The General Data Protection Regulation (GDPR) hasn’t been a stranger to news headlines lately, and rightfully so. It’s reshaping the way businesses manage their data, and though it is currently an EU law, it affects any business that deals with data coming from its European-based customers. So, as you can imagine, it’s a pretty big deal for many of today’s organizations, and with the May 25 deadline in clear view, it’s officially crunch time.
Whether you’re in the middle of your GDPR efforts, or just getting started, we’ve put together a comprehensive 60-day GDPR plan to keep you on track for the final countdown*.
Step 1: Define reference data for DPIA and record of processing activity
This step identifies and defines the reference data and the valid lists of values for critical GDPR elements (data categories, data subjects, legal basis, etc.) that every later step in the compliance process will use.
a.) Catalog and classify data categories - Create a glossary of your data categories and elements. Classify the items in this glossary according to their high-level GDPR category (e.g. special, sensitive, personal) with the help of your legal and compliance team.
b.) Identify data subject categories - Designate the categories of individuals whose data is processed within your organization. Examples: employee, customer, student, consultant.
c.) Legal and compliance approvals - Define, and gain approval from your legal and compliance teams for, the valid values for legal basis, ranges of information volume, processing category, risk level, criticality level, and type of consent.
There are additional tasks you can complete either prior to or following the three items above. These include the collection of legal entities, agreements with third parties, and software platforms, databases, and applications which process personal data within the organization.
Step 2: Prepare record of processing activities
The second portion of this process is the most time-consuming for most organizations; however, it’s crucial to follow these steps to build a foundation for the rest of your GDPR project and to mitigate issues closer to the deadline.
a.) Document your enterprise business processes - Create a comprehensive list of all your business processes that have any kind of relationship with personal data and collect the information required for prioritization. This list will serve as the base for the project.
b.) Document your purpose of processing - Identify and document the purpose of each processing activity.
c.) Assess risk elements - Identify the risk elements and the level of risk (check the guidelines and policies on when a DPIA is required) to determine whether a data protection impact assessment (DPIA) is required. This will also be useful in determining prioritization.
d.) Capture DPIA requirements - Document the process steps that outline how to conduct impact assessments for programs, processes, and systems.
e.) Demonstrate how to complete the DPIA - Arrange workshops and trainings to demonstrate the DPIA process to the individuals who will be responsible for completing one.
f.) Demonstrate how to complete the processing activity template - Schedule workshops to demonstrate how to use and populate the personal record inventory.
g.) Conduct DPIAs for high-risk business processes - Initiate DPIAs for the high-risk processes, prioritized based on their determined classification, criticality, and business value.
h.) Send processing activity templates to business process owners - Share the templates to be completed by the business owners and stewards as part of the DPIA.
i.) Capture high-level data flows for processing activities - Determine which data is processed and consumed by each processing activity.
Step 3: Assess external risk
This step focuses on assessing risk with your third parties. Collect their data and business processes so they can be cataloged and documented clearly.
a.) Determine whether external information systems and end-user tools are cataloged.
b.) Catalog the third parties with and without agreements - Identify and catalog the third parties that were not in the initial inventory and notify the respective parties to collect the required attributes.
c.) Assign a legal basis to each business process - The legal basis will differ depending on whether you are processing special categories of data or sensitive personal data.
d.) Identify the operational impact of each legal basis - Each lawful basis has a different operational impact because it determines which data subject rights can be fulfilled and which cannot.
e.) Conduct a software security assessment - Identify and document asset vulnerabilities, threats (both internal and external), and similar factors. These factors are used to assess risk. The risk responses should then be captured and documented.
f.) Third-party risk assessment - Send a risk assessment questionnaire to the relevant third parties and collect the results.
Step 4: Document
The final step in this checklist is all about documentation. Having your policies, subjects’ rights, and remediation plans in place is a key element of GDPR compliance and establishing trust in your data, and it makes communicating this information a more seamless process, as well.
a.) Document the remediation plan for identified risks - Document the remediation plan for each identified risk and third party, as well as for out-of-country data transfers. Risk management processes should be established, managed, and shared with stakeholders.
b.) Identify the data subject rights that apply to your business - Examine the lawful bases for processing on which you rely and list the data subject rights that align with them.
c.) Document policies and standards - Document the processes for data subject rights, code of conduct, consent management, processing notices, procurement privacy, information security, data quality, data masking, data encryption, and retention policies.
d.) Refine the data breach management framework - Adjust the framework to accommodate the timeline for reporting breaches (to regulators, credit agencies, law enforcement, etc.; notification is expected without undue delay and, where feasible, within 72 hours), for tracking them, and for notifying affected individuals, and establish a breach management process together with the channels through which breaches are reported. This is a very important step in building a breach response infrastructure that facilitates compliance, allows quick assessment of privacy breaches, and designates the individuals responsible for coordinating reporting and notification.
GDPR is a sizable undertaking for organizations of all sizes and industries. Establishing and following a clearly defined, comprehensive plan will help you meet the compliance standards by the deadline and achieve trustworthy, scalable results.
*This document is intended for general informational and educational purposes. The above plan applies only to Articles 5, 6, 30, 32, 33, 34, 35, and 36. The actual sequence of activities and the number of days can vary based on organizational readiness, resource availability, and GDPR expertise. It is not offered as, and does not constitute, legal advice or legal opinions. Use of any Collibra product or solution does not provide or ensure any legal or other compliance certification and does not ensure that the user will be in compliance with any laws, including GDPR or any other privacy laws.
Ram is responsible for fast-tracking Collibra engagements and centralizing data governance thought leadership to influence product features.
© 2020 Collibra. All Rights Reserved.