Data Governance For GDPR Compliance: Principles, Processes And Practices


November 2017

Table of Contents

01 What is data governance?
02 GDPR data governance implications
03 Building blocks of a data governance programme
04 Data governance implementation
Summary: Meeting the data governance challenge
Appendix: Further reading and resources


Executive Summary

An effective data governance strategy forms the foundation of an organisation’s approach to protecting the privacy of personal data under the General Data Protection Regulation (GDPR), the new data privacy law by the European Union. Data is a valuable corporate resource, but under the GDPR personal data collected by an organisation that pertains to customers, potential customers, employees and others comes with significant responsibilities.

The GDPR strengthens existing rights and provides for rights for individuals who are in the EU to control the collection, storage, processing and use of their personal data. Although the text of the regulation doesn’t use the word governance, it lays out specific requirements for organisations that control and process such data, which fall under the umbrella of data governance.

A data governance plan, supported by effective technology, is a driving force to help document the basis for lawful processing, and define policies, roles and responsibilities for the access, management, security and use of personal data. Today’s organisations are data-centric; they accumulate enormous amounts of information in many different formats. Software applications, systems, and databases like customer relationship management and enterprise resource planning systems contain personal information about customers, potential customers, employees, members and other individuals.

This paper addresses data governance from concept to implementation.

01 What is data governance?

Data governance refers to an overarching strategy that encompasses the policies, processes (including technologies) and people involved in managing and protecting data. Data governance drives risk assessment, which drives the compliance effort, which in turn develops the governance programme. The three – governance, risk assessment and compliance – must work hand-in-hand for effective management and protection of data.

Data governance is a means of creating policies related to data, including how and where it is stored and sent, who has access to it and to what level, and what actions can be performed on the data, by whom, when, using what methods and under what circumstances.

An effective data governance programme must be both proactive and reactive. It is designed to protect the data and prevent any unauthorised access or exposure, but also contains a response plan that can be put in place quickly if an incident occurs.

Note: “Data governance” and “data management” are sometimes used interchangeably and the two overlap in many areas. However, governance is only one of multiple elements in a data management model.[1]

[1] Data Management Association International, Data Management Body of Knowledge

Why data governance matters

The amount of data that organisations collect and process is exploding. IDC Research predicted that the volume of digital data will expand at a compound annual growth rate of 42% over the decade of 2010 to 2020.[2] This growth is being driven by an ever increasing number of sources, and the data being generated now is more complex than ever. As the amount of data in your organisation increases, so do the demands on your organisation to be compliant with legal and regulatory requirements to quickly find, keep and protect data. Spending days to find the specific protected data is not only expensive, it’s not an option.

As your business grows, staying compliant in a sea of evolving global regulations adds new layers of complexity. Policy makers are rapidly adopting new international standards, and security and privacy concerns dominate in an ever-changing global business and social landscape. This is a challenge for any organisation, large, medium or small. Microsoft products and services can help you to address these challenges.

[2] EE Times, Digital Data Storage is Undergoing Mind-Boggling Growth

How data governance facilitates compliance efforts

A data governance programme applies to many different types of data. Data can be classified in many different ways. Effective data governance involves classifying data according to security requirements. The data that is collected, used and stored by most organisations can be divided into a number of different categories based on the required security level.

The GDPR focuses on personal data. It also addresses special categories of personal data, also referred to as sensitive data. This is personal data that contains information about the data subject’s racial or ethnic origins, political opinions, religious or philosophical beliefs, physical or mental health, sex life, genetic and biometric data or membership in a trade union. It also includes information regarding criminal history and criminal court proceedings against a data subject. Additional specific conditions must be met for the processing of these special categories of personal data.

Personal data is protected by the GDPR. Its disclosure could subject the data subject to substantial risk of loss of privacy as well as criminal victimisation (e.g. identity theft). All personal data should be protected by the highest levels of security.

An important goal of a data governance programme is to protect the needs of data stakeholders – individuals or groups who could affect or be affected by the data. These include those who create data, those who use data and those who set rules and requirements for data. The focus in this paper is on protecting the privacy, confidentiality and integrity of the personal data of EU citizens to help comply with the GDPR.

Steps to establish a data governance programme

Processes and technologies can differ from one organisation to another, as do implementation details, but the basic steps to establish a data governance programme are the same:

• Plan: Identify your requirements based on regulatory and legal mandates, business best practices and organisational policies.
• Decide: Establish rules to help meet those requirements.
• Assign: Determine who will develop, implement and manage the data governance programme, and the roles, responsibilities and scope of authority of each and the permissions required for each role to carry out its responsibilities.
• Implement: Put in place policies, procedures and processes (automated and/or manual) to enforce the rules.
• Monitor: Track the status of rule enforcement on an ongoing basis.
• Assess: Evaluate the success of your data governance programme and make changes when necessary to increase its effectiveness.

All organisations that deal with important data of any kind need a data governance plan, but in the context of GDPR compliance, there are some very specific requirements that fall under data governance. We will address those specifics in Part Two.

The assignment of roles is one of the most important elements of data governance; as with any task, choosing the right person for the job can make the difference between success and failure. We will discuss the roles and responsibilities associated with data governance in Part Three.

Each of the steps can include multiple parts. For example, implementation will involve research to determine the appropriate technologies for rule enforcement, then testing of those products and services to ensure that they are adequate, and then integration into your organisation’s environment. We will discuss those sub-steps in more detail in Part Four.

Make data governance easier

Organisations today perform the steps discussed above manually, but the future of data governance will take the burden off of individuals in the organisation and leverage machine learning to automate many of the processes and bring the information overload under control.

An intelligent, secure, enterprise-grade cloud that can be trusted lightens the overhead for administrators and users alike and allows you to focus more on your business and less on the details of compliance.

Microsoft cloud services empower you to find relevant information quickly and make informed decisions through automation. By leveraging these data insights, organisations can stay compliant and reduce risk. You keep what’s important and leave behind what’s redundant, obsolete or trivial automatically, so that the high-value content that is important to your business is efficiently protected for as long as you need it to be.

Shared responsibility for data governance in the cloud

Cloud computing can make data governance easier by giving organisations one centralised location for storing their data instead of having it spread across many different storage media. In addition, top cloud providers have the resources and expertise to apply the strongest available security measures. Microsoft implements advanced data protection and security features in its cloud services to safeguard data and privacy.

Storing and processing data in the cloud also creates a model of shared responsibility[3] for security and compliance in general and for data governance in particular. Cloud providers must implement and be accountable for measures to control physical access to data that is stored in and moves to and from their data centres, access to subscriptions, and physical resource management and tracking. The division of responsibilities differs depending on the cloud model (IaaS, PaaS or SaaS).

[3] Shared Responsibilities for Cloud Computing

Microsoft applies best practices to the operation of its cloud services and provides customers with options and tools for securing the virtual machines, applications and data that they run and store in the cloud. Because documentation is an important element in compliance, Microsoft provides customers with information regarding how their data is handled and protected in the cloud, as well as tools for applying additional security measures, such as enabling encryption in those cases where it isn’t applied by default.

Guiding principles for data governance

There is more to data governance than processes and practices. It’s important to keep in mind the guiding principles on which data governance is founded.[4] These include:

• Stewardship
• Standardisation
• Change management

[4] The Data Governance Institute, Goals and Principles for Data Governance

Data management policies and standards should be based on these principles, and are impacted by a multiplicity of factors, such as business goals and strategies, IT objectives and strategies, data types and uses and, last but not least, regulatory requirements.

The remainder of this paper will focus on data governance as it applies to GDPR requirements.

02 GDPR data governance implications

The term “data governance” doesn’t appear anywhere in the text of the GDPR articles, yet data governance best practices are at the heart of its mandate to protect the privacy of personal data. An effective, well-documented data governance strategy helps organisations to achieve and maintain GDPR compliance by establishing clear policies, procedures and processes for managing and securing data, including personal data.

The GDPR was adopted in April 2016 with a two-year grace period; enforcement begins in May 2018. It supersedes EU Directive 95/46/EC, commonly referred to as the Data Protection Directive. As a regulation, rather than a directive, it is a binding legislative act[5] that applies across the EU. In contrast, a directive only sets out goals; it is up to the individual countries to define their own laws to achieve those goals, resulting in variable regulatory requirements from country to country.

The GDPR updates, clarifies and expands upon the concepts that were addressed in the directive. In Article 3, the GDPR expands the territorial scope of the law to apply to the processing of personal data by organisations established in the EU regardless of whether it takes place within the EU. It also applies to controllers and processors without a presence in the EU who offer goods and services to individuals in the EU or monitor their behaviour (such as tracking individuals online to create profiles via website cookies).

Data governance, as it pertains to the GDPR, is a means of protecting the privacy of personal data. At the same time the GDPR expands the territorial scope, it also expands the definition of what is considered “personal data” under the regulation. The new definition includes any data that can be used to directly or indirectly identify a person (data subject).

[5] European Union Regulations, Directives and other acts

A “data subject” is an identified or identifiable natural person. A natural person is generally defined as an individual human being; this does not include a corporation or other legal entity that may be considered a “person”[6] for legal purposes. “Any data” in the context of this definition refers to (but is not limited to) information such as names, addresses, email addresses, IP addresses, identification numbers, biometric identifiers (fingerprints, iris patterns, DNA), physical or physiological attributes, occupation, location, medical/health information or even website cookies.

GDPR Recital 30 addresses online identifiers that include “devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.” When these leave traces that can be combined with other unique identifiers to create profiles of natural persons and identify them, they may fall under the definition of personal data.

[6] Merriam-Webster Law Dictionary

GDPR principles for processing

In Article 5, the GDPR lays out basic principles for the processing of personal data, and subsequent articles prescribe specific requirements in keeping with those principles. The principles are aimed at ensuring that personal data is collected lawfully, is accurate, is properly secured and is limited in purpose, use and duration of storage.

The GDPR principles align closely with the more generally accepted guiding principles for data governance that were discussed in Part One of this paper.

GDPR requirements and data governance

The GDPR requirements lay out specific instructions regarding how personal data is to be collected, processed, used and stored in keeping with the principles discussed above. These requirements can be divided into four broad categories that also form the basis for an effective data governance plan:

• Data discovery (identification and classification of personal data)
• Data management (including response to the requests of data subjects)
• Data protection (all aspects of securing personal data)
• Reporting (documentation of activities and conditions pertaining to personal data)

Data discovery and management

The ability to quickly find data and manage it effectively and efficiently are cornerstones of data governance. Chapter 3 (Articles 12-23) of the GDPR addresses the rights of data subjects. These rights include a data subject’s right to access their personal data and details regarding associated processing activities, as well as a means to submit requests for data rectification, erasure and the export of that personal data.

Having informed the data subject of their rights at collection, an organisation processing personal data will need to facilitate the exercise of these rights by providing a method to request enforcement of a data subject right, and processes and supporting technology to discover (identify) the personal data and to manage and respond to these requests.

The right to data portability means controllers must provide a copy of the personal data to the data subject in a commonly used, machine-readable format. The data subject also has the right to transmit that data to another controller under certain circumstances. Data subjects have the right to object to the processing of their personal data and to not be subject to a decision based solely on automated processing if the decision significantly affects the data subject.

One of the most important purposes of a data governance plan, for organisations that are subject to the GDPR, is the protection of these rights.

Data protection

Security is a critical component in data governance. Article 32 of the GDPR addresses the security of processing of personal data. It applies to both controllers and processors, and mandates that they “shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

This mandate specifically names pseudonymisation and encryption of personal data as measures that should be taken when appropriate, and on a much broader scale, further requires “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”

Recognising that regardless of the level of security, incidents may occur, the article goes on to specify that security measures should include “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”

It is not enough to have security and incident response measures in place. It is also necessary to establish a process for regularly testing and evaluating the effectiveness of those technical and organisational measures.

Reporting and documentation

Documentation is a vital aspect of data governance. Under the GDPR, records must be retained to show that:

• Data was collected lawfully
• Consent (if applicable) was freely given
• Data subjects’ rights requests were appropriately managed
• Appropriate security measures were taken to protect personal data and respond to incidents
• Required notifications were made
• Data protection impact assessments (DPIAs) were carried out (when required)
• A data protection officer (DPO) was designated (when required)

Microsoft products and services that can help customers demonstrate compliance with these requirements will be discussed in more detail in Part Five.

Defining roles and responsibilities under the GDPR

At the highest level, the GDPR recognises two important roles that are assumed by organisations that deal with the personal data that falls under its regulations: controllers and processors. The GDPR differentiates between the two and assigns different responsibilities to each. Chapter 1, Article 4 provides precise definitions:

Controller: the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

The controller controls the processing of the personal data, whereas the processor performs the processing on the controller’s behalf. The same organisation can act as both controller and processor, or the two roles can belong to two separate organisations. In most cloud services relationships, the customer is the controller and the cloud services provider is the processor that carries out the processing on behalf of the customer.

The Data Protection Directive did not impose specific and direct legal obligations on processors. The GDPR changes that and expands the scope of the requirements to include processors along with controllers.

Chapter 4 (Articles 24-43) lays out the responsibilities of controllers and processors in complying with the regulation, including security of processing and records of processing activities. Security measures implement and enforce the principles and policies of data governance, and tracking and recording document adherence to the data governance plan.

Controllers are specifically required to demonstrate compliance with the seven principles that are listed in Article 5 and discussed in the previous section. Controllers must also implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this regulation. Those measures shall be reviewed and updated where necessary.

The GDPR prohibits organisations from using third-party data processors unless those processors guarantee by contract their ability to implement the technical and organisational requirements of the GDPR. As a processor, Microsoft has extensive expertise in protecting data, championing privacy and complying with complex regulations, and is committed to GDPR compliance. Microsoft makes available the contractual guarantees[7] required of processors by the GDPR, including assisting its customers in responding to data subject requests to correct, amend or delete personal data, detecting and reporting personal data breaches, and helping its customers demonstrate compliance with the GDPR.

In devising a data governance plan, both controllers and processors should establish policies and assign responsibilities within their organisations for access, management and use of personal data.

[7] Earning your trust with contractual commitments to the General Data Protection Regulation

Assigning roles and responsibilities within the organisation

A successful data governance model in an enterprise environment requires the co-operation of many people working together across many business units and at many levels, from the senior leadership team down to the IT implementers and the users who create and access the data. Depending on the organisation and its size and structure, data governance roles and responsibilities will involve some or all of the following levels:

• Executive (typically C-level managers)
• Strategic (Data Governance Council)
• Tactical (Data Domain Stewards, Data Steward Co-ordinators)
• Operational (Operational Data Stewards; includes Data Users)
• Support (Data Governance Partners; includes IT, Information Security, Risk Management and Compliance)

The list above is based on the Data Governance Roles and Responsibilities Pyramid.[8] In smaller organisations, roles may need to be combined, with one person or a group assuming multiple roles.

Executives at the top level of the organisation have ultimate decision-making authority over the data governance programme and appointment of the Data Governance Council members.

A Data Governance Council reports to the executive level and is responsible for co-ordinating and communicating data governance activities across organisational divisions.

IT and Security roles include data classification, technical handling of data, securing the infrastructure and ensuring that projects follow data governance best practices.

Data Stewards include data custodians and data subject matter experts (SMEs). They are responsible for management of data and for documenting rules for data and communicating those rules to data stakeholders.

Additional roles, depending on the organisation, may include data architects (who design the structure and organisation of data) and data analysts (who research and analyse problems with the data and data ibilities

Data governance programmes for small businesses will necessarily be structured differently. The internal organisation is different from that of an enterprise and budgets may be tighter, meaning that there is less funding for formalising a data governance programme. Nonetheless, data governance is important regardless of business size.

Cloud services can help enable small businesses to implement better data governance at a lower cost, thanks to the shared responsibility model and the economies of scale that allow cloud providers such as Microsoft to offer management and security measures that would be too costly for small organisations to deploy on their own.

Assigning roles at the technological level

From the IT implementation perspective, the roles of users and groups of users can be leveraged as a means of controlling access to data and other network resources. Role-based access control (RBAC) regulates the ability of users in different roles to perform specific tasks. Roles are based on job description, responsibilities and level of authority. Permissions are assigned to each role on a need-to-know or “principle of least privilege” basis.

The GDPR, in Article 25(2), imposes upon controllers the obligation to “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” It goes on to say that, “In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

Microsoft products and services provide the means to technologically enable data governance by defining user roles for access, management and use of personal data, and to apply and enforce policies based on roles. This will be discussed in more detail in Part Five.
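As an added illustration of the RBAC and Article 25(2) passage above (not code from this whitepaper or from any Microsoft product), the following Python models purpose-bound, default-deny release of personal data fields and records each decision for later reporting; the role names, purposes, field names and sample record are constructed for the example.

```python
"""Purpose-bound, default-deny release of personal data fields.

Added example for the RBAC / Article 25(2) discussion. Not code from the
whitepaper or any Microsoft product; roles, purposes, field names and the
sample record are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> purpose -> fields that are necessary for that purpose.
# Any field not listed for a (role, purpose) pair is withheld: access to
# personal data is denied by default rather than granted and then trimmed.
POLICY = {
    "support_agent": {"handle_ticket": {"name", "email", "account_id"}},
    "hr_benefits": {"administer_benefits": {"name", "employee_id", "health_status"}},
    "analyst": {"usage_report": {"account_id"}},  # pseudonymous key only
}

# Constructed sample record; a real system would read it from a CRM/HR store.
SAMPLE_RECORD = {
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "account_id": "acct-0001",
    "employee_id": "emp-42",
    "health_status": "on extended sick leave",   # special-category data
    "home_address": "1 Sample Street",
}

# Record of processing decisions, kept for the documentation duties the
# "Reporting and documentation" section describes.
AUDIT_LOG = []


@dataclass
class Decision:
    allowed: bool
    reason: str
    released: dict = field(default_factory=dict)
    withheld: frozenset = frozenset()


def authorise(actor: str, role: str, purpose: str, record: dict) -> Decision:
    """Return only the fields of `record` that `role` needs for `purpose`.

    Mirrors Article 25(2): nothing is released without an identified actor
    (no access for an "indefinite number of natural persons"), an unknown
    role or an ungranted purpose is denied, and a granted request receives
    the necessary fields only, with everything else withheld.
    """
    if not actor:
        decision = Decision(False, "no identified actor")
    elif purpose not in POLICY.get(role, {}):
        decision = Decision(False, f"role {role!r} has no grant for {purpose!r}")
    else:
        necessary = POLICY[role][purpose]
        released = {k: v for k, v in record.items() if k in necessary}
        decision = Decision(True, "purpose-bound release",
                            released, frozenset(record) - necessary)
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "role": role, "purpose": purpose,
        "allowed": decision.allowed, "fields": sorted(decision.released),
    })
    return decision


def count_grants_to(field_name: str) -> int:
    """Number of (role, purpose) pairs able to see `field_name`; a quick
    least-privilege review, e.g. for special-category fields."""
    return sum(1 for purposes in POLICY.values()
               for fields in purposes.values() if field_name in fields)


if __name__ == "__main__":
    ok = authorise("alice", "support_agent", "handle_ticket", SAMPLE_RECORD)
    print(ok.allowed, sorted(ok.released), sorted(ok.withheld))
    denied = authorise("bob", "analyst", "handle_ticket", SAMPLE_RECORD)
    print(denied.allowed, denied.reason)
    print("grants to health_status:", count_grants_to("health_status"))
```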

03 Building blocks of a data governance programme

Building a data governance programme is based on a three-pronged approach; it involves policy, processes and people. The effectiveness of the data governance programme is dependent on the planning and thought that goes into the policies and processes, and the selection, education and motivation of the people who are involved.

Policy prioritises the quality, integrity and trustworthiness of data, and the confidentiality and privacy of personal data, as a business objective.

Processes ensure the enforcement of policies through standardised automated or manual procedures. This includes both the operations performed to accomplish a task (such as correcting an error in personal data in response to a data subject’s request) and the technologies that are used to carry out the operations.

People, consisting of organisational leadership, IT and security implementers, data stakeholders and stewards (all of the data governance roles within an organisation that we discussed above), are the drivers of both policy and processes and the technologies used to implement them.

For policies and processes to work, people must be engaged. Users disregard or actively circumvent policies that are difficult to understand or seem unreasonable, and resist using processes that are time-consuming, have a steep learning curve or drastically change the way they work. Smooth adoption by the people who work with the data requires policies that make sense and have a clear benefit, and processes that are user-friendly.

Data governance policy and processes should address the following broad areas:

• Data acquisition
• Data discovery (identification and classification)
• Data ownership and accountability
• Data management (including management of metadata)
• Data access and usage
• Data protection (through file level, disk/vo
