Data governance is not an old concept; at SAS we have been pitching data governance benefits for years. However, it is often seen as something that is nice to have, even though it is a recognized method for mitigating risk, increasing operational efficiency, and enabling innovation. This is the first blog post in a series of four where our experts Vincent Rejany and Bogdan Teleuca will go through the steps of how to build an efficient data governance program.
As of this writing, GDPR is live. Something that couldn’t be missed. This is not only having an impact across the European Union, but it is also having a global impact on all organisations that deal with the information of EU citizens.
The objective of the regulation is to give citizens more control over their data and to create a uniform set of rules to enforce across the continent. The main priority for organisations will be to show accountability by regaining control of their data processes, especially the processes and reasons for collecting, processing, updating, archiving, and deleting personal data records. To achieve such a task, being able to size the effort and discover the type and location of personal data is essential. Such a perspective is a key element for addressing data protection impact assessment when one process represents a high risk to the rights and freedoms of individuals.
GDPR breathes data governance and calls for discipline, integrity, and trust. “In the middle of difficulty lies opportunities” said Albert Einstein, so GDPR should be embraced as an opportunity to create value for your business, to gain a competitive edge, to innovate, to reinvent the way you manage your customer relationship, and to start doing more with personal data. Knowing the information that you hold, its quality, the reason that you hold it, and the length of time you can retain it is key in terms of operational efficiency. Organisations that support this idea of transparency will gain one competitive advantage by differentiating themselves in the market.
With my colleague Bogdan Teleuca and the SAS Data Management community, we have been working on the data governance components of the regulation and how our software can support our customers in their compliance journey.
Through a series of articles Bogdan and I will present how to build an efficient data governance program combining legal driven top-down activities through personal data compliance and IT driven bottom-up operations through personal data mapping including personal data categories definition and discovery. But let’s start with the most important.
What is personal Data?
Personal data is any information that enables one person to be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, but also to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Different pieces of information, which collected together can lead to the identification of a person, also constitute personal data. These are examples of personal data:
- name and surname
- home address
- email address such as firstname.lastname@example.org
- identification card number such as VISA, American Express, or a loyalty card
- location data
- network identifiers such as IP addresses, even if they are dynamic
- cookie ID
- advertising identifier of your phone
Personal data that has been rendered anonymous in such a way that the individual is not or is no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.For data to be truly anonymised, the anonymisation must be irreversible. #GDPR #compliance Click To Tweet
The regulation also defines the concept of special categories of data, for which specific safeguards and requirements are specified, such as a higher level of consent. These special categories relate to personal data that are “particularly sensitive in relation to fundamental rights and freedoms” and, therefore, “merit specific protection.” These categories include data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Now that this definition is clear, stay tuned for the next article, where we will explain why data governance is so important for complying with GDPR.
For more support on discovering data governance benefits, download this free ebook: GDPR Compliance in a Data Driven World