GDPR: Privacy risk, sensitivity, data classification

Learn how SAS can help with personal data protection.

The time has finally arrived: May 25 has passed and the EU’s General Data Protection Regulation (GDPR) has gone into effect. By now, you've likely slogged through a tsunami of emails alerting you about the changes to corporate privacy policies. Many companies have been applying what appear to be cosmetic changes to their privacy policies – yet there are deeper implications about the underlying data management impacts.

Curiously, I have a feeling that some organizations may not even realize the scope of those impacts. This past weekend, I was talking with a lawyer friend who had mentioned that his firm had modified its privacy policy to comply with GDPR. Since one of the key aspects of GDPR entails providing greater control to individuals about how a company manages their personal data (in which all individuals have the right to review, correct and even request removal of their personal data), I asked him whether his firm had instituted any of the controls and remedies necessary for complying with those aspects of the regulation. Not only did he not know; he seemed to not even be aware of those aspects of the directive.

It's a process: Enforcing data protection rights under GDPR

Adjusting the privacy policy to ensure compliance with alerting individuals about their data protection rights is a prelude to the more complex actions needed to enforce that aspect of the regulation. Supporting the ability to find all of an individual’s personal data, provide that data to the individual, allow him/her to make changes/updates, direct restrictions about the use of their data, and even have all personal data removed is much more complex – this requires a combination of data governance and a range of techniques for assessing and classifying data according to different levels of sensitivity based on identified risk.

It's a process than must scan all corporate data assets, identify whether there is personal data within the data asset, and maintain an index linking an individual’s virtual identity to all the data assets containing that individual’s personal data. In essence, those data assets must be analyzed to determine how the data asset is used, who has access to the data asset, what types of data values are stored and what types of personal data are included. However, determining that a data asset contains personal data sets the stage for additional evaluation of data sensitivity:

  • How many records (or objects) in the data asset contain personal data?
  • What is the level of sensitivity (i.e., is it name and address information, is it protected health information, or is it personal financial information)?

Finally, in addition to documenting which data assets contain which individual’s personal data, there must also be an inventory of how that personal data is being used. GDPR requires that your company disclose how personal data is used. But under certain circumstances, it allows the company to reserve the right to use or share personal data (for example, if required by law, or to protect the safety of others). These uses are acceptable, even if the individual has requested a restriction on processing and sharing.

GDPR: Much more than a privacy policy change

GDPR goes far beyond updating the data privacy policy, It involves data risk evaluation, assessment of data sensitivity, classification by levels of sensitivity, and assignment of classifications to enable operational compliance with GDPR-inspired user requests.

More concretely, there are technical demands for GDPR compliance: data profiling, taxonomies for data sensitivity, data asset cataloging, data use policy management, identity resolution, inverted entity indexes, as well as master data management. These are all needed to: uniquely identify any individual for whom personal data is managed; find all the data assets in the enterprise (and potentially shared with data processors) that contain that individual’s personal data; and then document and apply the individual’s directives regarding personal data use.

In other words, GDPR compliance only starts with changes to the privacy policy. Operationalizing those changes is complicated. If your organization hasn't already taken the steps to institute these fundamental technical changes to your data management environment, there's no time like the present.

Get an e-book with the results of our 2018 GDPR survey (and tips from the experts)

About Author

David Loshin

President, Knowledge Integrity, Inc.

David Loshin, president of Knowledge Integrity, Inc., is a recognized thought leader and expert consultant in the areas of data quality, master data management and business intelligence. David is a prolific author regarding data management best practices, via the expert channel at and numerous books, white papers, and web seminars on a variety of data management best practices. His book, Business Intelligence: The Savvy Manager’s Guide (June 2003) has been hailed as a resource allowing readers to “gain an understanding of business intelligence, business management disciplines, data warehousing and how all of the pieces work together.” His book, Master Data Management, has been endorsed by data management industry leaders, and his valuable MDM insights can be reviewed at . David is also the author of The Practitioner’s Guide to Data Quality Improvement. He can be reached at

Related Posts

Leave A Reply

Back to Top