What has your company done in terms of forming governance and an implementation approach for the European Data Act? Who owns it, and what is the role of general IT vs a compliance function like Privacy?

Chief Information and Technology Officer, 2 months ago
Our Office of the CISO owns it and sets the policy and standards, which are signed off by the Board; the Compliance function is owned by Finance (i.e. Internal Audit), and General IT operationalizes it.
Senior Data and Analytics Leader in Government, 2 months ago
Ideally, what I've seen work best is when companies form a cross-functional task force for data compliance. You get your tech people from IT, your legal teams, your privacy folks, and maybe throw in some folks from business operations for good measure. This task force needs a strong leader, someone who can speak both tech and legal, and isn't afraid to make decisions.

The ownership question is tricky. In some companies, they've created a new role - call it "Chief Data Compliance Officer" or something equally fancy. This person becomes the ultimate owner.

As for the role of general IT versus Privacy, it's not an either/or situation. It's more like a Venn diagram where these functions overlap. IT needs to be heavily involved because, let's face it, they're the ones who'll be implementing a lot of the technical solutions.
One approach I've seen work well is to have Privacy/Compliance set the requirements and policies, and then have IT propose technical solutions. Then they collaborate to refine these solutions until they meet both the legal requirements and the technical feasibility.
Throughout all this, communication is key. Regular updates to the board, clear communication channels between departments, and ongoing training for staff are all crucial. One last thing - don't forget about the cultural aspect. Compliance isn't just about ticking boxes; it's about creating a culture of data responsibility. This might mean changes in how people work, new processes, maybe even a shift in company values. It's not just a tech problem or a legal problem - it's a people problem too.
Head of Transformation in Government, 2 months ago
In my opinion the EU Data Act (and the sum total of the EU's digital, interoperability and data strategies) is putting into legislation what organisations in the digital era should already be doing, and which builds on good data and IT governance.

We have been working to make our data governance more effective and also supporting operational units to comply with, but also contribute to, fair access and use of data. We have been implementing interoperability principles and applying FAIR data principles (findable, accessible, interoperable, reusable) as operating procedures and for project analysis and design.

We have also expanded our data governance to ensure a 360-degree view of both operational and corporate data and metadata. And whenever possible, we adopt the standards toward which our ecosystem has consolidated. We have also continued to step up on security, analysing and tagging data for sensitivity, usage and the like. A robust zero-trust data architecture is part of this.

The hardest part, but the most valuable, and the one which defines our 2023-2026 project portfolio, is establishing clear rules for access, balancing transparency and protection of ownership rights. Automating this requires a fairly sophisticated toolkit to ensure it is error-free and rule-enforcing.

It's a very broad topic that touches on policies and procedures, internal and external (ecosystem/consortium/industry) governance, technology modernisation, and organisational skill-building in analytics and interoperability, as well as ecosystem thinking and platform thinking instead of supply chain thinking, which, imho, is obsolete but which I believe is implicit in the Data Act.
VP of Data, 2 months ago
We take a very simple, clear and strong division of responsibilities. We have four entities involved: Legal, Compliance, Product, and Engineering.

Legal owns understanding and providing guidance and a point of view on any legal statutes or ordinances enacted in any political administrative districts globally.

Compliance sits under Legal but operates independently from Legal, and they own publishing all corporate instructions and policies, in full collaboration with both Product and Engineering; this is not done unilaterally. Essentially, they document what Product and Technology aim to do and ensure those plans and actions cover the legal and compliance needs. They also own auditing of products and technology according to those policies and instructions.

The Product team owns understanding all legal requirements and their application to our products and technology. They make any business decisions to either comply 100% with Legal's guidance or to negotiate the guidance and/or assume any risk resulting from any deviation from that guidance, while collaborating with the Legal team. Architecture, as a co-product owner, works closely with both Product and Legal to understand all points of view completely, providing any technical leadership as necessary in those discussions.

It is up to Architecture and Engineering to obtain all requirements, both functional and technical, from all stakeholders and implement whatever is required and determined by the Product team.

As mentioned previously, communication and documentation are essential to proper implementation and compliance with both internal policies and external ordinances and statutes.
