The implementation of the General Data Protection Regulation (GDPR) is intrinsically linked to a company’s data governance program. Numerous articles have linked to the two initiatives, but none so clearly as Dennis Slattery’s recent article on LinkedIn. The analogy of a wedding between Governance and Privacy is very fitting but also highlights a key factor: a successful long-term marriage is based on strong foundations and mutual effort, or as Henry Ford put it: “Coming together is a beginning; keeping together is progress; working together is success.” So how do we make this a successful marriage?
The GDPR regulation is very clear on what needs to be done to protect the Data Citizen’s rights, but the open question most companies are facing is how to comply with the regulation and/or go beyond the minimum and make GDPR work for them.
Most discussions around how to implement GDPR today are focused on one of two approaches: top down or bottom up. I would argue that the approaches are not mutually exclusive and that a successful implementation of GDPR must be based on a combination of these complementary approaches.
In a top down approach, the GDPR team will reach out to the business to get a clear understanding of all business (data) processes that involve personal data in one way or another. For each process (think of third party credit checks, address verification, data analytics, and more) there are a number of attributes that need be clarified such as:
- Has consent been obtained for this particular process?
- What is the business purpose of the collection?
- Who is the Controller?
- Who is the Processor?
- Who is the responsible Data Protection Officer?
- What is the data retention period?
- What type of data is collected?
- And more.
This is not a one-time effort: once all process related to personal data are identified and categorized, they will need to be maintained as the organization, its infrastructure, and processes evolve over time.
The bottom up approach is more technical in nature. Companies that have already established metadata management tools can use these solutions to identify personally identifiable information (PII) and attempt to categorize these data elements and assign the relevant attributes for GDPR. This approach quickly hits a bottleneck as the same data can be used for several business purposes and hence cannot be easily classified for GDPR.
The successful GDPR implementation will combine or marry (to stick with Dennis’ analogy) the two approaches.
The first phase is for the GDPR team to analyze the data processes involving PII together with the business and subsequently catalog and maintain these processes within the data governance platform.
In a second phase, load the metadata into your data governance platform and identify the data elements relevant for GDPR. Once the data processes and the data element are identified and governed, you can link them together and easily trace which data elements are used in which business (data) process.
Identifying and categorizing the data processes and elements involving personal data is not the end game: it’s only the beginning of your GDPR journey. The regulation requires companies to implement a risk-based approach to the process. What does that mean in practice? You will need risk metrics for both the business processes and the data elements in order to identify where your higher risk of breaches are. For higher risk processes, a Data Protection Impact Assessment must be carried out. Where the risk of a breach is high, a risk-based approach requires some form of mitigation in order to lower the risk exposure. Mitigation can come in several ways, two of the most effective mitigation techniques on the technology side are pseudonymization and anonymization.
All of the above (data processes, data elements, attributes, risk metrics, mitigations, and more) will have to be governed and must be auditable at any point in time by regulators.
To achieve long-term happiness in this wedding, invest in the right solution today. Collibra delivers a best-in-class data governance solution that supports GDPR. Or as Henry Ford eloquently wrote: “working together is success.”