[GDPR Step 06] How to Define Acceptable Use Standards for GDPR
The General Data Protection Regulation (GDPR), introduced by the European Union, took effect on May 25, 2018. With the introduction of the GDPR, organizations will be under intense scrutiny regarding how they use the personal data of customers, employees, and prospects. Non-compliance can lead to heavy fines, so it is imperative for organizations to understand the data that they collect and use it only in the manner approved by the data subject.
Talend recently hosted an on-demand webinar, Practical Steps to GDPR Compliance, that focuses on a comprehensive, 16-step plan to put a data governance program in place that supports GDPR compliance.
“Defining Acceptable Use Standards” is Step 6 in this plan.
GDPR’s Perspective on Data Use
The GDPR clearly articulates the basis on which personal data can be used. There is a definite shift from existing standards to create a tighter framework for organizations. Here, we discuss the two core tenets relevant for acceptable data use:
Lawfulness of Processing
Article 6 of the GDPR deals with the lawfulness of processing personal data. The article discusses specific situations in which processing personal data is allowed, such as:
- The data subject has given consent.
- Processing is necessary for the performance of a contract or legal obligation.
- Processing is necessary to protect the vital interests of the data subject or of another person.
To implement this, the data governance team must establish controls to ensure any new projects that require use of personal data get sign-off from legal and compliance during the design phase. There should also be a clear listing of what these situations are, specific to the organization.
For example, if an investment bank wants to process personal data for anti-money laundering (AML) obligations, it has to be established whether this is allowed or not. Such scenarios need to be explicitly drafted and signed off.
Conditions of Consent
As per Article 7, clause 1, of the GDPR, a controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data. The idea is that data should only be used if the subject consented to it, and only in the manner in which the subject intended it for use.
For example, if the subject provided consent to receive email campaigns, but not phone calls, this partial consent has to be recorded, and data used only for email campaigns.
Read more about the GDPR’s requirements for consent in Step 11.
GDPR recommends that the data governance team work with IT, legal, and compliance to establish an enterprise consent repository. This repository has to be a single inventory of all consents including those for email campaigns, cookies, and phone contacts.
Record of Processing Activities
As per Article 30, each controller shall maintain a record of processing activities under its responsibility. It should list each and every personal data processing activity together with:
- Its purpose
- Who is accountable
- A description of the categories of data subjects involved and of the categories of personal data
- The categories of recipients to whom the personal data have been or will be disclosed
- Information about potential transfers of personal data to a non european country
- Their retention time
- A description of the security measures for that data
How to Use Talend to Define Acceptable Data Use
Talend Master Data Manager (MDM), Talend Big Data, and Talend Data Quality support the creation of a GDPR data lake, where all information related to a data subject, including personal data and consents, are brought together. In the big data era, where consents can be registered in multiple sources, this data lake helps reclaim data from various sources and reconcile them.
Figure 1 shows how a Talend job reclaims opt-in data from a third party marketing system and uses Talend MDM to publish this consent information across all applications that require them. The job also leverages Talend Data Quality to reconcile data between the outsourced system and the centrally managed GDPR catalog.
Figure 1: A Talend job combines data quality, data stewardship, and big data integration in a unified, visual environment to collect, standardize, reconcile, certify, protect, and propagate personal data.
This graphical representation of a data pipeline is fully automated and can be operated in collaboration with business teams. For example, business users can participate in the definition of data controls using Data Preparation and/or in the data certification and curation process (e.g., resolving duplicates) using Talend Data Stewardship.
Talend Metadata Manager can also act as a catalog of acceptable use standards for personal data elements. For example, if a new value, such as “halal” for the attribute “meal preferences,” is being brought into the big data environment, Talend workflows can be used to obtain legal sign-offs because this field may potentially be used to determine the religious affiliation of a data subject—something that is expressly governed by Article 9 of the GDPR.
Talend MDM maintains a log of master data updates including opt-ins. In Figure 2, the log shows that consent was added to customer “Pierre Flores” on June 14, while a deeper dive into this record will provide full record lineage, demonstrating that the website was the application that collected the opt-in.
Figure 2: Talend MDM provides record level lineage, thereby providing an audit trail for opt-ins and any other data related to a data subject.
Next Steps to GDPR Compliance
Defining acceptable use standards is at the core of what the GDPR is all about—the way personal data is processed. Talend’s tools simplify this process considerably by providing automation mechanisms to understand, store, and interpret the data landscape.
The next step of the 16-step plan put together by Talend to operationalize a data governance framework for GDPR compliance is data masking. Data masking deals with techniques such as anonymization and pseudonymization to protect data.
← Step 5 | Step 7 →
More related articles
- Pillars to GDPR Success (2 of 5): Data Capture and Integration
- Pillars to GDPR Success (4 of 5): Self-Service Curation and Certification
- Pillars to GDPR Success (3 of 5): Anonymize and Pseudonymize for Data Protection with Data Masking
- Pillars to GDPR Success (5 of 5): Data Access and Portability
- Preparing for GDPR
- [GDPR Step 14] How to Govern the Lifecycle of Information
- Pillars to GDPR Success (1 of 5): Data Classification and Lineage
- [GDPR Step 15] How to Set Up Data Sharing Agreements
- [GDPR Step 16] How to Enforce Compliance with Controls
- [GDPR Step 13] How to Manage End-User Computing
- [GDPR Step 11] How to Stitch Data Lineage
- [GDPR Step 09] How to Conduct Vendor Risk Assessments
- [GDPR Step 12] How to Govern Analytical Models
- [GDPR Step 10] How to Improve Data Quality
- [GDPR Step 08] How to Conduct Data Protection Impact Assessments
- [GDPR Step 07] How to Establish Data Masking Standards
- [GDPR Step 3] How to Confirm Data Owners
- [GDPR Step 2] The Importance of Creating Data Taxonomy
- [GDPR Step 4] How to Identify Critical Datasets and Critical Data Elements
- What is Data Portability?
- [GDPR Step 01] How to Develop Policies, Standards, and Controls
- What is Data Privacy?
- [GDPR Step 5] How to Establish Data Collection Standards