
How Data Governance Drives GDPR Compliance


The implementation of the General Data Protection Regulation (GDPR) is intrinsically linked to a company’s data governance program. Numerous articles have linked the two initiatives, but none so clearly as Dennis Slattery’s recent article on LinkedIn. The analogy of a wedding between Governance and Privacy is very fitting, but it also highlights a key factor: a successful long-term marriage is based on strong foundations and mutual effort, or, as Henry Ford put it: “Coming together is a beginning; keeping together is progress; working together is success.” So how do we make this a successful marriage?

The GDPR regulation is very clear on what needs to be done to protect the Data Citizen’s rights, but the open question most companies are facing is how to comply with the regulation and/or go beyond the minimum and make GDPR work for them.

Most discussions around how to implement GDPR today are focused on one of two approaches: top-down or bottom-up. I would argue that the approaches are not mutually exclusive and that a successful implementation of GDPR must be based on a combination of these complementary approaches.

In a top-down approach, the GDPR team will reach out to the business to get a clear understanding of all business (data) processes that involve personal data in one way or another. For each process (think of third-party credit checks, address verification, data analytics, and more) there are a number of attributes that need to be clarified, such as:

  • Has consent been obtained for this particular process?
  • What is the business purpose of the collection?
  • Who is the Controller?
  • Who is the Processor?
  • Who is the responsible Data Protection Officer?
  • What is the data retention period?
  • What type of data is collected?
  • And more

This is not a one-time effort: once all processes related to personal data are identified and categorized, they will need to be maintained as the organization, its infrastructure and its processes evolve over time.

The bottom-up approach is more technical in nature. Companies that have already established metadata management tools can use these solutions to identify personally identifiable information (PII), categorize these data elements and assign the relevant GDPR attributes. This approach quickly hits a bottleneck, because the same data can be used for several business purposes and hence cannot be classified for GDPR on its own.

The successful GDPR implementation will combine or marry (to stick with Dennis’ analogy) the two approaches.

The first phase is for the GDPR team to analyze the data processes involving PII together with the business and subsequently catalog and maintain these processes within the data governance platform.

In a second phase, load the metadata into your data governance platform and identify the data elements relevant for GDPR. Once the data processes and the data elements are identified and governed, you can link them together and easily trace which data elements are used in which business (data) process.

Identifying and categorizing the data processes and elements involving personal data is not the end game: it’s only the beginning of your GDPR journey. The regulation requires companies to implement a risk-based approach. What does that mean in practice? You will need risk metrics for both the business processes and the data elements in order to identify where your higher risks of breach lie. For higher-risk processes a Data Protection Impact Assessment will have to be carried out. Where the risk of a breach is high, a risk-based approach requires some form of mitigation in order to lower the risk exposure. Mitigation can take several forms; two of the most effective mitigants on the technology side are pseudonymization and anonymization.
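The two phases above (cataloging processes with their GDPR attributes, linking them to governed data elements) and the risk-based step that follows can be modelled in a few dozen lines. The script below is an added example, not Collibra code and not from the original post: it holds a constructed catalog of processes and data elements, computes a simple risk metric per process, flags which ones would need a Data Protection Impact Assessment, produces the element-to-process lineage, and pseudonymizes identifier fields with a keyed hash. The element names, sensitivity weights, penalties and the DPIA threshold are all assumptions chosen for illustration.

```python
"""Added example (not the blog's or Collibra's code): a minimal governance
catalog linking business (data) processes to data elements, with a risk
metric, DPIA flagging, lineage tracing and keyed pseudonymization.
All names, weights and thresholds below are illustrative assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

DPIA_THRESHOLD = 10  # assumed cut-off for a "higher risk" process


@dataclass(frozen=True)
class DataElement:
    name: str
    category: str      # "identifier", "contact", "financial" or "special"
    sensitivity: int   # 1 (low) .. 5 (high), agreed with the business


@dataclass(frozen=True)
class DataProcess:
    name: str
    purpose: str
    controller: str
    processor: str
    dpo: str
    retention_days: int
    consent_obtained: bool
    elements: tuple    # names of the DataElements this process uses


# Constructed sample: elements found bottom-up in the metadata
ELEMENTS: Dict[str, DataElement] = {e.name: e for e in [
    DataElement("customer_id", "identifier", 3),
    DataElement("email", "contact", 3),
    DataElement("postal_address", "contact", 2),
    DataElement("credit_score", "financial", 4),
    DataElement("health_flag", "special", 5),
]}

# Constructed sample: processes captured top-down with their GDPR attributes
PROCESSES: List[DataProcess] = [
    DataProcess("third_party_credit_check", "credit decision", "Acme Bank",
                "Credit Bureau Ltd", "dpo@acme.example", 730, True,
                ("customer_id", "postal_address", "credit_score")),
    DataProcess("address_verification", "KYC", "Acme Bank", "Acme Bank",
                "dpo@acme.example", 90, True,
                ("customer_id", "postal_address")),
    DataProcess("marketing_analytics", "campaign targeting", "Acme Bank",
                "AdTech Inc", "dpo@acme.example", 365, False,
                ("customer_id", "email", "health_flag")),
]


def process_risk(proc: DataProcess, elements: Dict[str, DataElement] = ELEMENTS) -> int:
    """Risk metric: sum of the sensitivities of the elements used, plus
    penalties for missing consent and retention beyond one year."""
    score = sum(elements[n].sensitivity for n in proc.elements)
    if not proc.consent_obtained:
        score += 3
    if proc.retention_days > 365:
        score += 2
    return score


def requires_dpia(proc: DataProcess, elements: Dict[str, DataElement] = ELEMENTS) -> bool:
    """A process at or above the threshold needs a Data Protection Impact Assessment."""
    return process_risk(proc, elements) >= DPIA_THRESHOLD


def trace_elements(processes: List[DataProcess] = PROCESSES) -> Dict[str, List[str]]:
    """Lineage view: for each data element, the business processes that use it."""
    usage: Dict[str, List[str]] = {}
    for p in processes:
        for n in p.elements:
            usage.setdefault(n, []).append(p.name)
    return usage


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic keyed token (HMAC-SHA256, truncated): the same input maps
    to the same token, but the original value is not recoverable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_record(record: dict, key: bytes,
                        elements: Dict[str, DataElement] = ELEMENTS) -> dict:
    """Replace identifier-category fields with tokens; leave other fields intact."""
    out = {}
    for name, value in record.items():
        el = elements.get(name)
        out[name] = pseudonymize(str(value), key) if el and el.category == "identifier" else value
    return out


if __name__ == "__main__":
    for p in PROCESSES:
        print(f"{p.name}: risk={process_risk(p)} dpia={requires_dpia(p)}")
    print(trace_elements())
    print(pseudonymize_record({"customer_id": "C-1001", "credit_score": 712}, b"demo-key"))
```

The lineage dictionary is what lets a steward answer "which processes use this element?" when an attribute changes, and the risk function is where the business's own weights would replace the assumed ones. Keying the pseudonymization means the mapping is reversible only by whoever holds the key, which is what distinguishes it from anonymization, where no such key exists.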

All of the above (data processes, data elements, attributes, risk metrics, mitigations, and more) will have to be governed and must be auditable at any point in time by the regulators.

To achieve long-term happiness in this wedding, invest in the right solution today. Collibra delivers a best-in-class data governance solution that supports GDPR. Or as Henry Ford eloquently wrote: “working together is success.”

Olivier has over 15 years of experience implementing global Risk and Regulatory solutions within the Financial Services sector. Having experienced the rising need for data governance hands on, he now brings his knowledge and expertise to help companies achieve the highest returns on data governance initiatives.

This document is intended for general informational and educational purposes. It is not offered as, and does not constitute, legal advice or legal opinions. Use of any Collibra product or solution does not provide or ensure any legal or other compliance certification and does not ensure that the user will be in compliance with any laws, including GDPR or any other privacy laws.
  • Tejasvi Addagada

    Nice read! Organisations now are looking to apply the regulatory requirements for GDPR. Firms that have embraced metadata management services would have already captured Data Privacy classifications and Security classifications, which makes the implementation simple. We need to initially delineate a data privacy classification from an information security classification.

    If one has to take a top-down approach, it is advisable to simplify the data landscape by logically classifying data into domains and datasets or concepts, based on the privacy needs (e.g. a Customer preferences dataset including opt-ins and opt-outs).
    If one has to take a bottom-up approach, it is good to understand what is classified as private data by having a conversation with the risk and compliance division. Then the privacy classifications need to be established, communicated and operationalised.

    The approach that an organisation takes to GDPR is really important in taking it forward. Some of the best practices to privacy – http://dataassociation.net/data-privacy-management