I recently blogged about some of the actions you can take to address compliance requirements for the General Data Protection Regulation (effective in May 2018). In Part 2 of this series, I'll dig a bit deeper into personal data considerations you should keep in mind as you take steps to comply with GDPR.
The topic of GDPR came up when I was visiting with a friend of mine recently. We jotted down some thoughts about the logical series of events we felt should take place at organizations seeking to comply with this regulation. Here's what we suggest.
Assess all data stores
For a global corporation, it could take quite a while to complete the task of assessing all the data stores that may contain personal data. You may want to create a template for gathering information, or questions to ask those in charge of the data stores. When you're ready to make an action plan to address personal data considerations, you can start with the following:
- Look for interfaces in and out of the data store – document the data elements, and note where they come from or where this data is being delivered.
- If you find more data stores, note the information and move on with the current data store. Otherwise, you'll be running down rat holes for a long time.
- Gather any program names or ETL information as you review these interfaces.
- Consider all staging and temporary files used for streaming, etc.
Profile the data, examine data models, gather more information
Next, you'll want to look at all the personal data in detail to make sure you're ready to manage it properly and provide necessary reporting. You can follow the approach outlined below.
- Profile the data to make sure the column headings are really the data contained in that column in the database or file.
- Consider looking at any existing data models that may have been created about the data store.
- For example, a current data model may have definitions, and that could help direct you faster during the data profiling and gathering task.
- If (like some of my clients) you have fantastic enterprise data models, use this as a reference when looking for personal data.
- Consider placing all this information in a data store that can be queried, or look for a tool that will hold this metadata.
- Gather access information on every assessed data store.
- Gather reporting information on any data store assessed by the team. Obtain report samples if at all possible.
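The profiling step above is worth showing concretely, because the headers in a data store rarely tell the whole story: an email address can sit in a column called "contact", and a date of birth can turn up in free-text notes. The script below is an added illustration, not SAS code or a tool from the original post. It runs a few content patterns over a constructed extract (the `SAMPLE_ROWS` values, the pattern list and the header hints are all assumptions made for the example) and reports columns whose content looks like personal data when the column name does not say so.

```python
import re
from collections import Counter

# Constructed sample rows standing in for an extract from one data store (not real data).
SAMPLE_ROWS = [
    {"cust_id": "1001", "contact": "anna@example.com", "ref": "+44 20 7946 0958", "notes": "renewal due"},
    {"cust_id": "1002", "contact": "bo@example.org", "ref": "+44 161 496 0123", "notes": "VIP"},
    {"cust_id": "1003", "contact": "n/a", "ref": "+33 1 23 45 67 89", "notes": "1985-04-12"},
    {"cust_id": "1004", "contact": "cy@example.net", "ref": "", "notes": "called back"},
]

# Content patterns for a few common personal-data categories (illustrative, not exhaustive).
# Order matters: an ISO date is also a run of digits and dashes, so test it before "phone".
PATTERNS = [
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)),
    ("date", re.compile(r"^\d{4}-\d{2}-\d{2}$")),
    ("phone", re.compile(r"^\+?[\d\s().-]{7,}$")),
]

# Substrings a column name would contain if it were honestly labelled for that category.
HEADER_HINTS = {
    "email": ("email", "mail"),
    "date": ("dob", "birth", "date"),
    "phone": ("phone", "tel", "mobile"),
}

# Cell values that carry no data at all and should not count toward any category.
EMPTY_TOKENS = {"", "n/a", "null", "none"}


def classify_value(value):
    """Return the personal-data category a single cell looks like, 'other', or None if empty."""
    value = value.strip()
    if value.lower() in EMPTY_TOKENS:
        return None
    for label, pattern in PATTERNS:
        if pattern.match(value):
            return label
    return "other"


def profile_column(values):
    """Share of non-empty cells falling into each category, e.g. {'email': 1.0}."""
    counts = Counter(c for c in map(classify_value, values) if c is not None)
    total = sum(counts.values())
    return {label: n / total for label, n in counts.items()} if total else {}


def profile_rows(rows):
    """Profile every column of a list-of-dicts extract, keyed by column name."""
    return {col: profile_column([r[col] for r in rows]) for col in rows[0]}


def header_mismatches(report, min_share=0.1):
    """Columns holding a personal-data category that their header does not announce."""
    flagged = []
    for col, shares in report.items():
        for label, share in shares.items():
            if label in HEADER_HINTS and share >= min_share:
                if not any(hint in col.lower() for hint in HEADER_HINTS[label]):
                    flagged.append((col, label, round(share, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for col, label, share in header_mismatches(profile_rows(SAMPLE_ROWS)):
        print(f"{col}: {share:.0%} of values look like {label}, but the header does not say so")
```

On the sample extract this flags `contact` (all email addresses), `ref` (all phone numbers) and `notes` (a quarter of the cells are dates). The low `min_share` is deliberate: for inventory purposes a column that holds personal data in only some rows still has to be recorded, so the threshold should catch stragglers rather than only columns that are uniformly personal data.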
Personal data considerations: Next steps
The above steps are a good starting point. But there's more to think about when it comes to personal data protection and the GDPR.
- Make sure all the metadata about personal data is reportable. There may be a requirement to show this information (via audit).
- From all the information gathered, create or enhance any existing data management or governance program to address GDPR requirements.
- Enhance or create a methodology specifically for the GDPR requirements to include access and reporting of the access.
- Create or enhance ongoing maintenance and reporting/auditing of this information.
- Continue to document any new reports for GDPR. Include where these reports are in the inventory, and consider who has access to the reports and the data.
- Enhance or create a long-term incident management policy that includes procedures for issues. Include how to resolve issues, and know which members of management must be informed.
- Create corporate training for GDPR and the processes involved in maintaining, storing and documenting this information.
- Consider using tools to help with the journey or to maintain policy after the assessment is complete. While a tool may not do 100% of the work, it may help with 60% to 70% of your requirements.
- Use existing ways (tools) to profile data to help you assess all of the data stores.
- Consider employing a good project manager who understands the requirements of the EU GDPR. The team should be well versed in all things "data," and should be prepared to work very hard!
The number of personal data considerations may seem overwhelming, especially at large, global organizations. But GDPR compliance is manageable – make a good plan, then follow through.