Much has been discussed about the General Data Protection Regulation (GDPR) since its adoption in April 2016. Because the regulation is far reaching and not restricted to any particular sector, it affects any organization that processes personal data (the regulation's own term, which is broader than "Personally Identifiable Information"), regardless of the sector in which the organization operates. The regulation will clearly impact financial services, but also sectors such as healthcare, telecom, retail, education, and many more. The common theme in most blogs and articles on the subject is the core idea that data and data processes must be identified and categorized. I have previously written on the best approach to dynamically build this view of all data impacted by GDPR. Today, I would like to discuss another key aspect of the regulation: the GDPR Risk Based Approach.
The ultimate purpose of the regulation is to protect individuals' rights and hence their personally identifiable information (PII). Protecting individuals' data is not only about understanding what data the organization holds and for what purpose, but also about understanding and evaluating the risks individuals are exposed to through potential data breaches. Article 24 of the regulation lays the foundation of the risk based approach and the inherent responsibilities of the controller:
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
Risk is thus defined as a combination of the likelihood of occurrence and the severity of the impact on the individual's rights and freedoms associated with a data processing activity. It is worth noting that the purpose of a Risk Based Approach is not to eliminate all risk, but rather to evaluate the potential risks and use mitigation techniques to control and minimize potential impacts. This risk evaluation and mitigation process is an inherent part of data protection by design (Article 25), often referred to as privacy by design.
What constitutes a risk under the GDPR? On this topic, the regulation provides guidance through examples in Recital 75. At a high level, the regulation describes risk as physical, material or non-material damage that could result from a particular data process. This can include discrimination, identity theft, fraud, reputational damage, loss of confidentiality of data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.
The GDPR distinguishes only two levels of risk: risk and high risk. Inherent in this approach is the view that every data processing activity carries at least some level of risk, i.e. there is no such thing as a risk-free data activity.
For data processing activities that are likely to result in a high risk, the controller is required to conduct a full Data Protection Impact Assessment (DPIA). Article 35 of the regulation outlines the minimum requirements for a DPIA:
Once the risk levels have been identified, the controller must use mitigation techniques to control these risks. In the case of high risk data processing activities, the DPIA must include the measures envisaged to address those risks. Where the residual risk remains high because the risk cannot be adequately mitigated, the controller is required to consult the supervisory authority (Article 36, prior consultation) before starting the relevant processing. Data activities that do not represent a high risk are exempt from the DPIA requirement but must still be monitored, controlled, and mitigated where possible.
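The decision procedure described above (score each activity by likelihood and severity, classify it as risk or high risk, require a DPIA for high risk, re-score after mitigation, and flag prior consultation where the residual risk stays high) can be captured in a small risk register. The following is an added example written for this post; it is not Collibra's code, and the 1 to 5 scales, the high-risk threshold of 12, the mitigation effects and the three sample activities are assumptions chosen for illustration, not values fixed by the regulation.

```python
"""Added example (not Collibra's code): a minimal GDPR-style risk register.

Each processing activity is scored as likelihood x severity, classified as
"risk" or "high risk", checked for a DPIA requirement, re-scored after its
mitigations, and flagged for prior consultation (Art. 36) if it is still
high risk afterwards. Scales, threshold and sample data are assumptions.
"""
from dataclasses import dataclass, field

HIGH_RISK_THRESHOLD = 12  # assumption: a score of 12+ on the 1..25 grid is "high risk"


@dataclass
class Mitigation:
    name: str
    likelihood_reduction: int = 0  # points taken off the likelihood scale
    severity_reduction: int = 0    # points taken off the severity scale


@dataclass
class ProcessingActivity:
    name: str
    likelihood: int  # 1 (remote) .. 5 (almost certain)
    severity: int    # 1 (negligible) .. 5 (severe: identity theft, discrimination, ...)
    mitigations: list = field(default_factory=list)


def _check_scale(value, label):
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be between 1 and 5, got {value}")


def inherent_score(activity):
    """Risk before any mitigation: likelihood x severity."""
    _check_scale(activity.likelihood, "likelihood")
    _check_scale(activity.severity, "severity")
    return activity.likelihood * activity.severity


def residual_score(activity):
    """Risk after applying each mitigation; neither factor can drop below 1,
    mirroring the point that no processing activity is risk-free."""
    likelihood, severity = activity.likelihood, activity.severity
    for m in activity.mitigations:
        likelihood = max(1, likelihood - m.likelihood_reduction)
        severity = max(1, severity - m.severity_reduction)
    return likelihood * severity


def risk_level(score):
    """GDPR knows only two levels; nothing scores as 'no risk'."""
    return "high risk" if score >= HIGH_RISK_THRESHOLD else "risk"


def assess(activity):
    inherent = inherent_score(activity)
    residual = residual_score(activity)
    level = risk_level(inherent)
    residual_level = risk_level(residual)
    return {
        "activity": activity.name,
        "inherent_score": inherent,
        "inherent_level": level,
        "dpia_required": level == "high risk",
        "residual_score": residual,
        "residual_level": residual_level,
        # Still high risk after the planned mitigations: consult the
        # supervisory authority before processing starts (Art. 36).
        "prior_consultation": level == "high risk" and residual_level == "high risk",
    }


def needing_consultation(activities):
    """Names of activities that must go to the supervisory authority first."""
    return [a.name for a in activities if assess(a)["prior_consultation"]]


# Constructed sample register (hypothetical activities and scores).
SAMPLE_ACTIVITIES = [
    ProcessingActivity("Payroll processing", likelihood=2, severity=3),
    ProcessingActivity(
        "Automated credit scoring of customers", likelihood=4, severity=5,
        mitigations=[Mitigation("pseudonymisation of input records", 1, 2)],
    ),
    ProcessingActivity("Sharing health records with an unvetted third party",
                       likelihood=4, severity=5),
]

if __name__ == "__main__":
    for a in SAMPLE_ACTIVITIES:
        print(assess(a))
    print("prior consultation needed:", needing_consultation(SAMPLE_ACTIVITIES))
```

Running the register on the constructed sample shows the three outcomes the text distinguishes: payroll scores 6 and is plain "risk" with no DPIA; credit scoring scores 20 (DPIA required) but its pseudonymisation brings the residual score to 9, so it may proceed without consultation; the health-record sharing stays at 20 after mitigation and is flagged for prior consultation.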
Compliance with the GDPR Risk Based Approach requires controllers to closely monitor the risk levels of their data processing activities. A GDPR solution should enable controllers to track at least the following KPIs against each data processing activity:
An accurate assessment of the risks associated with your personal data also depends on having processes in place that ensure transparency and control of data quality. When applying GDPR within a data governance platform such as Collibra, you can link your data quality scores directly to your data processing activities.
Here is an example of a typical privacy scorecard dashboard in Collibra:
In my next blog, I will focus on the different mitigation techniques and their effectiveness in reducing the risk to the rights and freedoms of the individuals.
Olivier has over 15 years of experience implementing global Risk and Regulatory solutions within the Financial Services sector. Having experienced the rising need for data governance hands on, he now brings his knowledge and expertise to help companies achieve the highest returns on data governance initiatives.
© 2020 Collibra. All Rights Reserved.