The European Union’s General Data Protection Regulation (GDPR) is changing how we think of governing the data of individuals. It represents a significant cultural shift concerning the data we capture about individuals. With this regulation we, the companies, no longer own the data we capture about individuals or natural persons. After the regulation becomes enforceable on May 25, 2018, we become custodians of the individual’s data and the individual becomes the owner of “their” data.
For most companies, the challenge may not be to identify the business processes in a GDPR Process Registry. The big challenge may be to find and classify the individual’s data within all the enterprise systems. Let’s be clear: this regulation is about creating and managing data. Security of the data is a great concern (as always). However, the regulation is mostly concerned with governance over the lifecycle of an individual’s data.
Many executives in our businesses may not understand how the Business Glossary and data governance can support a significant percentage of the GDPR solution. Data governance processes are critical to document and govern this data. The Business Glossary is where we can capture the business processes, and classify individual data and the assets associated with our customers’ and employees’ personal data.
How can you achieve a GDPR solution effectively? Do you need to apply a different set of processes, people, and technology toward governing personal data? I suggest that you do not! You should be leveraging your existing data governance team and processes. However, we do need to focus on the specific requirements of GDPR.
To meet the GDPR requirements for the governance of personal data we can leverage a “top down”, “bottom up,” or hybrid approach for delivering the governance project. Many experts suggest that a “top down” approach is best due to the importance of the GDPR Process Registry. I’m just not sure every data governance team or every organization is ready to address the top-down approach. Documenting WHY you are maintaining personal data is a very critical requirement of GDPR. I always have said that we do not spend enough time asking why questions. Yet, I don’t think all companies can start their GDPR governance activities by asking the “why” questions.
See, you have to ask questions such as “why are we asking individuals to provide us this data? Do we have valid business usage of this data? Have we asked the individual to opt-in or provide us with this data?” And here’s my concern. Many organizations are not ready to know whom to present those questions to. For example, whom do I ask that question to? Who will be the decision maker for personal data that is created, updated, used and enhanced by many processes across the enterprise? We may not know who will answer the business registry questions until we have a clear understanding of who is responsible for the individual data or who is managing the application processing the data. Thus, I suggest that we first have to find the personal data existing in our enterprise. Let’s go through the steps.
I generally suggest that the first step is to identify the personal data we have existing within the enterprise. For many, this will not be an easy step but must be done as expeditiously as possible. Along with identifying the data element, such as Customer Name, we should also capture the following:
Many suggest this as a first step in a pure top-down governance process approach. I suggest that we must define the data we have before we can ask the questions around why we have that data, as well as all the other questions we need to answer to create the GDPR and Process Register. The GDPR Register is more than identifying the business processes that exist today. The GDPR Processes Register is specific to the processes that capture, maintain, share, distribute, and dispose of personal data. You can complete this step faster and more effectively once you know the specific personal data you have in your enterprise. The GDPR Register should be a component of your Business Glossary to provide the future change and issue management capabilities.
Now is the time to apply the top-down, traditional data governance steps. These include the following:
This step can be done concurrently with Step 3 given resource availability. It will be critical to map the GDPR principles with your internal business processes and policies. This will provide an assessment of policy alignment as well as identify policy gaps that will be critical to fill for GDPR compliance. This will establish a baseline for your data protection impact assessments that are required by GDPR compliance activities.
To meet GDPR requirements, most of us will need to clearly identify the roles of controller and processor activities. Most of us will function in both roles, but many of us rely on 3rd party processing activities. There are GDPR specific requirements that need to be documented and followed. This is a great time to ensure you have the ownership and accountability needed to meet this requirement. Ensure that the roles and responsibilities of the Data Protection Office (DPO) and Information Security Office (ISO) are included, as well as the policies established by those organizations.
We should be documenting the movement of data, data lineage, and traceability as a normal data governance practice. It is not just good enough to know how and where personal data was created. We must also know how, where, why, whom, and when personal data moves through our systems, even to 3rd parties or across country boundaries. This step should include the following:
This should be a best practice for all data governance programs, but it is a critical requirement in GDPR. I have always recommended that one of the significant values of the Business Glossary is impact assessment capabilities. The glossary should have all data assets mapped to their usages, owners, processes, accountable and usage parties, business understanding, and technical implementation. This allows for impact assessments from a policy view, a functional business view, a system/application view, and from a reporting or usage view. For GDPR, this is known as the 72-hour notification requirement. Basically your organization will be responsible to notify all individuals impacted by a security or data breach within 72 hours of the occurrence. Discuss the details of the GDPR requirements with your DPO and ISO teams. In case of a system or network breach you must quickly identify:
The capability of impact assessments will help to meet the operational activities and data breach processes.
Dashboards and scorecards for data governance metrics and the Business Glossary content should be a practice of all data governance programs. We can leverage these and enhance them to meet the specifics of GDPR compliance. We can produce a heat-map of the progress by business unit, by source application, by data subject category, by personal data tagged or by processor (application). We need to monitor the metrics from each step as well as the risks involved. The capabilities existing in the data governance program can be leveraged for reporting our progress as well as the data protection impact assessments required by GDPR.
GDPR is a wonderful business use case to leverage your Business Glossary and data governance practices. It will not provide you with a solution to all the requirements for GDPR compliance, but it will cover a significant portion of them. And as always, stay calm and allow your Business Glossary to prosper.