The European Union’s (EU) General Data Protection Regulation (GDPR) is changing how we think of governing the data of individuals. This regulation is a significant cultural shift concerning the data we capture about individuals. With this regulation we, the companies, no longer own the data we capture about individuals or natural persons. After the regulation is implemented on May 25, 2018 we become custodians of the individual’s data, and the individual becomes the owner of their data.
This is a paradigm shift for those of us that have spent 20 years capturing, buying, and integrating customer data for targeted marketing and advertising purposes. We spent a ton of money and effort to improve customer data and customer touch-points without the acknowledgement or consent of the customer. Our objectives certainly have been to improve the interaction and services provided to our customers, as well as capture more of their disposable income.
Well, that ship has sailed for those of us doing business with an individual’s data that resides in the EU.
The great news for natural persons, both customers and employees, is that they will have more control over the exposure of their individual data. For most companies, the challenge may not be identifying the business processes in a GDPR Process Registry; the challenge may be to find and classify the individual’s data within all the enterprise systems. Let’s be clear: this regulation is about creating and managing data. Security of the data is a great concern as always; however, the regulation is mostly concerned with governance of the life-cycle of an individual’s data.
Among many new GDPR requirements, companies will need to show that they have a business need for an individual’s data, and that the individual has given approval for the company to maintain that data. The regulation identifies rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Of course, before you can secure your data or even before you can justify having it, you have to know what data you have, where it is, and how you use it.
Many executives in our businesses may not understand how the Business Glossary and Data Governance can provide a significant percentage of the GDPR solution. Again, GDPR is about data and the protection of that data. Data Governance processes are critical to document and govern this data. The Business Glossary is where we can capture the business processes, and classify individual data and the assets associated with our customer and employee’s personal data.
The GDPR Activities that the Business Glossary will Support
How can you achieve a GDPR solution effectively? Do you need to apply a different set of processes, people, and technology toward governing personal data? I suggest that you do not! You should be leveraging your existing Data Governance team and processes. However, we do need to focus on the specific requirements of GDPR.
To meet the GDPR requirements for the governance of personal data we can leverage a “top down,” “bottom up,” or hybrid approach for delivering the governance project. Many experts suggest that a “top down” approach is best due to the importance of the GDPR Process Registry. Documenting WHY you are maintaining personal data is a very critical requirement of GDPR. I always have said that we do not spend enough time asking why we are doing data governance activities. Yet, I don’t think all companies can start their GDPR governance activities by asking the “why” questions.
You have to ask questions such as “why are we asking individuals to provide us this data? What is the business purpose and usage of this data? Do we have a valid business usage of this data? Have we asked the individual to opt in or provide us with this data?” I don’t know whom to present those questions to until I have a clear understanding of who is responsible for the individual data or who is managing the application processing the data. Thus, I suggest that we first have to find the personal data existing in our enterprise.
Step 1 – Identify the personal data we have to govern
I believe the first step is to identify the personal data that exists within the enterprise. For many, this will not be an easy step, but it must be done as expeditiously as possible. Along with identifying the data element, such as Customer Name or individual name, we should also capture the following:
- Logical name or Business Term of the data (such as customer.name)
- Database.Table.Column name (all physical instances where this column resides)
- Accountable party or business owner name
- Definition of the physical column (all physical instances where this column resides)
- Business rules that exist (all physical instances where this column resides)
- Data values that exist (all physical instances where this column resides)
- Catalog this data as GDPR private and sensitive (see your DPO or ISO policies)
- Identify this data in your business glossary as Data/IT Assets
Step 2 – Organize and define the GDPR Process Register
Many suggest this as a first step in a pure top-down governance process. I suggest that we have to define the data we have before we can ask the questions around why we have that data, as well as all the other questions to be answered to create the GDPR Process Register. The GDPR Process Register is more than identifying the business processes we have. It is specific to the processes that capture, maintain, share, distribute, and dispose of personal data. You can complete this step faster and more effectively once you know the specific personal data you have in your enterprise. The GDPR Process Register should be a component of your Business Glossary to provide the future change and issue management capabilities.
Step 3 – Classify the Data Assets
Now is the time to apply the top-down traditional Data Governance steps. These include the following.
- Identify and define a Business Term for each of the personal data instances you have identified in Step 1 above.
- Map or relate the Business Term and the physical Data/IT Assets.
- Ensure you have an Accountable party or Owner for each Business Term.
- Ensure that you have the necessary Governance organization, Business Data Stewards and Technical Stewards identified and engaged to define and catalog the Assets.
- Ensure you have an Authoritative Source and all physical instances of the data defined by your Business and Technical Stewards.
- Ensure that business rules, quality rules and valid values have been agreed to by the Business and Technical Stewards. GDPR has Data Quality implications.
- Develop Data Sharing Agreements that meet the requirements of GDPR.
Step 4 – Document and Map GDPR Principles to your policies
This step can be done concurrently with Step 3 given resource availability. It will be critical to map the GDPR Principles with your internal business processes and policies. This will provide an assessment of policy alignment as well as identify policy gaps that will be critical to fill for GDPR compliance. This will establish a baseline for your Data Protection Impact Assessments that are required by GDPR compliance activities.
Step 5 – Clearly define Roles and Responsibilities
To meet GDPR requirements most of us will need to clearly identify the roles of Controller and Processor activities. Most of us will function in both roles, but many of us rely on 3rd party processing activities. There are GDPR-specific requirements that need to be documented and followed. This is a great time to ensure you have the ownership and accountability needed. Ensure that the roles and responsibilities of the Data Protection Office (DPO) and Information Security Office (ISO) are included, as well as the policies established by those organizations.
Step 6 – Put Personal Data into the context of its usage
We should be documenting the movement of data, data lineage, and traceability as a normal data governance practice. It is not enough to know how and where personal data was created. We must also know how, where, why, by whom, and when personal data moves through our systems – even to 3rd parties or across country boundaries. This step should include the following:
- Tracking the policies and data sharing agreements between data owners and all usages of that data to ensure business traceability.
- Mapping the physical data movement of personal data from creation to all usages including the movement across boundaries or to 3rd parties/processors.
- Linking agreements to processing activities and the data categories involved.
- Clearly documenting the full data lineage and traceability for all personal data to all usages of that data.
Step 7 – Establish Impact Analysis Capability
This should be a best practice for all Data Governance programs, but it is a critical requirement in GDPR. I have always recommended that one of the significant values of the Business Glossary is its impact assessment capability. The Glossary should have all data assets mapped to their usages, owners, processes, accountable and usage parties, business understanding and technical implementation. This allows for impact assessments from a policy view, a functional business view, a systems/application view, and from a reporting or usage view. For GDPR, this is known as the 72-hour notification requirement. Basically, your organization will be responsible for notifying all individuals impacted by a security or data breach within 72 hours of the occurrence. Discuss the details of the GDPR requirements with your DPO and ISO teams. In case of a system or network breach you must quickly identify:
- What are the data subject categories and individual data impacted?
- What processing activities are impacted and where?
- What individual personal data has been impacted, where, and when?
An impact assessment capability will help to meet the operational activities and data breach processes.
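To make the relationship between the inventory of Step 1, the lineage of Step 6 and the impact analysis of Step 7 concrete, here is a small glossary model as an added example. It is not the article’s own tooling or any vendor’s product; the systems (`crm`, `warehouse`, `hr`, `mailvendor`), column names, owners and activities are constructed. Each Business Term carries the Step 1 attributes (logical name, physical Database.Table.Column instances, owner, definition, rules, classification), each processing activity records its purpose and processor as in the Process Register, and `impact_of_breach` walks from a compromised system to the data subject categories, terms, locations, activities and owners that would need attention.

```python
"""Toy business-glossary model: personal-data inventory (Step 1), process
register (Step 2), lineage to processors (Step 6) and breach impact analysis
(Step 7). Added illustration only; every system, column and person below is
a constructed example."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PhysicalInstance:
    system: str     # application or database hosting the column
    location: str   # Database.Table.Column (or a vendor-side copy)
    country: str    # where this copy resides, for cross-border tracking


@dataclass
class BusinessTerm:
    name: str                    # logical name, e.g. customer.name
    definition: str
    data_subject_category: str   # customer, employee, ...
    classification: str          # "GDPR personal" or "GDPR sensitive"
    owner: Optional[str] = None  # accountable party; None is a governance gap
    business_rules: list = field(default_factory=list)
    instances: list = field(default_factory=list)


@dataclass
class ProcessingActivity:
    name: str
    purpose: str                 # the "why" recorded in the process register
    processor: str               # system or 3rd party that runs the activity
    terms: list                  # business terms the activity uses
    lawful_basis: Optional[str] = None       # consent, contract, ...; None = gap
    sharing_agreement: Optional[str] = None  # needed when processor is a 3rd party
    third_party: bool = False


class Glossary:
    def __init__(self):
        self.terms = {}
        self.activities = []

    def add_term(self, term):
        self.terms[term.name] = term

    def add_activity(self, activity):
        # Every term an activity uses must already be catalogued (Step 3 mapping).
        unknown = [t for t in activity.terms if t not in self.terms]
        if unknown:
            raise KeyError(f"activity {activity.name!r} uses uncatalogued terms {unknown}")
        self.activities.append(activity)

    def governance_gaps(self):
        """Checks from Steps 2-3: missing owners, instances, purposes, agreements."""
        gaps = []
        for t in self.terms.values():
            if t.owner is None:
                gaps.append(f"term {t.name}: no accountable owner")
            if not t.instances:
                gaps.append(f"term {t.name}: no physical instance mapped")
        for a in self.activities:
            if a.lawful_basis is None:
                gaps.append(f"activity {a.name}: no lawful basis recorded")
            if a.third_party and a.sharing_agreement is None:
                gaps.append(f"activity {a.name}: 3rd-party processor without sharing agreement")
        return gaps

    def impact_of_breach(self, system):
        """Step 7: what is touched when `system` is compromised."""
        affected = {t.name: [i.location for i in t.instances if i.system == system]
                    for t in self.terms.values()
                    if any(i.system == system for i in t.instances)}
        countries = sorted({i.country for t in self.terms.values()
                            for i in t.instances if i.system == system})
        # Conservative: activities run on the breached system, plus any activity
        # consuming an affected term (its subjects' data is exposed regardless of copy).
        activities = sorted({a.name for a in self.activities
                             if a.processor == system or any(t in affected for t in a.terms)})
        return {
            "data_subject_categories": sorted({self.terms[n].data_subject_category for n in affected}),
            "terms": affected,
            "countries": countries,
            "processing_activities": activities,
            "owners_to_notify": sorted({self.terms[n].owner for n in affected if self.terms[n].owner}),
        }


def build_sample_glossary():
    """Constructed sample: a CRM, a warehouse, an HR system and an email vendor."""
    g = Glossary()
    g.add_term(BusinessTerm("customer.name", "Full legal name of a customer", "customer",
                            "GDPR personal", owner="Head of Sales",
                            business_rules=["must not be empty"],
                            instances=[PhysicalInstance("crm", "CRMDB.CUSTOMER.FULL_NAME", "DE"),
                                       PhysicalInstance("warehouse", "DWH.DIM_CUSTOMER.NAME", "IE")]))
    g.add_term(BusinessTerm("customer.email", "Primary contact email of a customer", "customer",
                            "GDPR personal", owner="Head of Sales",
                            instances=[PhysicalInstance("crm", "CRMDB.CUSTOMER.EMAIL", "DE"),
                                       PhysicalInstance("mailvendor", "vendor export list", "US")]))
    g.add_term(BusinessTerm("employee.health_note", "Occupational-health remarks", "employee",
                            "GDPR sensitive",  # no owner recorded: a governance gap
                            instances=[PhysicalInstance("hr", "HRDB.STAFF.HEALTH_NOTE", "DE")]))
    g.add_activity(ProcessingActivity("order fulfilment", "deliver purchased goods", "crm",
                                      ["customer.name", "customer.email"], lawful_basis="contract"))
    g.add_activity(ProcessingActivity("newsletter", "marketing email", "mailvendor",
                                      ["customer.email"], lawful_basis="consent", third_party=True))
    g.add_activity(ProcessingActivity("sales reporting", "aggregate revenue by region",
                                      "warehouse", ["customer.name"]))  # no lawful basis
    return g


if __name__ == "__main__":
    glossary = build_sample_glossary()
    for gap in glossary.governance_gaps():
        print("GAP:", gap)
    print("breach of crm:", glossary.impact_of_breach("crm"))
```

Running it lists three gaps (an unowned sensitive term, a 3rd-party processor without a sharing agreement, an activity with no lawful basis) and, for a breach of `crm`, reports the customer category, both CRM columns, the country the copies reside in, the three activities that consume those terms and the owner to notify. A breach at `mailvendor` shows why Step 6 matters: the only exposed copy is the vendor-side export in another country, which would be invisible without the lineage record.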
Step 8 – Monitor and Track compliance
Dashboards and scorecards for Data Governance metrics and the Business Glossary content should be a practice of all data governance programs. We can leverage these and enhance them to meet the specifics of GDPR compliance. We can produce a heat-map of the progress by business unit, by source application, by data subject category, by personal data tagged, or by processor (application). We need to monitor the metrics from each step as well as the risks involved. The capabilities existing in the Data Governance program can be leveraged for reporting our progress as well as the Data Protection Impact Assessments required by GDPR.
GDPR is a wonderful business use case to leverage your Business Glossary and Data Governance practices. It will not provide you with a solution to all the requirements for GDPR compliance, but it will be a significant portion of your solution. And, as always, stay calm and allow your Business Glossary to prosper!