As you can imagine, GDPR is a hot topic with nearly every customer and prospect I talk to these days. And with the compliance deadline less than a year away, it is no surprise that GDPR is being prioritized. In these discussions, there are a number of recurring questions on how to approach the regulation and set up a GDPR program. In this blog, I will discuss the most prominent questions and provide some practical guidelines on how to approach each concern.
1. I often read about the top-down and bottom-up approach to GDPR. Which one should I follow?
When defining your GDPR architecture, it is key to start with the basics and determine how you intend to implement the regulation within your organization. As you might have read in one of my previous blogs, there are two main approaches to building your data governance foundation for GDPR: the top-down and the bottom-up approach. They are not mutually exclusive, and in an ideal scenario both are applied together.

All too often, I see organizations focus on the bottom-up approach, which is very technical in nature. It implies collecting all the existing metadata available and using discovery tools to further 'find' data elements that can be classified as personal data and hence are in scope of the regulation. By nature of the regulation, the discovery must also cover unstructured data (think e-mails and PDF documents) along with the more standard structured data, which makes the task of discovering and cataloging everything enormous.

I suggest starting with the top-down approach, which is more business oriented and requires the business owners to define the data processes used within their business units. Creating this data process registry is a big task, but this approach will ensure that you define business ownership, which is key to your ongoing success in complying with the GDPR regulation. Once you have established your business view of the data activities and fully contextualized it within the regulation, you can then extend it by establishing the link between your data activity register and the actual data elements residing in your technical architecture.

Don't be fooled: linking your technical metadata to the GDPR is a huge task and is only part of the solution. A sensible approach in the short term can be to use a registry of authoritative sources, i.e. rather than going down to the physical level of data, you can use your logical data models. You can then link your data activities to the elements in your model and ensure that this is fully contextualized according to the regulation's requirements.
2. How do I build my data process registry using the top-down approach?
There are different ways to start building your data activity registry as per the requirements specified in Article 30 (records of processing activities). I often see organizations start the process in Excel and then quickly realize this is more than a list. It requires governance and processes, and this is where data governance first comes into the picture. Using the Collibra data governance platform and its out-of-the-box GDPR use case, you can kick-start your implementation. The accelerator provides the underlying structure in the form of the asset metamodel, workflows, and dashboards that support the governance of your registry. The Collibra data governance platform is designed for business users and has a strong focus on collaboration. These are key elements in your GDPR program to ensure your business units do not work in silos.
3. Who are the stakeholders in a GDPR program? Can I leave this to IT?
GDPR is a wide-reaching regulation for any organization it impacts and will require stakeholders from many different areas:
- Legal will be involved with a focus on the initial interpretation of the regulation
- The business is involved as they are responsible for the data activity registries
- IT will be involved to implement the data governance platform and the integrations to the operational systems
- Security is involved in protecting the architecture and the personal data it holds (Article 32 requires appropriate technical and organizational measures for the security of processing).
The key message here is that you cannot implement GDPR in silos: all the stakeholders must be involved, take ownership and work in collaboration. This holds for the initial program, but also for the ongoing business-as-usual (BAU) operation.
4. How will I prove to the local data protection regulator that I comply with the GDPR regulation?
As the different regulators have pointed out, in order to be compliant with the GDPR regulation organizations will need the ability to demonstrate their compliance (the accountability principle). Think of this in terms of a self-audit:
- Can you show that you have a fully updated Data Activity Registry?
- Can you show that you have established ownership?
- Do you have an overview of your metadata and can you show the link between data activities and the data elements used?
- Can you show your breach management process, including how you would meet the notification requirement to the supervisory authority (within 72 hours of becoming aware of a breach, where notification is required)?
- Can you show you have change management in place to support your GDPR program?
How do you prove to the regulator that you have processes in place for each of these areas? Here is how Collibra can support you by visually representing many aspects of the regulation:
High level data activity process flow in Collibra:
Detailed data activity flow in Collibra:
Impact analysis in Collibra:
5. How can I ensure I remain compliant after May 2018?
It is critical to establish a thorough change management process around your GDPR landscape. Establishing compliance for May 2018 is the first step in an ongoing journey; it is far from the end of it. Privacy by design (data protection by design and by default, Article 25) is a critical part of the ongoing process and requires that any change in your landscape has an early checkpoint with your GDPR program to ensure you remain compliant with your local regulator. Where needed, this change management should also include the Data Protection Impact Assessments (DPIAs), which are required for processing activities that are likely to result in a high risk to individuals.
6. How can I benefit from implementing GDPR beyond simply ensuring compliance?
I recently did an interview for Disruptive Tech TV and was asked by the interviewer whether organizations see benefits in implementing GDPR. This is a very relevant question, as organizations who see the benefit of GDPR, aside from avoiding fines and reputational risk, will surely have a higher commitment to the success of the program.
There is no doubt in the market today that avoiding the fines associated with the GDPR regulation is initially the main driver forcing organizations to comply. However, if you can look beyond the regulation as a burden, there are tremendous benefits your organization will achieve by implementing its principles. GDPR is forcing organizations to take a critical look at their data governance and to 'clean house'. Tremendous amounts of data are being collected today, and data is becoming a true asset in its own right; the companies that thrive in the new digital world will be those that have succeeded in establishing control of this new asset. By implementing principles such as privacy by design and data minimization, companies ensure that they only collect relevant data and know beforehand the purpose of that collection. This alone means a large amount of data storage and processing can be eliminated, leading to significant cost reduction.
Above all, as an organization you are now the custodian of the individual's data. You do not own it, and therefore you are fully accountable for that data, its accuracy and its security, towards the true owner: the individual.
Olivier has over 15 years of experience implementing global Risk and Regulatory solutions within the Financial Services sector. Having experienced the rising need for data governance hands on, he now brings his knowledge and expertise to help companies achieve the highest returns on data governance initiatives.