The GDPR regulation is finally live as of May 2018! What is expected of organizations in this current state and what can be put in place to improve the posture of compliance? We will examine some important aspects below. At this stage, it is fully expected that organizations have identified and mapped the personal data they process, and built the processes required by the GDPR, such as data protection impact assessments, data subject rights. In additional, all GDPR-required elements should be mapped into their legal documentation such as privacy policies and vendor agreements.
The only way to effectively and efficiently identify and map such data is to automate the process. Data discovery and identification is a critical aspect of complying with this regulation in an effective manner. This activity is often performed as part of a Data Protection Impact Assessment (“DPIA”), another GDPR requirement (Article 35). A DPIA is the basis for demonstrating GDPR compliance; hence it must be a well-engineered process that can be repeated consistently over time.For many organizations, conducting an initial assessment across disparate heterogeneous platforms is a daunting and time-consuming exercise. Sophisticated scanners such as the Orion Enterprise Information Intelligence Graph (EIIG) can quickly examine different vendor databases, file types and even determine where and how such personal data is moving across the enterprise. In addition, the content, format, range of values, and data types must be compared in an automated fashion for similarities, differences, and compliance with data management and data security policies. If a GDPR related business glossary has been created, Orion’s Term2Asset module maps those terms into the physical data for semantic querying, and can vastly enable reporting and discovery for the business data steward. Finally, the results must be analyzed, documented, and communicated to a broad, diverse audience. Below are some steps that every organization could follow Data discovery and Identification – Automated discovery of data assets and cataloging metadata and their respective schemas, definitions, types, sizes, and inter-dependencies. Personal and Customer data tends to be spread out across relational databases, archived records in a data lake / warehouse, and Distributed File System stores (e.g., Hadoop etc.). The Orion Governance platform supports all of these disparate technologies and can harvest data automatically.
Catalog external data sources – Vendor and third party data is often collected using different business processes than internal data, and may be used to enhance personal information through record matching and additional attributes.
Automatically document data flow and lineage – Data flow of various Critical Data Elements (CDEs) within the enterprise along with lineage is essential to ascertain where customer data moves, especially the primary customer identifiers, and sensitive personally identifiable data. Examples may be CRM systems like Salesforce, home-grown or SaaS applications such as email marketing), analytics tools, and other data stores. BI and/or reporting systems also tend to contain a lot of customer information that needs to be cataloged and included in the lineage process.
Implement a metadata repository and layer – Customer and prospect data may be spread across data stores, from transaction databases to marketing systems, under your control or through SaaS applications. A metadata layer is essential to help abstract different data sets and apply the proper restrictions on personally identifiable data.
Review data retention policies – While customer data cannot be deleted without a proper process in place, reviewing the company’s data retention policies with a metadata layer in place is a whole lot easier and provides the right level of visibility into these legal and regulatory processes that are essential for every company.
The Orion Enterprise Information Intelligence Graph (EIIG) platform is purpose build to help accelerate your journey towards GDPR Compliance, mapping business terms in the GDPR Glossary automatically to scanned assets, and storing that into the metadata repository.
Contact us today at firstname.lastname@example.org to find out how you can cut short the time and effort on this long journey.