The Role of Data Governance and Accountability in GDPR Compliance
On Wednesday, 15th March the ICO made a clear and unequivocal statement on its approach to, and the timing of, GDPR enforcement. In short, there will be no grace period for GDPR compliance, even though some companies may have come to expect one based on experience with other industry regulations in the past.
The good news is that we now have a clear understanding of what the UK regulator will focus on with regards to GDPR:
“The ICO’s main focuses will be on transparency, control and accountability.”
On the accountability front, Steve Wood, Head of International Strategy & Intelligence at the Information Commissioner’s Office, said during his keynote at the IAPP’s Data Protection Intensive in London that organizations will thrive when accountability is embedded organization-wide and a range of people take responsibility for different parts of the process.
How can an organization demonstrate accountability?
For those of you who’ve been following our blog for a while, the answer is simple: data governance. Under GDPR, accountability is not a soft aspiration: Article 5(2) makes the controller responsible for compliance with the data protection principles and requires it to be able to demonstrate that compliance, which in practice means being able to show who owns which data and who makes which decisions about it.
There are, however, several challenges that companies must take into account:
- Governance is currently usually done in a very centralised fashion
- Stewardship and ownership are very hierarchical and linear
- The understanding of roles and responsibilities on the “ground” can be very different from the understanding at the “top”
- Gaps in the understanding of roles and responsibilities cause interdepartmental (as well as interpersonal) friction and frustration
- Organizational management structures and ownership are changing, and there are multiple dimensions to consider, such as legal entities, business region/area and business process
- Most modern enterprises are moving towards a federated/decentralised/matrix approach that is flexible enough to cover the multiple facets of business processes
From a governance perspective, the solution is stewardship management (whether it is called this or by any other name).
Our suggested best practice steps to drive data governance and accountability in the organization:
Define the Organizational Structure
- Understand what the organizational structure currently looks like, what the roles are, and what they actually mean. In many companies the roles and their definitions are documented in PDFs or on SharePoint, in large, wordy documents. It is often unclear who has access to these documents, and how many people actually read them and understand who is responsible for what.
- Implement a governance tool that helps business users understand what they are really supposed to do and what their role is, and that gives a clear, unified view across the business of exactly what each role means
- Use the governance platform to govern your organization as well as your data. As a business user, it lets you find out what your role actually means, what you are supposed to do, and how that fits into the bigger picture
Define the Roles and Responsibilities
- Break down the list of responsibilities by role
- Identify any gaps or overlaps
Define the RACI Matrix
- Understand who is accountable for each activity, who is responsible for carrying it out, who is consulted, and who needs to be kept informed
- Map each role into one of the four RACI categories (Responsible, Accountable, Consulted, Informed) for each activity identified. Only one role should be Accountable for a given activity; the people who do the work (Responsible) are often not the same as those whose input is sought (Consulted), and conflating the two is a common source of the gaps and overlaps identified above
Define the Business Dimensions
- Identify key drivers of your matrix organization
- Define data categories, subject areas, data domains, different business terminologies used
- Outline the hierarchy of lines of business and hierarchy of business processes
- Determine whether this will be managed by the enterprise architecture team or by a centralised team that is going to classify and build these hierarchies
- Make sure you have a responsibility acceptance process in place
- Potentially add “Region” information to the above, to further break down responsibility assignment by region as well
- As an example, in the Collibra out-of-the-box operating model roles are automatically inherited by the related business terms/data elements, based on the driving business dimensions
- E.g. the “customer credit card number” business term is categorised under a specific data category and business process. That means we automatically know that the person responsible for that business term is the person who has been assigned the matching role for that data category/business process combination in the matrix. The flip side of inheritance is that a mis-categorised term silently inherits the wrong owner, so the classification of terms needs to be reviewed as carefully as the role assignments themselves
- Assign users to roles, for example: <User> has <Functional Role> in <Line of Business> for <Data Category> during <Business Process>
- Part of data governance is to ensure that responsibilities are not only assigned, but accepted.
- A data governance platform like Collibra can ensure that when new responsibilities or roles are assigned to a user, a workflow is triggered automatically in which the user reviews the assignment and can comment on it, reject it, suggest a more appropriate person or role in the organization, or delegate some of the responsibilities involved to someone else. Every step is audited and tracked, which provides a clear picture in the reports and a single understanding across the business of who owns which activity.
- Get notified when a role is empty, and bulk reassign tasks of users who left the organization or moved into a new role
- In Collibra, when a user is removed because they left the company or the team/group, the Business Dimension Manager is notified of the newly created gap for that role and has to fill it via an assignment activity, which in turn triggers the acceptance process mentioned above
Monitor user assignment by organization structure, and expose and track trends by role and business dimension (using scorecards)
- Automatically generate organizational structure diagrams that go from the organizational entities, down to business dimensions, roles, and responsibilities assignment per role
- Generate scorecard views to monitor, for each business dimension, the number of relevant roles, how many of those roles have been assigned and successfully accepted, whether or not the stakeholders have been defined, etc.
Leaving the best for last, I would like to quote Steve Wood again, during his keynote at the IAPP’s Data Protection Intensive in London:
“If we come knocking on the door, if we investigate or conduct an audit in an organization, the best way you can demonstrate to us that we won’t need to delve deeper and you’ve got covered all the compliance issues is to have a comprehensive accountability program.” — Steve Wood, Information Commissioner’s Office.
Just remember, an accountability program stems from a governance program. Governing your data starts with clearly defined stewardship. Once people understand, and have a clear and easy way to check, what is expected of them and where they fit in the bigger picture, accountability follows.