly for data collection, processing, retention, protection and governance.

Data harmony

GDPR harmonises and unifies 28 different member states under one law – with the UK government planning to maintain the regulation even after the country leaves the EU. Since the regulation is not a European directive, it will not have to be transposed into national law by every country. It is directly applicable.

It will mean investments in different dimensions, including technological and organisational ones, to ensure that sensitive data has been collected with explicit consent from subjects. For many companies, it changes the game. Privacy will not be treated as a privilege anymore, but more like a right.

Although GDPR is an EU law, it has international aspirations, since it has been created to protect Europeans and their data no matter where they live or work.

This is interesting, since now the EU might be able to fine companies that are not within its strict jurisdiction, as long as they are processing data about European citizens. It could even cause geopolitical tensions.

Be sensitive

It is vital to understand GDPR is not a security regulation but a privacy one. This is important, since we can have security without privacy, but we cannot have privacy without security.

There are explicit mentions of technology in the law, such as the need for encryption, and implicit references to many other technology disciplines, including identity management, access control, monitoring services, data anonymisation and cyber-risk training.

Consequently, there is an expectation from the Article 29 Working Party, an EU advisory body made up of the bloc's various data protection watchdogs, that companies use technology to protect and defend personally identifiable information (PII).

Many things are considered sensitive information, including names, addresses, dates of birth, video footage of an individual, membership to unions or associations, and even IP addresses which are used to identify computing devices.

Every company, organisation, and government institution has this sort of information and should know where it lives, who is touching it, for how long, and with whom it is shared, both internally and externally.

"GDPR explicitly mandates that organisations 'demonstrate ongoing compliance'"

You can see the data firm Cambridge Analytica's alleged unauthorised access of Facebook users' data as a recent example of a company losing control of data.

At the core of GDPR also sits the interesting concept of privacy impact assessments (PIAs). These are aimed at making an organisation understand what kind of information it manages. They can be summarised in the answers to five universal questions: Who is touching What, When, Where and How.

Also critical is that GDPR explicitly mandates that organisations 'demonstrate ongoing compliance'. For companies this is huge, since it departs from the idea of occasional scheduled auditing.

Ongoing compliance shows how good or bad an organisation's controls are in a given moment, and fosters the approach of being continuously compliant with the law.

An entity must have monitoring controls in place and fully understand the three natural states for data: at rest, in motion and in use. For GDPR compliance, it is fundamental to grasp where data is stored, when and where it is moving, and how and by whom it is being used – again, the five universal questions.

Command, control

The EU also flagged another aspect of governing a data set: the need for communicating when a breach has occurred, both to authorities and subjects affected. This could be a process nightmare when a data leak affects millions of citizens, patients, or customers.

Curiously, the law explicitly mandates that organisations must communicate a breach 'in 72 hours from the moment of knowledge of the issue'. This leads to the question of what happens if a company official did not know about the breach.

In this situation there would not be the obligation of communicating anything. But this does not let organisations off, since it may point to negligence and not having proper countermeasures that would have brought control and visibility around data governance.

By law, many organisations will have to name a data privacy officer (DPO). The appointment of an official being mandated by law is not new, but the way it has been approached deserves some attention.

GDPR explicitly orders that this official be 'independent' to do their job and report directly 'to the highest official of the corporation'. That is an interesting twist since it shows the obligation to not hide this important role within the hierarchy of the organisation.

From another view, this setup may also breed tensions between departments, since one is tasked with protecting information, while others, like infrastructure managers or systems directors, are less interested in the privacy aspects of their day-to-day tasks.

This is a clear example of the difference between management, which focuses on execution and running systems, and governance, which looks at the value of IT, the responsible use of resources, and risk management.

Race past the finish

It is important to remember that 25 May is not the finish line, but the starting point. Surveys from Symantec show that most companies will not be in good shape when GDPR comes into force.

This is a small tragedy, since the law will be enforced from that day onwards, and the Article 29 Working Party has confirmed that the date will not be extended. It is set in stone.

Even so, the opportunity for organisations to reinvent themselves in GDPR's wake is massive. The law invites them to design some processes almost from scratch and, most importantly, to define controls, policies, standards, and guidelines to fully understand the information lifecycle.

"The opportunity for organisations to reinvent themselves in GDPR's wake is massive"

In the 'cloud' era of remote computing, this is no small task. Organisations often use many different remote services, with different departments' choices creating other data governance problems.

Some of these services will have been accessed without the knowledge of the IT, risk, compliance or procurement departments. This approach is sometimes called 'shadow IT' or 'shadow data'. GDPR is aimed at avoiding these situations and educating everyone in the corporation on cyber risk.

Technological changes, when paired with organisational ones, have made it cheaper to encrypt information automatically when sensitive information is detected in a document.

Software can also trigger robust authentication for certain 'circles of trust' and embed security within the document, so that no matter where data goes access can be revoked.

Such an approach is at the heart of modern data governance, adapting and adopting mechanisms that provide control, visibility, protection and defence.

That is the overarching goal of GDPR and one critical aspect of the National Institute of Standards and Technology's governance definition, which includes strategy, tactics, risk management and the responsible use of resources.

Responding to this change is not going to be easy, but it is possible. At the very least, GDPR will force organisations to focus on their most important assets: people, data, users and information.

Ramsés Gallego is a strategist and evangelist at Symantec and past ISACA board director

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions