Must-have data governance capabilities under GDPR
The long-awaited General Data Protection Regulation finally goes into effect this week – specifically on Friday, May 25.
After months of news coverage mostly centered on what GDPR is, who it affects, how it affects them, and the fact that many organizations are still nowhere near ready for the data privacy mandate, the discussion will now shift to how GDPR is being applied and adjusted to meet real-world business scenarios.
That will raise two immediate questions. Will organizations be called out for failing to meet GDPR rules? Will there be a drumbeat of businesses coming out to inform users that their data has been inadvertently exposed or otherwise mishandled, with such notifications mandated by the new rules?
One area that hasn’t received a lot of attention (but probably will as the supervisory authorities appointed by each member state of the European Union to enforce GDPR begin conducting audits) is that of reporting.
Under GDPR, any organization handling the personal data of an EU-based individual must be prepared to demonstrate compliance during a data protection audit, which can be ordered at any time by a supervisory authority (per the investigative and corrective powers bestowed upon them by Article 58).
How should organizations respond to these requests? Article 38 requires organizations to assign a data protection officer (DPO) to ensure personal data is protected and to demonstrate compliance. This officer must not only “directly report to the highest management level” but also to users or “data subjects” themselves. (From GDPR: “Data subjects may contact the DPO with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Regulation.”)
It’s hard enough for an organization to know what data it has, who’s using it, and how long it will be retained. It’s equally difficult to ensure that data remains compliant, as regulations or a data subject’s data preferences could change at any moment, though data automation tools are certainly helping organizations get there quickly.
Implementing proper reporting may not be as massive a task, but it certainly can be a daunting one and shouldn’t be treated as an afterthought. While GDPR calls for organizations to respond to auditor requests “in a timely manner” in one section, elsewhere it says organizations must provide verification of compliance “upon request.”
In the case of an actual personal data breach, the organization must, per Article 55, notify the supervisory authority within 72 hours. In short, it’s best to be prepared to demonstrate adherence to GDPR’s many rules as quickly as possible.
Whether you’re looking at the reporting tools included in your data governance solution or stand-alone reporting functionality, there are certain capabilities that organizations should look for in order to satisfy GDPR compliance.
First and foremost, organizations must be able to generate comprehensive reports that align with GDPR to immediately and clearly demonstrate compliance, article by article. But the reports must also be easily customizable to meet auditor requests, whatever the need.
As GDPR rolls out from theory into real-world scenarios, there will be refinement in what’s actually required of companies. Also, GDPR aside, reporting requirements will differ from one regulatory body to another, so you’ll want to remain flexible.
The ability to search data easily is important for organizations, and with the different governance solutions available today, the experience can be as easy as online shopping.
Data consumers concerned about GDPR should be able to search for business terms and narrow their results using filters such as peer ratings, data owner, data steward, tags such as PII, data source, or data format. Data consumers should be able to drill down into glossary domains to find data related to specific categories like “GDPR Subject Identities” or navigate through directories or schemas.
An ideal GDPR solution should be pre-configured with glossary terms, pre-trained machine learning algorithms, workflows, case management capabilities, auditing reports and a dashboard.
You’ll also want to make sure comprehensive reporting is in place for internal assessments to ensure ongoing compliance before the organization is audited. This means that organizations will need to be able to dry-run their reporting procedures and account for the time required to figure out how to answer a regulator or data subject question.
Once they ask, you’re on the clock, and time will be short, so you must be able to reply in a timely manner. When a request comes in, you need to have quick access to the kind of information you need to process the request, and setting that up ahead of time is critical.
For example, if you are using data processors, don’t forget to factor them into the response time. If you have 72 hours to get back to the regulator (after a breach), how much of that time is gone by the time the processor comes to you?
You hired them, so you’re responsible end to end. Make sure your data processing agreement spells out their obligations.