The Europe Union’s General Data Protection Regulation (GDPR) is changing how we think of governing the data of individuals. It represents a significant cultural shift concerning the data we capture about individuals. With this regulation we, the companies, no longer own the data we capture about individuals or natural persons. After the regulation becomes enforceable on May 25, 2018 we become custodians of the individual’s data and the individual becomes the owner of “their” data.
For most companies, the challenge may not be to identify the business processes in a GDPR Process Registry. The big challenge may be to find and classify the individual’s data within all the enterprise systems. Let’s be clear: this regulation is about creating and managing data. Security of the data is a great concern (as always). However, the regulation is mostly concerned with governance over the lifecycle of an individual’s data.
Many executives in our businesses may not understand how the Business Glossary and data governance can support a significant percentage of the GDPR solution. Data governance processes are critical to document and govern this data. The Business Glossary is where we can capture the business processes, and classify individual data and the assets associated with our customer and employee’s personal data.
The GDPR activities that the Business Glossary will support
How can you achieve a GDPR solution effectively? Do you need to apply a different set of processes, people, and technology toward governing personal data? I suggest that you do not! You should be leveraging your existing data governance team and processes. However, we do need to focus on the specific requirements of GDPR.
To meet the GDPR requirements for the governance of personal data we can leverage a “top down”, “bottom up,” or hybrid approach for delivering the governance project. Many experts suggest that a “top down” approach is best due to the importance of the GDPR Process Registry. I’m just not sure every data governance team or every organization is ready to address the top-down approach. Documenting WHY you are maintaining personal data is a very critical requirement of GDPR. I always have said that we do not spend enough time asking why questions. Yet, I don’t think all companies can start their GDPR governance activities by asking the “why” questions.
See, you have to ask the questions such as “why are we asking individuals provide us this data? Do we have valid business usage of this data? Have we asked the individual to opt-in or provide us with this data?” And here’s my concern. Many organizations are not ready to know whom to present those questions to. For example, whom do I ask that question to? Who will be the decision maker for personal data that is created, updated, used and enhanced by many processes across the enterprise? We may not know who will answer the business registry questions until we have a clear understanding of who is responsible for the individual data or who is managing the application processing the data. Thus, I suggest that we first have to find the personal data existing in our enterprise. Let’s go through the steps.
Step 1 – Identify the personal data we have to govern
I generally suggest that the first step is to identify the personal data we have existing within the enterprise. For many, this will not be an easy step but must be done as expeditiously as possible. Along with identifying the data element, such as Customer Name, we should also capture the following:
- Logical name or Business Term of the data (such as customer.name)
- Database.Table.Column name (all physical instances where this column resides)
- Accountable party or business owner name
- Definition or the physical column (all physical instances where this column resides)
- Business rules that exist (all physical instances where this column resides)
- Data values that exist (all physical instances where this column resides)
- Catalog this data as GDPR private and sensitive (see your DPO or ISO policies)
- Identify this data in your business glossary as Data/IT Assets
Step 2 – Organize and define the GDPR Process Register
Many suggest this as a first step in a pure top-down governance process approach. I suggest that we must define the data we have before we can ask the questions around why we have that data, as well as all the other questions we need to answer to create the GDPR and Process Register. The GDPR Register is more than identifying the business processes that exist today. The GDPR Processes Register is specific to the processes that capture, maintain, share, distribute, and dispose of personal data. You can complete this step faster and more effectively once you know the specific personal data you have in your enterprise. The GDPR Register should be a component of your Business Glossary to provide the future change and issue management capabilities.
Step 3 – Classify and catalog the business/data assets
Now is the time to apply the top-down, traditional data governance steps. These include the following:
- Identify and define a business term for each of the personal data instances you have identified in Step 1 above.
- Map or relate the business term and the physical data/IT assets
- Ensure you have an accountable party or owner for each business term
- Ensure that you have the necessary governance organization, business data stewards and technical stewards identified and engaged to define and catalog the Assets.
- Ensure you have an authoritative source and all physical instances of the data defined by your business and technical stewards
- Ensure that business rules, quality rules and valid values have been agreed to by the business and technical stewards. GDPR has data quality implications.
- Develop data sharing agreements that meet the requirements of GDPR.
Step 4 – Document and map GDPR principles to your policies
This step can be done concurrently with Step 3 given resource availability. It will be critical to map the GDPR principles with your internal business processes and policies. This will provide an assessment of policy alignment as well as identify policy gaps that will be critical to fill for GDPR compliance. This will establish a baseline for your data protection impact assessments that are required by GDPR compliance activities.
Step 5 – Clearly define roles and responsibilities
To meet GDPR requirements, most of us will need to clearly identify the roles of controller and processor activities. Most of us will function in both roles, but many of us rely on 3rd party processing activities. There are GDPR specific requirements that need to be documented and followed. This is a great time to ensure you have the ownership and accountability needed to meet this requirement. Ensure that the roles and responsibilities of the Data Protection Office (DPO) and Information Security Office (ISO) are included, as well as the policies established by those organizations.
Step 6 – Put personal data into context of its usage
We should be documenting the movement of data, data lineage, and traceability as a normal data governance practice. It is not just good enough to know how and where personal data was created. We must also know how, where, why, whom, and when personal data moves through our systems even too 3rd parties or across country boundaries. This step should include the following:
- Tracking the data policies and data sharing agreements between data owners and all usages of that data to ensure business traceability.
- Mapping the physical data movement of personal data from creation to all usages including the movement across boundaries or to 3rd parties/processors.
- Linking agreements to processing activities and the data categories involved.
- Clearly documenting the full data lineage and traceability for all personal data to all usages of that data.
- Communicating the data usage policies and standards for personal data is critical.
- Provide education across the enterprise about the usage of personal data as well as what should be done when a breach of personal data is determined.
Step 7 – Establish impact analysis capability
This should be a best practice for all data governance programs, but it is a critical requirement in GDPR. I have always recommended that one of the significant values of the Business Glossary is impact assessment capabilities. The glossary should have all data assets mapped to their usages, owners, processes, accountable and usage parties, business understanding, and technical implementation. This allows for impact assessments from a policy view, a functional business view, a system/application view, and from a reporting or usage view. For GDPR, this is known as the 72-hour notification requirement. Basically your organization will be responsible to notify all individuals impacted by a security or data breach within 72 hours of the occurrence. Discuss the details of the GDPR requirements with your DPO and ISO teams. In case of a system or network breach you must quickly identify:
- What are the data subject categories and individual data impacted?
- What processing activities are impacted and where?
- What individual personal data has been impacted, where and when?
The capability of impact assessments will help to meet the operational activities and data breach processes.
Step 8 – Monitor and track compliance
Dashboards and scorecards for data governance metrics and the Business Glossary content should be a practice of all data governance programs. We can leverage these and enhance them to meet the specifics of GDPR compliance. We can produce a heat-map of the progress by business unit, by source application, by data subject category, by personal data tagged or by processor (application). We need to monitor the metrics from each step as well as the risks involved. The capabilities existing in the data governance program can be leveraged for reporting our progress as well as the data protection impact assessments required by GDPR.
GDPR is a wonderful business use case to leverage your Business Glossary and data governance practices. It will not provide you with a solution to all the requirements for GDPR compliance, but it will be a solution for a significant portion of your solution. And as always, stay calm and allow your Business Glossary to prosper.