With the European Union's General Data Protection Regulation in effect, organizations are not only looking at their...
immediate tasks for compliance, they are also considering a more holistic approach to data protection with a longer term strategy for data risk management.
The General Data Protection Regulation (GDPR) requires the protection of personal information with an added layer of ensuring an individual's right to be forgotten, which enables individuals to request that all of their personal information be removed from an organization's environment.
This particular right is one example of an external regulation with potentially drastic implications for data management. Not only do you need to know what data sets contain personal data, you also need to know what kind of information you have stored and whether that information is subject to either the protection requirement or the right to be forgotten.
While GDPR may be the most imminent motivation to institute some level of data protection, it won't be the last -- especially with increased scrutiny over the ways that companies like Facebook and their partners accumulate, manage and use individuals' personal data.
Steps for GDPR compliance and data risk management
Data risk management is a catchall term for the different facets of assessing and managing data protection. Data risk management is part of a more general data governance program, and it incorporates a number of key steps, including, but not limited to, the following:
Data asset surveillance. Many organizations are not even aware of the full scope of the data assets that pose a GDPR compliance risk. Perform a survey of all the data assets in your organization and document the name, location, owner -- if it's known -- and any other demographic data about the data set.
Risk assessment and severity modeling. Surveillance tells you about the assets, but does not provide any details about the content. Risk assessment scans the content of a data asset to determine if it contains any personally identifiable information (PII).
Severity modeling is a mechanism to provide a risk score to any type of inadvertent exposure or data breach.
Risk classification. This process will classify each data asset in terms of the level of sensitivity of the included PII and the risk score. The classification will determine the types of data protections that must be applied to the data asset.
Data protection and security. Different kinds of data protections can be applied. For example, the entire data asset could be stored behind a firewall, encrypted or subject to limited access, or a combination of all three. This part of a data risk management strategy includes the processes, procedures and specification of the technology needs for data protection.
Access and rights management. Different users within the organization may process PII data for different purposes and in different ways. Therefore, people with different roles in the organization will need different rights to access the data. This capability incorporates the policies and procedures to specify roles and describe the access rights for each of the roles.
Twelve data governance and discovery tool providers
- Alex Solutions
- BackOffice Associates
- Global Data Excellence
- Global IDs
Coordination with IT security and risk management. One of the more challenging aspects of instituting data security and protection in the organization is interoperating with the more general IT security, protection and risk management groups. Because the IT security organization is likely to be more established with well-defined policies and procedures, the data security and protection processes must be aligned to work with the overall security organization.
Together, these steps for GDPR compliance support the data protection requirements. For example, should an individual request that his or her information be deleted, you can consult the data asset catalog to identify any data assets that might include PII, review the risk classification and the severity risk score to filter out the data assets to be scanned for that individual's data, and then excise the individual's PII from the data asset. Add in a master data management program to create a master individual index to simplify the process of finding the data assets that contain any individual's PII.
Clearly, data risk management falls squarely within the realm of data governance -- all of the aforementioned capabilities are related to data policy definition, compliance and operationalization.
By layering the policies and processes of data risk management within the data governance framework, you can institute a general framework to protect personal information contained in existing data sets under management. You can also find a way to evaluate new regulations to identify data dependencies and how the regulations require the specification of new data policies, modifications to existing data policies, and updates to operational procedures to ensure auditable compliance.