FTI has an article in the recent edition of Raconteur called GDPR: a business-critical enabler for CIOs. One paragraph from it effectively summarises the rest. Talking of the General Data Protection Regulation, now only 13 months away, Sonia Cheng of FTI says:
“It is a major catalyst for change. The GDPR makes you ask questions such as what kind of data do you have, why do you have it and where does it flow? It will also provide the foundation for other services, including revenue generation and better customer service, as well as dealing with security breaches and preparing for cyber attacks.”
There is no running away from the fact that the biggest teeth in the GDPR are the potential for very significant fines for breaches of its wide-ranging terms. Sonia Cheng’s paragraph quoted above, however, reminds us that there are opportunities here both to remedy past omissions and to look for new revenues and new clients.
Questions like “what kind of data do you have, why do you have it and where does it flow?” are ones which many organisations have ducked over the years because answering them does not appear either to increase the top line or to reduce expense. It has been hard, in other words, for Chief Information Officers to bid for budget to remedy omissions which don’t affect profit.
In practice, quite a lot of cheating goes into the ROI question. Many organisations seem to lack any means of accounting for the expense of discovery / disclosure exercises; if there is no central tracking of these costs then they either fall on a legal budget which has become resigned to them or are distributed among the departments responsible for the event giving rise to the discovery bill. Although things are changing in this regard, many organisations seem not to differentiate between the pure legal costs and the rising cost of finding data needed to meet disclosure obligations.
Subject Access Requests are a specific example of a burden which can be expensive but which is often distributed across an organisation and therefore not treated as a single problem worth spending money on.
The article uses the expressions to “build cross-stakeholder awareness” and “the cross-stakeholder nature of the problem”. One of the fundamental issues has been the distributed nature of both burdens and budgets, with no one group or department in a position to build a case for investment in a solution. What if they were to compare notes, as it were, and to think in terms of pooling resources to invest in solutions which are equally attuned to both the urgent reactive demands of compliance and the proactive anticipation of them, coupled with the control of the data which causes the real problem?
Government provides a good example of this. I have referred before to recent articles about Whitehall waste, as government spends money year after year addressing the same issues because staff turnover and the oscillation of policy demands conceal the fact that the work has been done before (here is one such article, from the Times; only the first few lines are visible to non-subscribers, but you easily get the drift of it).
One of the points made in the FTI article is that the technology needed to deal with compliance obligations, information governance initiatives and discovery is improving all the time. The GDPR provides a good reason to revisit the scope of these solutions and the consulting services which are wrapped around them, and to re-evaluate the ROI.
I have already written about an FTI webinar due to take place on 18 May called Using information governance strategies to prepare for the GDPR; Sonia Cheng is one of the participants in that.