In my previous blog article, we introduced the link between data governance and GDPR compliance; it is time to put more meat on the bone.
In the context of GDPR, one of the main challenges for data controllers and data processors is to demonstrate compliance by documenting all their data processing activities and, where appropriate, assessing the risk of these processes for the individuals. Such requirements cannot be met without an efficient data governance program that combines legal-driven top-down activities (personal data compliance) with IT-driven bottom-up operations (personal data mapping, including the definition and discovery of personal data categories).
How can you comply with GDPR? By applying Good Data PRactices! The question is not how to comply, but how to be compliant and remain compliant. The aim of data protection regulations such as GDPR is to change behaviors and mindsets. From that perspective, the accountability principle (in Article 5 of the GDPR) makes the data controller responsible for demonstrating compliance with these GDPR principles:
- Lawfulness, fairness, and transparency must exist in processes that manage personal data.
- Limitation of purpose. Personal data must be collected for specified, explicit, and legitimate purposes.
- Data minimisation. There should be no reason to use more data than necessary for the defined purpose.
- Accuracy. Data quality must be ensured and personal data be kept up-to-date.
- Storage limitation. Personal data must be processed for no longer than is necessary.
- Integrity and confidentiality. Appropriate security measures must be taken.
So how do you prove and show accountability? Under GDPR, accountability can be proven by nominating a data protection officer, drafting your privacy notice, and responding to requests (such as access requests) from individuals. However, the main action that you must take is to document internally all your processing activities, and to make this documentation available to supervisory authorities upon request. This “record of processing activities” is required by GDPR Article 30, and will facilitate compliance with the other principles.
Data controllers must also carry out data protection impact assessments (DPIAs) when data processes could represent a high risk to individuals’ rights and freedoms, particularly when new technologies are involved. The DPIA is required by Article 35 of the GDPR, and contains information about how a new or modified application might affect the privacy of personal information processed by or stored within the application.
Remember that any large organisation has hundreds of systems, data assets, and processing activities, and thousands of personal data types to review daily, weekly, or monthly. Describing these items is a significant effort, but maintaining an up-to-date view of them is even more time-consuming and is prone to errors.
For data professionals (such as data owners, data stewards, and data controllers), the typical manual or semi-automatic steps no longer stand a chance when facing GDPR requirements.
SAS approach for Personal Data Governance
The challenges that companies face in complying with GDPR are both external (toward supervisory authorities) and internal. When supervisory authorities perform a review of a company’s data protection status, they will require a company-wide overview of all data sources and processes. And data sources aren’t just systems or databases – they include network drives, files on PCs, and everywhere else personal data can be stored!
To address this challenge, there is one fair and straightforward method: “Say what you do and do what you say,” which matches the classic data governance top-down and bottom-up analysis. Personal data governance embeds both personal data compliance and mapping efforts.
Personal data compliance aims at addressing the legal requirements, mentioned previously, to document data sources, to record processing activities, and to list the potential risks of these activities. Understanding data processes outside of IT is critical to capturing risks and potential control gaps. Such activities require advanced capabilities in the areas of structured methodologies shared across the organisation, versioning, workflow for process management of approvals and reviews, and notifications. Because organisations can have thousands of data sources and hundreds of processes, relying on spreadsheets is not an option.
Personal data mapping is an approach proposed to facilitate the governance efforts and to significantly reduce the amount of time and effort needed to have the latest view of personal data. Knowing where personal data is located is essential, both to make your documentation as exhaustive as possible and to show the supervisory authority that you have established the processes needed to handle personal data. Moreover, recording the locations where personal data is stored will help your organisation easily locate the information when an individual exercises his or her rights.
In the next article of this series, Bogdan Teleuca will introduce how SAS® Personal Data Compliance Manager can help organisations in recording their processing activities.