A 12 step guide to using data governance for GDPR compliance


As we’ve been discussing on this blog for some time, the “wild west” days of data are numbered. The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. And that means all companies inside or outside the EU wanting to offer their products and services to clients located in Europe will need to clearly understand and answer questions like:

  • What kind of data do we collect/hold on our customers/employees?
  • Who owns this data internally?
  • What data do we share with third parties?
  • Where do we get it from?
  • What controls do we have in place?
  • What is the impact of a breach?

Both data controllers (legal entities such as a company) and data processors (e.g. a SaaS provider) are impacted. And it is not as much about protecting data as it is about protecting the rights of the data subjects – those whose data your organization is capturing.

The UK’s Information Commissioner’s Office (ICO) has provided a document with 12 steps on how to prepare for GDPR. While the ICO is the UK Data Privacy regulator, its advice is perfectly applicable to any company or institution that needs to achieve GDPR compliance and would like some guidance on where to start and what key areas to cover. Let’s look at each of the steps suggested by the ICO below, and explore why you need a data governance platform to effectively implement them.

Step 1: Awareness

What the ICO says: You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

How Collibra can help

Any data governance program requires adjusting the existing business culture, and implementing GDPR is no exception. While raising awareness is part of internal communications and marketing, no amount of buzz will help if the business is not happy to adopt the new practices, and does so half-heartedly. A data governance platform like Collibra is business focused and facilitates easy adoption and collaboration. We bring the relevant information to the user, through our Collibra On-the-Go mobile app and Data Governance Everywhere Windows and Office integrations.

Step 2: Information you hold

What the ICO says: You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

How Collibra can help

To address this step, you really need a data governance platform. And this is where Collibra shines. It provides a centralized inventory of personal data items across the business and technical data landscape, allowing users to find assets using full text or regular expression search.

Our user-friendly interface allows navigation of hierarchies starting with any item (including drill-down and roll-up). You can understand your data better by contextualising information and automatically linking your glossary terms to each other. For example, the words used in an asset’s definition may refer to other assets governed on the platform.

If your organization uses a single platform for governance, that sits on top of all your data silos, this ensures the latest version of centralized inventory is displayed to everyone. This, together with an audit trail of all changes made, helps build trust in your metadata and drive adoption.

Our flexible out-of-the-box Operating Model allows capturing and classifying metadata information, Business Terms into Business Glossaries, Data Elements into Data Dictionaries and then into Data Sets, the Roles and Responsibilities around all of these, defining and tracking Data Sharing Agreements, Data Activities and Data Usages plus the Principles and Policies governing it all.

Step 3: Communicating privacy information

What the ICO says: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

How Collibra can help

A data governance platform can assist you as you put these plans in place. When mapping out your data processes in Collibra, you can include the capturing of Privacy Notices, when they are sent, to what categories of customers, and any relevant consent applicable. You can track separate privacy notices for separate groups of data subjects, and understand what formulation is required for which data subject category or private data category. Collaboration workflows can be used to involved all the relevant parts of the business in order to understand and capture all the relevant steps taking place as part of these data processes.

A data governance platform deals with all your metadata. And the GDPR regulation, your privacy notices etc. are, in effect, simply that. Collibra has partners that have already built GDPR accelerators on top of our platform, to help companies speed up their GDPR implementation (for example, making the full GDPR regulation articles available as business objects to be linked to and contextualised from).

Steps 4 & 5: Individuals’ rights & subject access requests

What the ICO says: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

How Collibra can help:

Do you understand where data about individuals is stored across your various systems in the organization, and who touches it at each point from capturing to using it in a report? Our lineage diagrams can show you exactly that. The platform allows for searchable end-to-end traceability of personal data across the lifecycle, including process and technology architecture.

A properly implemented data governance solution can help you understand exactly what data you store about individuals and across which systems, making “right to be forgotten” and “subject access” requests a lot more manageable. This information can be easily exported to Excel, CSV, PDF or any of the commonly used data formats.

Step 6: Legal basis for processing personal data

What the ICO says: You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

How Collibra can help:

Does this item sound a bit like data governance? That’s because it is! And a data governance platform like Collibra gives you the capability to track enforcement and compliance across the organization, to document and link business rules to policies and data quality rules, to hold evidence of local compliance and provide an audit trail.

Steps 7 & 8: Consent & Children

What the ICO says: You should review how you are seeking, obtaining and recording consent and whether you need to make any changes

You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

How Collibra can help:

These steps specifically address the importance of technology in GDPR compliance. Using our configurable Asset Model, you can define a taxonomy of Personal Data Categories, as well as a Consent Attribute, which can then be filtered/reported on as required. The consent type (Explicit, Implicit, Guardian consent, etc.) can be linked to each data category, and data categories will then be assigned to your data processing activities.

Step 9: Data breaches

What the ICO says: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

How Collibra can help:

While the detection of a breach is an operational activity, once the issue has been detected and flagged, the issues and exceptions management process within Collibra provides an integrated alert mechanism to notify users of actions required (e.g. data disposal, workflow approval, data issue resolution, etc.). Using our lineage diagrams, relevant impact analysis can be performed to understand which data sets and data processes are affected by the breach of a particular system/interface. Mitigation steps can also be tracked directly in Collibra, such as requesting anonymisation, pseudonimization, encryption of data sets and searching filtering by the respective flags to understand readiness and/or impact.

Step 10: Data Protection by Design and Data Protection Impact Assessments

What the ICO says: You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organization.

How Collibra can help:

As my colleague Shamma was explaining in a previous blog post, the Collibra platform enables all metadata to be linked and traced back to the systems, users, and related policies. Any new systems on-boarded will need to go through a GDPR compliance check and thereafter, companies should be ready to do a DPIA on their systems where the assessment should identify:

  • Information compliance with privacy-related legal and regulatory compliance requirements
  • Risks of collecting, processing, and sharing personal information
  • Protections and processes for handling information to alleviate any potential privacy risks.
  • Noted and regulated options for users to opt in or out of consent

Step 11: Data Protection Officers

What the ICO says: You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.

How Collibra can help:

When you appoint a Data Protection Officer, he or she will need to keep track of their Data Register in a centralised fashion, with accountability and audit trails at the heart of the platform.

The Data Governance Center allows you to implement and track accountability using Roles and Responsibilities, Workflows and Views. You can capture Business Stewards, Data Owners, SMEs, and stakeholders. And you can rename out-of-the-box roles or configure new ones according to your needs. The DPO can configure their own dashboard, where they will can view a list of change requests/workflow tasks by user or user group (e.g. data governance council), as well as ability to track and configure data governance processes (for example data issue management, information access approval, proposal of new business terms, etc).

The Data Governance Center also supports a notification mechanism for people that change roles or leave the organization, so that the necessary processes can be initiated. The same notification mechanism can be employed to notify business asset stakeholders of any change or impact.

Step 12: International

What the ICO says: If your organization operates internationally, you should determine which data protection supervisory authority you come under. […] In case of uncertainty over which supervisory authority is the lead for your organization, it would be helpful for you to map out where your organization makes its most significant decisions about data processing.

How Collibra can help:

Using the metadata assets tabular view functionality, you can expose the owners and location for each data process, aggregate and filter based on common attributes or relationships, thereby supporting your decision with regards to where the organization makes the most significant decisions on data processing.

So this concludes our review of the ICO’s 12 steps to prepare for GDPR compliance. My aim when writing this blog was to bring the GDPR to life. To make what may seem like an abstract, distant requirement a bit more concrete. Most companies impacted by GDPR are, by now, aware of the deadline and the urgency involved. If you think you will need a company-wide collaborative effort to succeed in implementing the regulation, you are correct. If you are in the process of kicking off a GDPR compliance/data governance program, now is the right time. Remember the key requirements: you must be able to find, understand and trust your data.

And if you already have a data governance initiative with the right tools in place, and you understand the GDPR is applied data governance, then congratulations, you are ahead of the game!

More stories like this one

Nov 23, 2021 - 5 min read

Sub-Zero shares 6 lessons learned from their data transformation journey

Read more
An intricate piece of architecture conveying the concept of a data governance framework
Jan 1, 2021 - 6 min read

Creating a data governance framework

Read more
Sep 21, 2016 - 3 min read

Federated architecture: Navigating complexity with Collibra Data Intelligence...

Read more