[GDPR Step 01] How to Develop Policies, Standards, and Controls
Data governance is not a recent concept. Organizations have been structuring, protecting, and analyzing their data for years. Many heavily regulated industries, such as financial services or life sciences, started their data governance efforts to address compliance challenges, for example to comply with BCBS 239, Solvency 2 or HIPAA. With the introduction of the General Data Protection Regulation (GDPR) and other data privacy regulations around the globe, most enterprises—no matter the size or industry—need to establish data governance best practices.
What is the GDPR?
The GDPR, introduced by the European Union (EU), applies to the processing of personal data of all data subjects, including customers, employees, and prospects. After a two-year transition period, it went into effect on May 25, 2018.
GDPR applies to data subjects in the EU, even when data is processed by organizations operating in outside jurisdictions like the United States, Asia Pacific, Middle East, and Africa. Non-compliance with the GDPR may result in huge fines of €20M or four percent of the organization’s worldwide revenues, whichever is higher.
The purpose of the GDPR is to create better data protection policies and to hold the organizations that handle personal data more accountable. Using a detailed list of 99 articles, the GDPR lays out a set of rules with which organizations need to be compliant. Together, these articles warrant that organizations handle personal data with sensitivity, protect it, control data quality, and ensure that the data subjects are aware of how it’s used.
But the transition isn’t easy. The new processes have to be systemic and self-serving rather than ad hoc, manual, and intrusive. If your organization is affected by the GDPR, we have a comprehensive and structured 16-step plan to achieve GDPR compliance.
Step 1 of the plan is to develop relevant policies that strengthen the data governance program.
Develop Policies, Standards, and Controls
Every organization needs to draft policies that would tie directly or indirectly to the GDPR articles. These cover various disciplines including data ownership, privacy, access, protection, security, metadata management, and data quality management. Some questions to address include:
- What is personal data? Where is it processed and why? Where does it come from and where does it go?
- How to track opt-in?
- How to restrict the processing of personal data?
- Who can access this data and how is that access tracked and traced?
- How to mask or delete the data when consent was not captured or when retention delay has expired?
- Is this data really needed or is it optional?
Unless there is a reason to process such tasks manually, the goal is to automate each of these policies in some form in the IT systems.
Talend’s platform and its suite of products offer a simplified way to implement this. Below are a few sample GDPR controls and the corresponding Talend tools that facilitate their implementation.
GDPR Article 6: Lawfulness of Processing
Article 6 of the GDPR requires that there be appropriate sign-offs by legal and compliance departments during the “design phase” of any new project that requires the processing of personal data.
GDPR Article 7: Conditions for Consent
Consent refers to explicit customer opt-in, indicating a willingness to share personal information. This is a critical aspect of GDPR compliance, and it’s essential for organizations to provide evidence that consent was obtained. This can no longer be a subtext, and there has to be traceability to indicate when and how (phone, email, etc.) the consent was received. If customers chose to partially opt-in, that needs to be recorded as well.
GDPR Article 9: Processing of Special Categories
Special categories refer to personal data such as race, ethnic origin, or political opinions. GDPR expects that such special parameters be identified as critical data elements (CDE). As per Article 9, legal and compliance departments need to sign off on usage of special categories right at the “design phase” of a project.
GDPR Article 11: Processing Not Allowing Identification
Providing anonymity to the data subject in the form of data masking is an important pillar of data protection and security (Article 11). This ensures that confidential information is not at risk of data theft. Putting together policies and standards that can make identifying a data subject difficult is critical to safeguarding anonymity. Defining unambiguous roles and responsibilities with appropriate administrative rights is another step towards restricting private data access.
GDPR Article 30: Records of Processing Activities
Article 30 of GDPR mandates a clear audit trail of sensitive data in an enterprise, including its third parties. This ensures that a data lineage exists with an exhaustive understanding of the chronology and history of the data’s lifecycle.
Tools to help you achieve this: Talend Metadata Manager
Next Steps in Developing GDPR Policies
Establishing a policy framework for data governance ensures that your critical data is under control. It drives alignment between legal, compliance, privacy, and enterprise data management teams, and ensures everyone is on the same page before getting to the next stage of implementation.
Ready to get started with Talend?
More related articles
- Pillars to GDPR Success (2 of 5): Data Capture and Integration
- Pillars to GDPR Success (4 of 5): Self-Service Curation and Certification
- Pillars to GDPR Success (3 of 5): Anonymize and Pseudonymize for Data Protection with Data Masking
- Pillars to GDPR Success (5 of 5): Data Access and Portability
- Preparing for GDPR
- [GDPR Step 14] How to Govern the Lifecycle of Information
- Pillars to GDPR Success (1 of 5): Data Classification and Lineage
- PCI DSS: Definition, 12 Requirements, and Compliance
- [GDPR Step 15] How to Set Up Data Sharing Agreements
- [GDPR Step 16] How to Enforce Compliance with Controls
- [GDPR Step 13] How to Manage End-User Computing
- [GDPR Step 11] How to Stitch Data Lineage
- [GDPR Step 09] How to Conduct Vendor Risk Assessments
- [GDPR Step 12] How to Govern Analytical Models
- [GDPR Step 10] How to Improve Data Quality
- [GDPR Step 08] How to Conduct Data Protection Impact Assessments
- [GDPR Step 07] How to Establish Data Masking Standards
- [GDPR Step 3] How to Confirm Data Owners
- [GDPR Step 06] How to Define Acceptable Use Standards for GDPR
- [GDPR Step 2] The Importance of Creating Data Taxonomy
- [GDPR Step 4] How to Identify Critical Datasets and Critical Data Elements
- What is Data Portability?
- What is Data Privacy?
- [GDPR Step 5] How to Establish Data Collection Standards