February 06, 2018 by Frank Golda
Guest introduction:

Mr. Mohit Sahgal is the VP of Analytics of Paradigm Technology. He is an accomplished senior executive with decades of management consulting expertise. Mohit has held various leadership positions including Senior Executive at Accenture, Partner at IBM, Partner at Capco, and Executive Director at Ernst & Young LLP.

Mr. Sahgal is also a published writer, having provided articles on information management to industry journals like American Banker, Information Management, and BI Review.

Mr. Sahgal LinkedIn profile can be found here: https://www.linkedin.com/in/mohit-sahgal-9090264/

My questions, Mr. Sahgal’s answers:

This conversation between Mr. Sahgal and I was sparked by an article that was posted on www.information-management.com. The article predicted that GDPR is the new Y2K.

  • Question: Mr. Sahgal, is GDPR the new Y2K?

Answer: Short answer is “No”. Reference to Y2K may be suggested because of the magnitude and invasive nature of the systemic changes. Having been part of several Y2K initiatives, I can report with certainty that GDPR is completely different for at least the following reasons.

GDPR:

1) is regulatory driven;

2) addresses personal and sensitive data;

3) requires the appointment of a Data Processing Officer to represent the organization to potentially several data protection authorities;

4) requires managing consent for processing data;

5) requires managing certain rights a subject may invoke;

6) requires demonstration and documentation of the lawfulness of the data processing;

7) requires the deletion of subject personal data if requested;

8) involves written contractual agreements to move or transfer personal data between entities; 9) may result in significant fines for non-compliance;

10) requires a data governance program, including on-going risk and communications management to address all of the proceeding requirements.

Y2K had no such requirements. And lastly, dissimilar to Y2K, failing to address GDPR is unlikely to break any systems.

  • Question: What is the correlation between data governance and GDPR?

Answer: A data governance program is essential to address GDPR. Collection and security of personal information online now has changed to move with the times, that is why GDPR and pii compliance must be addressed when possible to make people aware. Chapter IV, including Articles 35 through 43, mandate requirements for a Data Protection Impact Assessment (as an on-going activity), Data Protection Officer, and Codes of Conduct / Certification. These Articles outline the requirements for processing, organization, and accountability to improve data protection. In addition, Chapters VII and VIII require processes to communicate with various EU authorities, and address inquiries and actions that may be taken.

  • Question: Will Data Governance and GDPR effect organizations digital transformation? How so?

Answer: Digital transformation programs typically involve improving customer experience and intimacy. As a result, programs that impact an organization’s business in the EU, or impacts the control (Article 24), processing (Article 28 and 29), or transfer (Chapter V) of EU subject personal or sensitive data anywhere (whether in the EU or not) are impacted by GDPR. B2C scenarios are easier to understand, but B2B organizations are also impacted if they hold and process personal / sensitive data (such as first name, last name, email address, mobile phone number, etc.) of a business contact. The most common example of B2B processing is email notifications, such as marketing campaigns. Like with all such regulations in-progress, certain exceptions apply, and each organization should review the Articles in detail to assess liability. In general, consent should be obtained for contact, but avoid overuse.

My Takeaways:

Takeaway #1: GDPR seems to be a lot more serious that we are led to believe. Especially since, today, GDPR comprises 99 articles and 170 plus recitals that require some degree of treatment for businesses.

Takeaway #2: Plan to appoint a Data Protection Officer (DPO). If you have yet to appoint a DPO, be sure to have one in place before the GDPR deadline on May 25th, 2018. They will be able to help get your company on the right path for compliance.

Takeaway #3: Be aware of what noncompliance could result in fines. Chapter VIII, Article 83 addresses the different types of fines. Fines could be up to 20 million Euros/24.8 million US dollars or 4 percent of annual global turnover, whichever is higher.

Afterword, Mr. Sahgal told me that a lot of companies have still yet to comply with GDPR. Many believe that the regulation may not apply, or it will be unenforceable. Please comment below and share your thoughts.

Paradigm Technology is a strategic consulting company serving the banking, airline, manufacturing, high-tech and retail marketplaces. We utilize innovative business and technology solutions to help clients enable their digital transformation programs, and improve their Analytics, Cloud, Master Data Management, and Project Leadership solution delivery. Paradigm is ready to support you in your GDPR compliance journey. For more information about Paradigm Technology and GDPR, email [email protected] or visit us at www.pt-corp.com.