[GDPR Step 3] How to Confirm Data Owners
“Who owns data?” has always been a difficult question to answer. In the context of the General Data Protection Regulation (GDPR), certain questions assume more significance, such as:
- Does the data subject own it or the organization?
- Within the organization, how do we assign ownership?
- Should the ownership be single-point or collaborative?
What is Data Ownership?
Data ownership refers to the explicit assignment of owners to every data element in the taxonomy. Data owners are either individuals or teams who make decisions such as who has the right to access and edit data and how it’s used. Owners may not work with their data every day, but are responsible for overseeing and protecting a data domain.
In the context of the GDPR, data owners are accountable for the quality, integrity, and protection of their data space.
Data owners can be directly in charge of remediating issues with data, or delegate those tasks to data stewards. Data stewards work with data on a daily basis, ensuring that it’s accurate, de-duplicated, and consolidated to a single version of truth.
For example, the customer contact number, address, and email could be different in different systems. The data steward may then choose to pick the address from the ordering system, mobile number from the sales system, and email address from the marketing system.
The term “data ownership” is often confused with legal data ownership, which, as established by the GDPR, remains with the data subject. However, the context of data ownership in this article is within the organization and ownership refers to accountability.
The Importance of Assigning Data Owners
In most organizations, as data passes through different teams and systems, assigning data owners can be cumbersome. However, this is a critical step for GDPR compliance.
Here’s why assigning data owners is important:
1. Accountability — Ownership creates accountability. Since GDPR introduces many controls on personal data, assigning responsibilities ensures that data will be continuously monitored for compliance by the owners.
2. Defining policies — As they have a vested interest in the integrity of their data, owners focus on defining policies (for example retention or deletion policies) and standards that ensure the alignment of their data to the GDPR.
3. Creating trusted data — Data ownership is a key ingredient to gain customer trust and achieve measurable business benefits. Poor data could easily result in bad customer experiences and ultimately losing customers. In particular, when personal data is not reconciled into a data subject 360° view, compliance with data subject access rights, such as rights of portability or rights to be forgotten cannot be fully achieved.
4. Eliminating redundancies — As organizations strive to put the appropriate governance framework in place for GDPR, one common frustration is a loss of productivity. This issue stems from multiple teams addressing the same problem either because there isn’t a clear understanding of data or they’re not even aware that the problem has been resolved by another team. Federated ownership eliminates these painful issues.
How to Identify Data Owners: Three Questions to Ask
The mandatory introduction of a data protection officer (DPO) role by GDPR in most organizations effectively creates a master data owner. Each and every element in a data taxonomy needs an individual owner, however, and there is little likelihood that a single DPO can hold this responsibility on such a large scale. In addition, this could create a security issue. Delegation and segregation of duties are needed.
Asking the right questions helps. Once these questions have been answered, the data owner should become more clear:
1. Who is most impacted by data accuracy?
Consider an order placed by a customer in an investment bank. The customer talks to the sales person who initiates the order. The order is then passed on to the trading team, which does the actual booking of the trade. At the end of the day, the operations team performs reconciliations on these trade bookings and resolves conflicts.
Now, who is impacted if the trade data is incorrect? Perhaps, all of them. But, who is impacted the most?
2. Who has authority to decide the next step?
In this example, the sales team has to tell the customer about the problem, which risks customer trust. The reconciliation team has the responsibility to resolve issues resulting from the incorrect trade booking. The tech team deals with the IT repercussions of the incorrect trade.
However, the trading team is the one that has to take the ownership and rebook the trade with the correct details. The trading team’s core function is impacted by this wrong booking. It is also the team that has the ultimate authority to decide on the changes.
The reconciliation and tech teams may already know what the issue is, but they do not have the rights to make the decision. They may act as data stewards and eventually end up making the change, but in this scenario, the trading team owns the “trade” data.
3. Who owns the related data attributes?
Now, consider this: A trade is associated with a customer in this example. Who owns the customer details? Although, the customer is linked to the trade, the trading team certainly doesn’t own the customer information. The sales team is more likely to own this.
The flow of data through a company is complex; by repeating this process for each element, businesses get clarity on how data is used. By looking at related attributes and their ownerships, and continuing the chain of analysis, the big picture on data ownership emerges. Once the owner is assigned, it then becomes easier to enforce GDPR compliance.
Using Talend for Assigning Ownership
Talend Data Stewardship engages these data owners and data stewards within workflows with secured and auditable, role-based access controls to operationalize self-service processes. Some of these processes include: data arbitration, error resolution, and approval of data standards, as you can see below.
Figure 1: Assigning roles for collaborative arbitration, error resolution, and merging/grouping campaigns in Talend Data Stewardship
Next Steps to GDPR Compliance
After assigning ownership comes the important step of identifying critical data sets and data elements.
Ready to get started with Talend?
More related articles
- Pillars to GDPR Success (2 of 5): Data Capture and Integration
- Pillars to GDPR Success (4 of 5): Self-Service Curation and Certification
- Pillars to GDPR Success (3 of 5): Anonymize and Pseudonymize for Data Protection with Data Masking
- Pillars to GDPR Success (5 of 5): Data Access and Portability
- Preparing for GDPR
- [GDPR Step 14] How to Govern the Lifecycle of Information
- Pillars to GDPR Success (1 of 5): Data Classification and Lineage
- PCI DSS: Definition, 12 Requirements, and Compliance
- [GDPR Step 15] How to Set Up Data Sharing Agreements
- [GDPR Step 16] How to Enforce Compliance with Controls
- [GDPR Step 13] How to Manage End-User Computing
- [GDPR Step 11] How to Stitch Data Lineage
- [GDPR Step 09] How to Conduct Vendor Risk Assessments
- [GDPR Step 12] How to Govern Analytical Models
- [GDPR Step 10] How to Improve Data Quality
- [GDPR Step 08] How to Conduct Data Protection Impact Assessments
- [GDPR Step 07] How to Establish Data Masking Standards
- [GDPR Step 06] How to Define Acceptable Use Standards for GDPR
- [GDPR Step 2] The Importance of Creating Data Taxonomy
- [GDPR Step 4] How to Identify Critical Datasets and Critical Data Elements
- What is Data Portability?
- [GDPR Step 01] How to Develop Policies, Standards, and Controls
- What is Data Privacy?
- [GDPR Step 5] How to Establish Data Collection Standards