CODE OF CONDUCT Maintaining the integrity of an organisation’s data assets is the basis for achieving compliance with regulators The General Data Protection Regulation (GDPR), which came into effect in May, changes how Europeans address privacy for all individuals within the EU, and any companies – even non-EU organisations – doing business with the region. Maria Dalle Ave, Head of Enterprise Data Management at the JSE, explains that the aim of the legislation is to safeguard against any privacy and data breaches in a changing global environment, where business has become reliant on technology and data is a strategic asset. ‘Complying with the GDPR will also assist in how to comply with other regulations, such as South Africa’s Protection of Personal Information Act [POPIA], when it comes into effect.’ A further consideration related to data management and one that the JSE embraces, is BCBS 239 – the Basel Committee on Banking Supervision, which is related to the standard regarding principles for effective risk data aggregation and risk reporting. ‘In an increasingly competitive landscape, the management, quality and availability of data is becoming increasingly important for the ability of companies to make timely and accurate business decisions,’ says Dalle Ave. ‘Establishing and maintaining the integrity of an organisation’s data assets at an appropriate level is the basis for achieving compliance with current and future data regulations, and for effective business intelligence and analytics initiatives. ‘When looking at these laws, one needs to look at the practical implementations for compliance, such as understanding the law and how it impacts your business, getting executive buy-in, and the implementation of quick wins to ensure compliance as well as training and awareness. ‘This is where legal departments play a role. They help identify the impact the new laws will have on business operations and the risks for non-compliance. In the case of the GDPR, for instance, the sanctions for non-compliance can be hefty, depending on the infringement, such as fines of 20 000 000, or, in the case of an undertaking, up to 4% of the worldwide annual turnover – whichever is higher,’ says Dalle Ave. The emphasis is on businesses taking accountability to adopt appropriate and reason-able measures to ensure compliance. Enterprise data and data protection laws affect many areas of the business, obviously legal and compliance, but also how technology manages data and impacts people. As such it is imperative these aspects work together, especially when embarking on privacy initiatives, and to ensure that data remains a strategic asset for an organisation. Dalle Ave says there are various concepts and practices of data management available, such as the Data Management Association’s ‘body of knowledge’, which defines an industry view of data management functions. ‘You need to decide what is fit for purpose and ensure it is aligned to your organisation’s strategy. As important, is that staff must be trained to acquire an understanding of their responsibilities in relation to privacy, which may include policy and procedure changes.’ Individuals and teams have access to the relevant data they have permission or are authorised to use, based on their operational functions. Without necessary data governance in place, business value cannot be assured. Good-quality data that can be trusted can help improve client experience, enable commercial gain and, ultimately, assist in making better business decisions. ‘Embarking on a data-privacy initiative can be a complex and long process. You need to look at quick wins so that you can be regulator ready, and by doing so you can manage your business operations more effectively and continue to con-duct business globally,’ says Dalle Ave. ‘Data governance is a good business practice irrespective of whether it is legislated or not.’ By Kerry Dimmer Images: Gallo/Getty images