
Data Governance for GDPR Compliance: Principles, Processes and Practices

November 2017

Table of Contents

01 What is data governance?
02 GDPR data governance implications
03 Building blocks of a data governance programme
04 Data governance implementation
Summary: Meeting the data governance challenge
Appendix: Further reading and resources

A data governance plan, supported by effective technology, is a driving force to help document the basis for lawful processing.

Executive Summary

An effective data governance strategy forms the foundation of an organisation’s approach to protecting the privacy of personal data under the General Data Protection Regulation (GDPR), the European Union’s new data privacy law. Data is a valuable corporate resource, but under the GDPR personal data collected by an organisation that pertains to customers, potential customers, employees and others comes with significant responsibilities.

The GDPR strengthens existing rights and provides for rights for individuals who are in the EU to control the collection, storage, processing and use of their personal data. Although the text of the regulation doesn’t use the word governance, it lays out specific requirements for organisations that control and process such data, which fall under the umbrella of data governance.

A data governance plan, supported by effective technology, is a driving force to help document the basis for lawful processing, and define policies, roles and responsibilities for the access, management, security and use of personal data. Today’s organisations are data-centric; they accumulate enormous amounts of information in many different formats. Software applications, systems and databases like customer relationship management and enterprise resource planning systems contain personal information about customers, potential customers, employees, members and other individuals.

This paper addresses data governance from concept to implementation.

01 What is data governance?

Data governance refers to an overarching strategy that encompasses the policies, processes (including technologies) and people involved in managing and protecting data.

Data governance drives risk assessment, which drives the compliance effort, which in turn develops the governance programme. The three – governance, risk assessment and compliance – must work hand-in-hand for effective management and protection of data.

Data governance is a means of creating policies related to data, including how and where it is stored and sent, who has access to it and to what level, and what actions can be performed on the data, by whom, when, using what methods and under what circumstances.

An effective data governance programme must be both proactive and reactive. It is designed to protect the data and prevent any unauthorised access or exposure, but also contains a response plan that can be put in place quickly if an incident occurs.

Note: “Data governance” and “data management” are sometimes used interchangeably and the two overlap in many areas. However, governance is only one of multiple elements in a data management model.1

1 Data Management Association International. Data Management Body of Knowledge

Why data governance matters

The amount of data that organisations collect and process is exploding. IDC Research predicted that the volume of digital data will expand at a compound annual growth rate of 42% over the decade of 2010 to 2020.2 This growth is being driven by an ever-increasing number of sources, and the data being generated now is more complex than ever. As the amount of data in your organisation increases, so do the demands on your organisation to be compliant with legal and regulatory requirements to quickly find, keep and protect data. Spending days to find the specific protected data is not only expensive, it’s not an option.

[Callout: 42% – growth in digital data from 2010 to 2020]

As your business grows, staying compliant in a sea of evolving global regulations adds new layers of complexity. Policy makers are rapidly adopting new international standards, and security and privacy concerns dominate in an ever-changing global business and social landscape. This is a challenge for any organisation, large, medium or small. Microsoft products and services can help you to address these challenges.

2 EE Times. Digital Data Storage is Undergoing Mind-Boggling Growth

How data governance facilitates compliance efforts

A data governance programme applies to many different types of data. Data can be classified in many different ways. Effective data governance involves classifying data according to security requirements. The data that is collected, used and stored by most organisations can be divided into a number of different categories based on the required security level.

The GDPR focuses on personal data. It also addresses special categories of personal data, also referred to as sensitive data. This is personal data that contains information about the data subject’s racial or ethnic origins, political opinions, religious or philosophical beliefs, physical or mental health, sex life, genetic and biometric data or membership in a trade union. It also includes information regarding criminal history and criminal court proceedings against a data subject. Additional specific conditions must be met for the processing of these special categories of personal data.

Personal data is protected by the GDPR. Its disclosure could subject the data subject to substantial risk of loss of privacy as well as criminal victimisation (e.g. identity theft). All personal data should be protected by the highest levels of security.

An important goal of a data governance programme is to protect the needs of data stakeholders – individuals or groups who could affect or be affected by the data. These include those who create data, those who use data and those who set rules and requirements for data. The focus in this paper is on protecting the privacy, confidentiality and integrity of the personal data of EU citizens to help comply with the GDPR.

Steps to establish a data governance programme

Processes and technologies can differ from one organisation to another, as do implementation details, but the basic steps to establish a data governance programme are the same:

Plan: Identify your requirements based on regulatory and legal mandates, business best practices and organisational policies.

Decide: Establish rules to help meet those requirements.

Assign: Determine who will develop, implement and manage the data governance programme, and the roles, responsibilities and scope of authority of each and the permissions required for each role to carry out its responsibilities.

Implement: Put in place policies, procedures and processes (automated and/or manual) to enforce the rules.

Monitor: Track the status of rule enforcement on an ongoing basis.

Assess: Evaluate the success of your data governance programme and make changes when necessary to increase its effectiveness.

All organisations that deal with important data of any kind need a data governance plan, but in the context of GDPR compliance, there are some very specific requirements that fall under data governance. We will address those specifics in Part Two.

The assignment of roles is one of the most important elements of data governance; as with any task, choosing the right person for the job can make the difference between success and failure. We will discuss the roles and responsibilities associated with data governance in Part Three.

Each of the steps can include multiple parts. For example, implementation will involve research to determine the appropriate technologies for rule enforcement, then testing of those products and services to ensure that they are adequate, and then integration into your organisation’s environment. We will discuss those sub-steps in more detail in Part Four.

Make data governance easier

Organisations today perform the steps discussed above manually, but the future of data governance will take the burden off of individuals in the organisation and leverage machine learning to automate many of the processes and bring the information overload under control.

An intelligent, secure, enterprise-grade cloud that can be trusted lightens the overhead for administrators and users alike and allows you to focus more on your business and less on the details of compliance.

Microsoft cloud services empower you to find relevant information quickly and make informed decisions through automation. By leveraging these data insights, organisations can stay compliant and reduce risk. You keep what’s important and leave behind what’s redundant, obsolete or trivial automatically, so that the high-value content that is important to your business is efficiently protected for as long as you need it to be.

Shared responsibility for data governance in the cloud

Cloud computing can make data governance easier by giving organisations one centralised location for storing their data instead of having it spread across many different storage media. In addition, top cloud providers have the resources and expertise to apply the strongest available security measures. Microsoft implements advanced data protection and security features in its cloud services to safeguard data and privacy.

Storing and processing data in the cloud also creates a model of shared responsibility3 for security and compliance in general and for data governance in particular. Cloud providers must implement and be accountable for measures to control physical access to data that is stored in and moves to and from their data centres, access to subscriptions, and physical resource management and tracking. The division of responsibilities differs depending on the cloud model (IaaS, PaaS or SaaS).

3 Shared Responsibilities for Cloud Computing

Microsoft applies best practices to the operation of its cloud services and provides customers with options and tools for securing the virtual machines, applications and data that they run and store in the cloud. Because documentation is an important element in compliance, Microsoft provides customers with information regarding how their data is handled and protected in the cloud, as well as tools for applying additional security measures, such as enabling encryption in those cases where it isn’t applied by default.

Guiding principles for data governance

There is more to data governance than processes and practices. It’s important to keep in mind the guiding principles on which data governance is founded.4 These include:

• Stewardship
• Standardisation
• Change management

4 The Data Governance Institute. Goals and Principles for Data Governance

Data management policies and standards should be based on these principles, and are impacted by a multiplicity of factors, such as business goals and strategies, IT objectives and strategies, data types and uses and, last but not least, regulatory requirements.

The remainder of this paper will focus on data governance as it applies to GDPR requirements.

02 GDPR data governance implications

The term “data governance” doesn’t appear anywhere in the text of the GDPR articles, yet data governance best practices are at the heart of its mandate to protect the privacy of personal data. An effective, well-documented data governance strategy helps organisations to achieve and maintain GDPR compliance by establishing clear policies, procedures and processes for managing and securing data, including personal data.

The GDPR was adopted in April 2016 with a two-year grace period; enforcement begins in May 2018. It supersedes EU Directive 95/46/EC, commonly referred to as the Data Protection Directive. As a regulation, rather than a directive, it is a binding legislative act5 that applies across the EU. In contrast, a directive only sets out goals; it is up to the individual countries to define their own laws to achieve those goals, resulting in variable regulatory requirements from country to country.

The GDPR updates, clarifies and expands upon the concepts that were addressed in the directive. In Article 3, the GDPR expands the territorial scope of the law to apply to the processing of personal data by organisations established in the EU regardless of whether it takes place within the EU. It also applies to controllers and processors without a presence in the EU who offer goods and services to individuals in the EU or monitor their behaviour (such as tracking individuals online to create profiles via website cookies).

Data governance, as it pertains to the GDPR, is a means of protecting the privacy of personal data. At the same time the GDPR expands the territorial scope, it also expands the definition of what is considered “personal data” under the regulation. The new definition includes any data that can be used to directly or indirectly identify a person (data subject).

5 European Union Regulations, Directives and other acts

A “data subject” is an identified or identifiable natural person. A natural person is generally defined as an individual human being; this does not include a corporation or other legal entity that may be considered a “person”6 for legal purposes. “Any data” in the context of this definition refers to (but is not limited to) information such as names, addresses, email addresses, IP addresses, identification numbers, biometric identifiers (fingerprints, iris patterns, DNA), physical or physiological attributes, occupation, location, medical/health information or even website cookies.

GDPR Recital 30 addresses online identifiers that include “devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.” When these leave traces that can be combined with other unique identifiers to create profiles of natural persons and identify them, they may fall under the definition of personal data.

6 Merriam-Webster Law Dictionary

GDPR principles for processing

In Article 5, the GDPR lays out basic principles for the processing of personal data, and subsequent articles prescribe specific requirements in keeping with those principles. The principles are aimed at ensuring that personal data is collected lawfully, is accurate, is properly secured and is limited in purpose, use and duration of storage.

The GDPR principles align closely with the more generally accepted guiding principles for data governance that were discussed in Part One of this paper.

GDPR requirements and data governance

The GDPR requirements lay out specific instructions regarding how personal data is to be collected, processed, used and stored in keeping with the principles discussed above. These requirements can be divided into four broad categories that also form the basis for an effective data governance plan:

• Data discovery (identification and classification of personal data)
• Data management (including response to the requests of data subjects)
• Data protection (all aspects of securing personal data)
• Reporting (documentation of activities and conditions pertaining to personal data)

Data discovery and management

Quickly finding data and managing it effectively and efficiently are cornerstones of data governance. Chapter 3 (Articles 12-23) of the GDPR addresses the rights of data subjects. These rights include a data subject’s right to access their personal data and details regarding associated processing activities, as well as a means to submit requests for data rectification, erasure and the export of that personal data.

Having informed the data subject of their rights at collection, an organisation processing personal data will need to facilitate the exercise of these rights by providing a method to request enforcement of a data subject right, and processes and supporting technology to discover (identify) the personal data and to manage and respond to these requests.

The right to data portability means controllers must provide a copy of the personal data to the data subject in a commonly used, machine-readable format. The data subject also has the right to transmit that data to another controller under certain circumstances. Data subjects have the right to object to the processing of their personal data and to not be subject to a decision based solely on automated processing if the decision significantly affects the data subject.

One of the most important purposes of a data governance plan, for organisations that are subject to the GDPR, is the protection of these rights.

Data protection

Security is a critical component in data governance. Article 32 of the GDPR addresses the security of processing of personal data. It applies to both controllers and processors, and mandates that they “shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

This mandate specifically names pseudonymisation and encryption of personal data as measures that should be taken when appropriate, and on a much broader scale, further requires “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”

Recognising that regardless of the level of security, incidents may occur, the article goes on to specify that security measures should include “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”

It is not enough to have security and incident response measures in place. It is also necessary to establish a process for regularly testing and evaluating the effectiveness of those technical and organisational measures.

Reporting and documentation

Documentation is a vital aspect of data governance. Under the GDPR, records must be retained to show that:

• Data was collected lawfully
• Consent (if applicable) was freely given
• Data subject’s rights requests were appropriately managed
• Appropriate security measures were taken to protect personal data and respond to incidents
• Required notifications were made
• Data protection impact assessments (DPIAs) were carried out (when required)
• A data p

This white paper provides an overview of data governance as it pertains to the GDPR, and how Microsoft services and products can help implement a data governance programme. Data governance is a broad topic and GDPR compliance is a complicated
