How Data Governance Drives GDPR Compliance

04/27/2018  |  By: Caryn Woolley, CPA, CISA, PCI, QSA, Director of Quality Assurance and Professional Development

There are many processes you can put in place to achieve GDPR compliance, but they all point to a larger concept—data governance.

Think of it like this:

If the processes your organization puts in place are puzzle pieces, data governance is the picture on the box you look to for guidance. It’s the big picture that makes all the little pieces make sense.

So, what exactly is data governance? 

Data governance establishes an organization-level control environment that governs how data is processed, used, stored, and protected. At a minimum, it encompasses the following:

  • What information your organization processes
  • Where it’s processed
  • How it’s processed 
  • The controls in place to ensure secure processing

How Can You Implement Data Governance in Your Organization? 

First, understand what type of information your organization processes. This may seem simplistic, but it’s the starting point that will give you the most accurate picture of necessary next steps in your data governance program.

You should accomplish this step using both technical and conceptual tactics. This means conducting a technical analysis in which you examine all databases and information systems to determine or verify the types of information they process.

Additionally, you should conduct a conceptual analysis in which you lay out business processes to determine what information is processed, and what happens to the information in the course of business.

You want to accomplish two things during this process:

1. Classify the information.

If your goal is GDPR compliance, you’ll want to focus specifically on “personal data,” which the GDPR defines as “any information relating to an identified or identifiable natural person (‘data subject’)”. 

However, for other frameworks, you’ll also need to worry about confidential or private data, so be sure to classify all information in your system.

2. Create a data map.

In addition to knowing what type of information you process, you’ll also want to document when and where that information is processed.

The goal is to create a high-level depiction of the storage and processing of all data.

This is especially helpful when addressing Article 35, which requires performance of a data protection impact assessment (DPIA) when processing “is likely to result in a high risk to the rights and freedoms of natural persons.”

The DPIA requires “a systematic description” of processing as well as an assessment of the necessity and risks of those operations, including risk-reducing measures. Understanding what data you’re processing and how it flows through your organization will give you a head start on this requirement.

After you understand the “big picture” of when, where, and how your organization processes information, you’ll need to make sure you have the appropriate control environment in place to manage that information. Your data classifications will drive the rigor of the controls you establish to protect each class of data. Protecting that data is itself one of the GDPR requirements.

The GDPR also enforces strict regulations for international data transfer. Creating a data map to see where personal data is transferred will allow you to understand the safeguards currently in place and the controls you may need to implement moving forward.

Additionally, you will need to establish policies, procedures, and infrastructure to address individuals’ privacy rights.

For example, Article 15 of the GDPR allows users to request copies of their personal information or have that information deleted entirely. Do you have the infrastructure that allows ease of access to that information? Do you also have procedures that define how that information is to be gathered and transferred to the requester?

Finally, you’ll need to train personnel in the policies and procedures that guide appropriate data management. Even if you implement the right documentation and infrastructure to support GDPR compliance, those structures become irrelevant if employees don’t know how to use them.

The goal of data governance is to gain control of your data—to understand exactly where it is, how it is used, and the mechanisms for maintaining its security. It provides a big-picture compliance strategy that accomplishes the little details of data management.

The GDPR is coming, and while data governance can help you understand the path to compliance, the effort can still be overwhelming. LBMC’s GDPR compliance services can help you analyze and classify your data and provide action items to prepare you for compliance. Contact us to learn how we can help you develop a GDPR-compliant control environment.