The European Union's General Data Protection Regulation (GDPR) and its South African equivalent, the Protection of Personal Information Act (POPIA), are often viewed purely as data security laws.
However, both regulate personal data far more broadly, mandating a new approach to governing it that rests on principles including accountability, processing limitation, restrictions on geographic and other access, data quality and security.
So says Gary Alleman, MD of Master Data Management, who will be presenting on 'Accelerating your GDPR compliance effort through data governance' at ITWeb's GDPR Update 2018, to be held on 7 November at The Forum in Bryanston.
According to Alleman, companies that leverage data governance accelerators for GDPR will achieve compliance more quickly, at a lower cost, and will reap the benefits of a better understanding of their client data landscape.
He describes GDPR accelerators as predefined workflows, metrics and data management artefacts that deliver a framework and approach to achieve GDPR compliance faster.
"The use of personal data under GDPR is highly regulated, meaning that data management capabilities must be enhanced to ensure that companies know where personal data is stored, what it is being used for, and whether this is in compliance with agreed processing limitations. They also need to know who is accessing personal data and for what purpose, what the quality of the personal data is, and much more."
Alleman says accelerators combine technology and process to provide a foundation for quick and effective GDPR compliance.
Achieving compliance
Asked about the most effective way to achieve GDPR compliance, Alleman says any approach must be evaluated by the legal team, and legal opinions have to be accommodated.
However, he believes the bulk of the effort lies in the data management work needed to achieve compliance.
Given the complexity of most corporate environments, he recommends a 'top down' approach. Begin with a process register: which business processes use personal data, and for what purpose? Then decide who is responsible and accountable for the data used in these processes. Next, establish which systems support these business processes, and in which geographies those systems reside.
Finally, Alleman advises companies to formalise and automate the processes for managing a breach or for completing a Data Protection Impact Assessment (DPIA).
"At this stage you should have a high-level view of accountability and ownership of personal data, usage and data flows between systems," he adds.
Businesses using a data governance platform such as Collibra will also begin to get a sense of impact and areas of risk, for example by tracking data flows across borders or, in the event of a breach, by tracing which systems and data were compromised.
"Organisations should then begin to add detail, such as data attributes for high-risk processes in order to refine and enhance compliance efforts," says Alleman.
Delegates attending Alleman's talk will learn how GDPR is not just a legal or compliance problem - it's about data. "Data governance is the foundation of GDPR," he concludes.