Dr. Lars Niemann
Past and Future of Data Management - GDPR-Deadline (28.05.2018) introduces new challenges in the IT landscape
GDPR and data retention - new challenges for each company
Data is the new "gold" of the digital era. Since cheap mass data storage began with decreasing hard disk costs, the amount of data generated per year has increased rapidly, and it will increase dramatically in the coming years (see Figure 1).
Figure 1: Increase of the amount of data to 2025 (forecast).
In parallel, the number of applications has increased as well, and more and more data are sent and received via network interfaces. Devices are connected by default, so data flow and storage within networks are becoming more complex. Furthermore, "Web 2.0" and "Industry 4.0" are the new slogans for increasing data usage yet again. Data are therefore all around us and are generated in nearly every electronic device we use (see Figure 2).
Figure 2: Number of connected devices to 2020 (in billions).
From finance to insurance, from mechanical engineering to the energy business, no one can or should avoid creating and using data if they want to be compatible worldwide. Businesses are increasingly leaving their physical basis and becoming dematerialized. Processes run only virtually and produce data continuously. Businesses are moving closer together, and the world is getting smaller from a data-landscape and network perspective.
Not only since the world financial crisis in 2007, and with the increasing amount of data, the political and regulatory bodies have noticed, at the latest with the ongoing discussions about the "right-to-be-forgotten", that the increasing amount of data stored worldwide required new obligations that reflect the new security needs and ensure that no misuse is possible. Customers want full traceability: how their data are used, and where and for how long their data are stored. With the new GDPR, customers get back ownership of their personal data, independently of where the data are stored.
Nevertheless, the regulatory bodies in the US, the EU or Asia are not collaborating on an aligned catalogue of obligations for data management worldwide. Each country or economic region, like the EU, has produced and enforced its own set of obligations, e.g. the General Data Protection Regulation by the EU, deadline 28.05.2018. Some match, but some contradict each other in terms of retention period. Internationally operating companies need to follow several different data retention periods, one set for each country.
Examples of misuse in the finance area, like the Libor investigations, have shown that uncontrolled data exchange can be dangerous not only for customers but even for the business as a whole. Likewise, the failures and data breaches of social media networks acting worldwide show the weakness and vulnerability of worldwide data sharing and storage. Therefore, the wish for a higher grade of regulation and obligations was born, and the ownership of data and the responsibility for complying with regulatory obligations came into focus with a new, higher priority - today, every company works with electronic data, uses e-mail communication and uses cloud services provided by vendors.
Figure 3: Data Life Cycle Management: Generating, storing, retaining, archiving (if necessary) and disposing data.
The challenge to be solved is implementing professional data/records lifecycle management, which starts with the generation of data and ends with its disposal (see Figure 3).
Now, the GDPR lifts the obligations to a European scale and standardises them within the EU - and even a non-EU company that wants to do business in the European Union has to meet the GDPR obligations. Data ownership, traceability, disposal and the right-to-be-forgotten have come into the focus of regulators. A new dawn of quality for data retention has come in terms of obligations, traceability and ownership, reflected in a complex set of requirements for any IT system that is running or planned. In addition, fines are now set at a level where IT projects implementing the obligations are cheaper.
Figure 4: EU-GDPR - Scheme to handling personal data.
However, the shared knowledge within companies and IT units, and the compliance of currently running IT applications and systems, are far from the standard needed to meet the GDPR requirements (see Figure 4). Additional challenges are introduced, like the right to move data from one service provider to another or the right to notification. Given the typical implementation period of IT projects today, the clock is ticking louder and louder, and many companies and their CIOs need to wake up. Moreover, fines of up to 20 M€ or 4% of global annual turnover are a lot of money compared to the standard fines of today, which are in the range of thousands of euros.
Vineyard: Lars, what is your general consulting topic and focus?
Lars: I started my career as a scientist and changed to management positions right after my PhD. I am a classical project manager/lead. I joined Vineyard Management Consulting as an associate at the beginning of 2013. Before that, I did several projects in sectors from financial services, the automotive industry, the energy sector and IT providers as well as publicly funded institutions in natural and engineering sciences, life sciences as well as humanities and social sciences. Therefore, from my personal setting I am a "multi tool" in project management with a broad knowledge of different areas and settings. I adapt my project management strategy for each topic and setting. In parallel, I have started sharing my expertise with students at university lectures and workshops.
Vineyard: Was there an event that motivated you to dig deeper into data/information life cycle management (Records Management), e.g. in the financial sector?
Lars: Even in my early days in nuclear waste management (my first job as a manager), as well as when working as a General Manager, regulatory obligations were my daily business. You need to align your daily work with a framework of obligations given by legislation and regulators. There was no specific event which brought me into that field. It was more like a natural flow, coming from my experience and expertise, to dive deeper into that field. I have been used to working in regulatory frameworks for several years, in the context of different topics and from various perspectives. It is also a lot of fun arranging complex systems in a way that these systems comply with the regulatory framework. I like complex and challenging projects. And from my point of view data are more important than ever. A new regulation like GDPR is not only a process or technical change, it is one of the biggest cultural changes in IT. My personal feeling is that even CIOs underestimate the high impact of this topic and the importance of their role in the implementation of such a new data protection regulation.
Vineyard: How have you started in this topic? Was there a special motivation?
Lars: As I said, in mid-2000, I started working in a highly regulated field and I have learned that not only the business focus counts. Regulations could have a huge impact as they introduce a new demand that in all likelihood will not be your highest priority from a business perspective. Moreover, career step by career step and project by project, I realised that obligations for managing data in a regulatory-compliant manner were getting more and more important. At the latest with the financial crisis and its findings, e.g. the Libor investigations, and the discussions around the handling of personal data by Facebook or Google, regulating financial institutions and the importance of managing personal data became a public topic and were taken up by the politicians.
Figure 5: History of EU-GDPR process.
However, it took quite a while for regulatory bodies to prepare new obligations, like the Dodd-Frank Act or the GDPR (see Figure 5). It seems there was enough time to analyse and implement compliant solutions, but almost all companies started very late in that field or waited until 2016 or even later.
Vineyard: What is the point where your customers start asking for external expertise?
Lars: With new obligations like GDPR on the horizon in 2015, some companies set up programs to introduce a new company-wide and holistic data management approach. In this complex setting of regulatory obligations, knowledge gaps and IT experts are required to span the broad field of different topics (compliance, legal, IT, transition and change management) involved in solving this complex puzzle and implementing a reliable framework for standard operations.
Up to now, most companies did not locate a specific line manager for Records Management/Data Lifecycle Management. So external expertise is needed to kick off this change, sometimes at interim management level, sometimes for dedicated analysis and implementation projects. These external experts are used to fill the gap of missing internal knowledge. Moreover, it will take a while to train the people you need to set up a professional data life cycle...