Historically, spreadsheet management and governance has tended to be thought of as something distinct and different from conventional IT-based concerns about governance. In a sense, this is not surprising: spreadsheets are deployed by end users while the sort of data and processes to which data governance applies have traditionally been, at least in part, within the domain of the IT department.
GDPR changes this paradigm. The regulation makes no distinction between private data that is stored in Oracle, SQL Server or Db2, or data that is stored in a spreadsheet or, for that matter, an Access database. Organisations must address the requirements of GDPR regardless of where private data resides. Complying with GDPR means having a single project – albeit with many moving parts – that spans both end-user software such as spreadsheets and more IT-based platforms and systems. I think this is pretty much a first.
What are the implications of this? Well, one of the implications of GDPR itself is that private data must be treated as a business asset. Of course, many companies have already bought into the idea of the data-driven enterprise but, in that context, some data is more important than other data. If it’s useful for analytics, then it’s potentially important but if not: not. But GDPR extends this to all private data and, for the benefit of American readers, I should say that the definition of “private” in this context is much broader than PII (personally identifiable information) data.
So, it’s any private data that is important. But that is not all. To comply with GDPR you need to discover private data, anonymise it where necessary, and ensure that you have consent to use that data before doing so for any specified purpose. However, this is not a one-time fix: it is an ongoing process. In practice, this means that the underlying tasks of discovery, masking and so forth will need to be operationalized. In effect, the data is treated as a business asset.
How does this impact on spreadsheets? Well, they must be a part of this same process. If you have spreadsheets with private data in them, then every time that data is altered, or you add a new person to your spreadsheet, then those changes must be propagated to whatever governance mechanisms are in place to provide compliance monitoring. Or vice versa: the changed data may be sent to the spreadsheet. This will typically mean that these spreadsheets will need to be linked to either the CRM (customer relationship management) or MDM (master data management) systems that will be required to provide the single view of the customer (or employee) that GDPR compliance almost certainly needs. Further, you will no doubt implement corporate policies about how and where private data can be stored and used. Spreadsheets will need to be monitored for compliance with these policies in the same way that more IT-oriented data is monitored.
In other words, spreadsheets will come in from the cold. IT will have a much more significant role in providing oversight with respect to the use of spreadsheets. And that may start with private data, but I don’t think it will end there. My guess is that IT will want to ensure that governance best practices are applied to all aspects of spreadsheet use. Given the absence of spreadsheet-specific features in current data governance suites, that’s going to be good news for vendors specializing in spreadsheet governance and management.