The ever-growing need for data protection and security is creating legislation in various forms throughout the world. These laws and regulations often contain strict policies for organizations that handle personal information (PI) of citizens and how that data should be handled. One of the largest efforts we’ve seen is the European Union General Data Protection Regulation (GDPR).
According to the Official EU GDPR website, GDPR was “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” The regulation goes into effect 25 May 2018 and affects all companies with a specific European presence.
With hefty fines of up to 4% of annual global turnover or €20 Million (whichever is greater), having a resolute data governance strategy is essential. It’s important to know what data your company possesses, who it belongs to, where it’s located, how it’s used and what may impact it for GDPR compliance. So, what does that mean to your organization doing business in Europe? The new law comes down to the following big IT areas:
- Customers have the right to be forgotten – Once the law is enacted, consumers have the right to have their personal information (PI) removed from your systems. From an IT perspective, you must know where their PI has landed for easy removal.
- Data portability – This tenant gives the customer rights to transfer their personal data from one provider to another.
- Companies must understand “data flows” – For the purpose of this conversation, let’s refer to a data flow as the exchanging of data with a partner or other organization. Your IT organization must understand thoroughly those touch points. This must be documented at the field level and available for audit or threat detection.
- Consent – Companies must be able to provide proof that the customer agreed to have their data stored by your organization.
- Privacy Enhancing Technology (PET) and Privacy by Design (PbD) – In this new world of privacy as a right, you must incorporate that right into your applications and how you anonymize data, even with the data is enhanced through other sources. In other words, you may receive some basic personal information (PI) from a customer but then purchase other data that further enhances their base profile from a survey company. This is all considered PI that must be protected.
Our tools can help you achieve a GDPR compliant data governance strategy in the following ways:
Data Dictionary
DOC xPress’s Data Dictionary allows you to record responsibility for data as well as include that information in documentation through annotations and custom fields. This provides accountability for the ownership of the PI in your company’s possession.
The Data Dictionary is also useful for recording responsibility for processing stages (particularly those within SSIS) as an added level of accountability.
Documentation
Documentation for the core data is covered by the robust and customizable documentation tools within DOC xPress. DOC xPress creates documentation from SQL Server, SSAS, SSIS, SSRS, Excel, Oracle, Hive, Tableau and more and can generate documentation in a variety of formats. In addition, the documentation can be customized for different audiences, so that users only see the most relevant information for their role. This documentation is at the field level and helps clarify where personal information (PI) might be hiding in your organization.
Lineage Analysis
Being able to quickly and easily see where a piece of PI is being used allows you to make appropriate decisions on what needs to be included in an audit and why. DOC xPress’s Lineage Analysis tool helps you see where data originates and how it’s being used. With this tool, you can also identify possible data flows for sensitive data to be lost and/or leaked. Understanding the flow of data is key to ensuring that the flow is secure.
Automated Data Testing
Designing a data governance strategy should provide data protection by design and through auditing. LegiTest is an automated data-driven testing tool that can automatically test data at specified intervals to ensure validity. LegiTest also maintains appropriate records to prove test results to increase efficiency during the audit process.
DOC xPress and LegiTest are just two of the products within our popular Pragmatic Workbench. This bundles four of our most popular SQL Server tools, helping you utilize the BI stack while saving time and increasing efficiency. See how our tools can integrate into your environment and help you achieve a GDPR compliant data governance strategy:
Please consult your legal team on how this regulation may impact your company.