GDPR and Data Governance
With a number of my clients, I am finding that I am getting increasingly involved in their GDPR projects, as having a good Data Governance Framework helps you meet some of the requirements of GDPR.
GDPR impacts everyone who holds personal data so I thought I would ask Tejasvi Addagada to provide a useful overview of the subject:
It is imperative that the privacy needs of EU residents are addressed through GDPR by 25 May 2018. Moreover, GDPR necessitates coverage of private information that is processed by any organisation, across the globe. This means every organisation with a global presence must embrace these privacy requirements. The regulatory landscape is evolving fast, and it requires firms with global operations to adopt the highest regulatory requirements from a region, which can then be leveraged as preparedness in other regions.
Privacy is not only a requirement from GDPR, but is also a major driver from an organisation’s perspective of risk. Most of the personal information collected for years now is vulnerable to threats and events of malicious theft, accidental disclosure, and failure in appropriate design and usage. Today, protecting an organisation’s reputation is the most significant risk management challenge. Negative publicity for a firm will cause a decline in the customer base, reduce revenue and lead to costly litigation.
Privacy is not a new dimension that firms are planning to embrace suddenly. Most mature organisations have Information Privacy and Data Privacy clearly delineated and accounted for by a stand-alone division in the firm. In my experience, I have seen Information privacy aligned with the Technology Risk function while Data privacy, as predictable, lies with Data Management and Governance. There are a couple of good articles that brief on the way forward for “Privacy as a dimension” within Data Management.
I was on a holiday this week, to Wayanad, a hill station in Kerala that boasts plush landscapes, streams and the native culture of the locals. I booked the hotel on a travel app, which for sure has collected my personal information. This data has been shared with restaurants owned by the same group that gave me offers and requested feedback for every dining experience. Sadly, the hotel doesn’t have a travel desk, but using his contacts, the desk manager fixed our local travel arrangements. Further, the Government forest division that manages the tourist destinations collected my private data for accounting and safety, at 5 destinations. In a span of 3 days, I know there is redundancy and various levels of data that is collected by various organisations. When I asked the hotel about the management of the private information, they were not sure of any procedures that exist today. Further, most of the data still exists on paper.
Most financial organisations embracing data management and governance have, for some time now, integrated Data Privacy and Security as an integral dimension. Working with these firms, I can say that they are prepared for GDPR. There is a Governance function that directs, monitors and evaluates while also enforcing accountabilities through ownership and data stewardship. On the other hand, a percentage of other organisations have some level of privacy management capabilities customised in the form of projects, for specific needs.
GDPR stresses responsibilities, accountabilities, and the evidencing of controls for privacy.
Here are ten simple steps to get started –
1) A current capability analysis must be performed to understand the people, process and technology capabilities in place to collect, process, and manage privacy and security controls for personally identifiable information of customers and employees. This will be much easier if data privacy management is already an integral dimension, embraced by a Chief Data Office.
2) The firm must draft a data privacy policy to ensure enforcement of compliance with mandatory regulatory, internal compliance, best practice, legal and ethical requirements, along with the need for managing risks. These aspects must be clearly embedded into the privacy policy to provide guidance to personnel. This assists personnel in carrying out any activity that involves private and confidential information. It is advisable to understand the needs for privacy and the options for achieving privacy management before embarking on a full-scale implementation. A Data Management Strategy must be developed to include Data Privacy management aspects, leveraging the current capabilities assessment. The Data Management Strategy and Privacy Management must be aligned with organisational objectives. In addition, the target control environment and organisational structure for Data Privacy and Security Management must be defined, including the identification of a privacy officer etc.
3) From the current capability analysis, understand the “Direct Client identifying” and “Indirect client identifying” data that is collected and processed by the firm. There is a difference between a privacy classification and a security classification. If the firm doesn’t have classifications available, it needs to engage with the risk function to baseline the levels of allowable privacy classifications. Based on these, the council and data stewards can enable the data owners to classify the data that they own.
4) It is much easier to manage the data if it is logically classified into domains based on its business characteristics, such as the customer domain. Likewise, employee personal data can be classified under a human resources domain. Further, based on current need, a dataset or a sub-domain can be classified as customer preferences, which makes it much easier to manage data related to customer consent, like opt-in/opt-out.
5) Through the Governance function, the chief data office ensures that ownership of data is aligned, data owners are accountable, and stewards are made responsible for enforcement of activities related to privacy management. Further, these roles would be updated in the data glossaries and dictionaries through Metadata management. Once data ownership is enabled, the existing privacy classifications for customer and employee data can be actively managed. This also sets the context for the data owner in capturing entitlements (control requirements) across the data lifecycle. From a risk perspective, these activities play a key role in strengthening the 1st line of defence in the firm.
6) Based on the plan for implementation of controls for data privacy, projects must be sponsored and roadmaps must be put forth, perhaps timeboxed to meet regulatory timelines. Once the controls are in place, their existence, along with key control indicators (KCIs) and key risk indicators (KRIs), needs to be captured as Metadata in a glossary. This strengthens the evidencing aspect of the regulation. Further, the control indicators and risk indicators must be aggregated as scorecards for reporting to the board and regulators.
7) The firm must bring “Privacy by design” into the mainstream by operationalising policy in every change (project). This ensures that every new capability or change to an existing process, system or organisation structure is assessed for privacy impact, and that controls and best practices are ensured and recorded.
8) Data privacy management must ensure that all data elements classified as private are recorded for entitlements and that security controls for privacy are included, e.g. anonymisation, masking based on context, encryption and transfer contracts, to name a few. Entitlements and controls must be recorded as Metadata in glossaries.
9) The controls for securing private data are established at a data service level wherever applicable, rather than at an application level. The divisional and governance forums ensure that the guidelines for data controls are in place for new changes and changes to existing capabilities. Once the Privacy Impact Assessments are performed, the gaps are analysed and a program focusing on establishing a control environment for such data domains is commissioned in line with the funding model. Any non-adherence to established controls should be signed off by the governance council, with adequate evidence for bypassing the controls. The level of controls includes administrative (process), technical and physical controls to secure private data.
10) Data Privacy cannot function alone and would require close integration with other dimensions including Metadata, Data Quality, lifecycle and risk management.
a. Metadata management is a major enabler to classify data into domains and assign privacy classifications.
b. The data quality function ensures that the integrity of data is maintained, while data privacy and security ensure that modification is performed only by designated roles. Further, the currency and accuracy of personally identifiable information must be ensured.
c. Data Lifecycle management simplifies the data landscape, allowing the firm to understand: Which system, personnel or process collects a data element like tax number? Where else does tax number flow in its processing? Where is it stored, transformed, decayed? Which process, personnel or system applies tax number, and for which purpose?
d. Data risk management ensures adherence to regulatory needs, including privacy assessments, risk scoring, control assessments, and risk event or privacy incident reporting and escalation. It also ensures that there are policy self-assessments and identification of blanket in-flight risks, along with risk evaluation and response.
Having read this article with Tejasvi, you can also read my free report, which reveals why companies struggle to successfully implement data governance.
Tejasvi Addagada is a Data Management and Governance consultant with nine years of success in assisting clients to develop and optimize data governance solutions. Tejasvi has worked with the top ten major global financial service providers, providing a wide range of services including strategy analysis, data analysis & architecting, service rationalization, digital transformation and process excellence. Tejasvi has diverse experience in the areas of consumer banking, commercial banking and capital markets. He has served as a process and domain consultant for the top ten major banks while receiving several accolades for the success achieved.
Now, he is delivering his services to a major investment management firm as a principal data consultant in the Data Governance Office. Before this stint, he worked with two major banks in setting up and orchestrating data governance services from the grass roots.
Tejasvi is an avid thought leader in the industry. He likes to connect with other thought leaders while blogging on technological and business advances. His write-ups address common challenges and opportunities that firms need to tackle to make their way forward in the industry. Apart from that, he is an abstract painter and an art enthusiast and likes to spend time with family.
Tejasvi can be reached at tejasvichand@gmail.com