Belgian national TV channel VRT NWS* has conducted a survey of Belgian companies, stores and institutions to check whether they comply with the data subject’s right of access and to check the legitimacy of their personal data processing. 83% of the organisations responded; however, only 7% of the answers were compliant with the law. Shockingly, 10% never replied.
If you’ve read our previous articles about the Rights of Individuals, you already understand that the General Data Protection Regulation (GDPR) requirements cannot be met with a simple « processing register ».
As a matter of fact, this register generally includes a « simple » business description of the data and their processing: the data values and their multiple locations are never included, so the register cannot produce what is called an « individual register » gathering all the data, processing and applications that are linked to an identified person.
Here we are at the 4th post in our series on data governance.
The objective is now to ensure that:
- the technical operations and implementations comply with the rules, internal or external, of the organization (see our first post The 5 keys of data governance : Part 1. The rules);
- what has been enforced does not go against the goals of the organization.
The scope of the GDPR
By applying the rights of persons, the GDPR grants the consumer/citizen a right to information, control and objection regarding the use of their personal data by private and public businesses. In this context, it's important for the consumer/citizen, as well as for businesses, to understand the underlying principles (see the first post of this series), the necessary implementation and the tools to use.
Personal data: an enduring misunderstanding
A great many enterprises consider that the data they collect and store are their « property ». For personal data, of course, this is not true.
As a matter of fact, in the data world, you must distinguish the « container » from the « content ». Companies own the containers and the processing operations, but the contents are and remain the full and whole property of those who are at the origin of the data.
The set of data of all types that are collected and stored every day by the various departments within a company is what we could call the « information asset » of the company. This asset is the engine on which the company relies to carry out its projects and achieve its objectives.