Data Governance For GDPR Compliance: Principles, Processes, And Practices

Transcription

Data Governance for GDPR Compliance: Principles, Processes, and Practices
November 2017

Table of contents

01 What is data governance
02 GDPR data governance implications
03 Building blocks of a data governance program
04 Data governance implementation
Summary: Meeting the data governance challenge
Appendix: Further reading and resources

“A data governance plan, supported by effective technology, is a driving force to help document the basis for lawful processing.”

Executive Summary

An effective data governance strategy forms the foundation of an organization’s approach to protecting the privacy of personal data under the General Data Protection Regulation (GDPR), the European Union’s new data privacy law. Data is a valuable corporate resource, but under the GDPR the personal data an organization collects about customers, potential customers, employees, and others comes with significant responsibilities.

The GDPR strengthens existing rights and provides rights for individuals who are in the EU to control the collection, storage, processing, and use of their personal data. Although the text of the regulation doesn’t use the word governance, it lays out specific requirements for organizations that control and process such data, and those requirements fall under the umbrella of data governance.

A data governance plan, supported by effective technology, is a driving force to help document the basis for lawful processing, and to define policies, roles, and responsibilities for the access, management, security, and use of personal data. Today’s organizations are data-centric; they accumulate enormous amounts of information in many different formats. Software applications, systems, and databases like customer relationship management and enterprise resource planning systems contain personal information about customers, potential customers, employees, members, and other individuals.

This paper addresses data governance from concept to implementation.

01 What is data governance?

Data governance refers to an overarching strategy that encompasses the policies, processes (including technologies), and people involved in managing and protecting data. Data governance drives risk assessment, which drives the compliance effort, which in turn develops the governance program. The three (governance, risk assessment, and compliance) must work hand in hand for effective management and protection of data.

Data governance is a means of creating policies related to data, including how and where it is stored and sent, who has access to it and at what level, and what actions can be performed on the data, by whom, when, using what methods, and under what circumstances.

An effective data governance program must be both proactive and reactive. It is designed to protect the data and prevent any unauthorized access or exposure, but it also contains a response plan that can be put in place quickly if an incident occurs.

Note: “Data governance” and “data management” are sometimes used interchangeably, and the two overlap in many areas. However, governance is only one of multiple elements in a data management model.[1]

[1] Data Management Association International. Data Management Body of Knowledge

Why data governance matters

The amount of data that organizations collect and process is exploding. IDC Research predicted that the volume of digital data will expand at a compound annual growth rate of 42 percent over the decade of 2010 to 2020.[2] This growth is being driven by an ever increasing number of sources, and the data being generated now is more complex than ever. As the amount of data in your organization increases, so do the demands on your organization to be compliant with legal and regulatory requirements to quickly find, keep, and protect data. Spending days to find the specific protected data is not only expensive, it’s not an option.

[Callout: 42% growth in digital data from 2010 to 2020]

As your business grows, staying compliant in a sea of evolving global regulations adds new layers of complexity. Policy makers are rapidly adopting new international standards, and security and privacy concerns dominate in an ever-changing global business and social landscape. This is a challenge for any organization, large, medium, or small. Microsoft products and services can help you to address these challenges.

[2] EETimes. Digital Data Storage is Undergoing Mind-Boggling Growth

How data governance facilitates compliance efforts

A data governance program applies to many different types of data. Data can be classified in many different ways. Effective data governance involves classifying data according to security requirements. The data that is collected, used, and stored by most organizations can be divided into a number of different categories based on the required security level.

The GDPR focuses on personal data. It also addresses special categories of personal data, also referred to as sensitive data. This is personal data that contains information about the data subject’s racial or ethnic origins, political opinions, religious or philosophical beliefs, physical or mental health, sex life, genetic and biometric data, or membership in a trade union. It also includes information regarding criminal history and criminal court proceedings against a data subject. Additional specific conditions must be met for the processing of these special categories of personal data.

Personal data is protected by the GDPR. Its disclosure could subject the data subject to substantial risk of loss of privacy as well as criminal victimization (e.g., identity theft). All personal data should be protected by the highest levels of security.

An important goal of a data governance program is to protect the needs of data stakeholders (individuals or groups who could affect or be affected by the data). These include those who create data, those who use data, and those who set rules and requirements for data. The focus in this paper is on protecting the privacy, confidentiality, and integrity of the personal data of EU citizens to help comply with the GDPR.

Steps to establish a data governance program

Processes and technologies can differ from one organization to another, as do implementation details, but the basic steps to establish a data governance program are the same:

- Plan: Identify your requirements based on regulatory and legal mandates, business best practices, and organizational policies.
- Decide: Establish rules to help meet those requirements.
- Assign: Determine who will develop, implement, and manage the data governance program and the roles, responsibilities, and scope of authority of each, and the permissions required for each role to carry out its responsibilities.
- Implement: Put in place policies, procedures, and processes (automated and/or manual) to enforce the rules.
- Monitor: Track the status of rule enforcement on an ongoing basis.
- Assess: Evaluate the success of your data governance program and make changes when necessary to increase its effectiveness.

All organizations that deal with important data of any kind need a data governance plan, but in the context of GDPR compliance, there are some very specific requirements that fall under data governance. We will address those specifics in Part Two.

The assignment of roles is one of the most important elements of data governance; as with any task, choosing the right person for the job can make the difference between success and failure. We will discuss the roles and responsibilities associated with data governance in Part Three.

Each of the steps can include multiple parts. For example, implementation will involve research to determine the appropriate technologies for rule enforcement, then testing of those products and services to ensure that they are adequate, and then integration into your organization’s environment. We will discuss those sub-steps in more detail in Part Four.

Make data governance easier

Organizations today perform the steps discussed above manually, but the future of data governance will take the burden off of individuals in the organization and leverage machine learning to automate many of the processes and bring the information overload under control.

An intelligent, secure, enterprise-grade cloud that can be trusted lightens the overhead for administrators and users alike and allows you to focus more on your business and less on the details of compliance.

Microsoft cloud services empower you to find relevant information quickly and make informed decisions through automation. By leveraging these data insights, organizations can stay compliant and reduce risk. You keep what’s important, and leave behind what’s redundant, obsolete, or trivial automatically, so that the high-value content that is important to your business is efficiently protected for as long as you need it to be.

Shared responsibility for data governance in the cloud

Cloud computing can make data governance easier by giving organizations one centralized location for storing their data instead of having it spread across many different storage media. In addition, top cloud providers have the resources and expertise to apply the strongest available security measures. Microsoft implements advanced data protection and security features in its cloud services to safeguard data and privacy.

Storing and processing data in the cloud also creates a model of shared responsibility[3] for security and compliance in general and for data governance in particular. Cloud providers must implement and be accountable for measures to control physical access to data that is stored in and moves to and from their data centers, access to subscriptions, and physical resource management and tracking. The division of responsibilities differs depending on the cloud model (IaaS, PaaS, or SaaS).

[3] Shared Responsibilities for Cloud Computing

Microsoft applies best practices to the operation of its cloud services and provides customers with options and tools for securing the virtual machines, applications, and data that they run and store in the cloud. Because documentation is an important element in compliance, Microsoft provides customers with information regarding how their data is handled and protected in the cloud, as well as tools for applying additional security measures, such as enabling encryption in those cases where it isn’t applied by default.

Guiding principles for data governance

There is more to data governance than processes and practices. It’s important to keep in mind the guiding principles on which data governance is founded.[4] These include:

- Stewardship
- Standardization
- Change management

[4] The Data Governance Institute. Goals and Principles for Data Governance

Data management policies and standards should be based on these principles, and they are affected by a multiplicity of factors, such as business goals and strategies, IT objectives and strategies, data types and uses, and last but not least, regulatory requirements.

The remainder of this paper will focus on data governance as it applies to GDPR requirements.

02 GDPR data governance implications

The term “data governance” doesn’t appear anywhere in the text of the GDPR articles, yet data governance best practices are at the heart of its mandate to protect the privacy of personal data. An effective, well-documented data governance strategy helps organizations achieve and maintain GDPR compliance by establishing clear policies, procedures, and processes for managing and securing data, including personal data.

The GDPR was adopted in April 2016 with a two-year grace period; enforcement begins in May 2018. It supersedes EU Directive 95/46/EC, commonly referred to as the Data Protection Directive. As a regulation, rather than a directive, it is a binding legislative act[5] that applies across the EU. In contrast, a directive only sets out goals; it is up to the individual countries to define their own laws to achieve those goals, resulting in variable regulatory requirements from country to country.

The GDPR updates, clarifies, and expands upon the concepts that were addressed in the directive. In Article 3, the GDPR expands the territorial scope of the law to apply to the processing of personal data by organizations established in the EU regardless of whether the processing takes place within the EU. It also applies to controllers and processors without a presence in the EU who offer goods and services to individuals in the EU or monitor their behavior (such as tracking individuals online to create profiles via website cookies).

Data governance, as it pertains to the GDPR, is a means of protecting the privacy of personal data. At the same time the GDPR expands the territorial scope, it also expands the definition of what is considered “personal data” under the regulation. The new definition includes any data that can be used to directly or indirectly identify a person (data subject).

[5] European Union Regulations, Directives and other acts

A “data subject” is an identified or identifiable natural person. A natural person is generally defined as an individual human being; this does not include a corporation or other legal entity that may be considered a “person”[6] for legal purposes. “Any data” in the context of this definition refers to (but is not limited to) information such as names, addresses, email addresses, IP addresses, identification numbers, biometric identifiers (fingerprints, iris patterns, DNA), physical or physiological attributes, occupation, location, medical/health information, or even website cookies.

GDPR Recital 30 addresses online identifiers that include “devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers, or other identifiers such as radio frequency identification tags.” When these leave traces that can be combined with other unique identifiers to create profiles of natural persons and identify them, they may fall under the definition of personal data.

[6] Merriam-Webster Law Dictionary

GDPR principles for processing

In Article 5, the GDPR lays out basic principles for the processing of personal data, and subsequent articles prescribe specific requirements in keeping with those principles. The principles are aimed at ensuring that personal data is collected lawfully, is accurate, is properly secured, and is limited in purpose, use, and duration of storage.

The GDPR principles align closely with the more generally accepted guiding principles for data governance that were discussed in Part One of this paper.

GDPR requirements and data governance

The GDPR requirements lay out specific instructions regarding how personal data is to be collected, processed, used, and stored in keeping with the principles discussed above. These requirements can be divided into four broad categories that also form the basis for an effective data governance plan:

- Data discovery (identification and classification of personal data)
- Data management (including response to the requests of data subjects)
- Data protection (all aspects of securing personal data)
- Reporting (documentation of activities and conditions pertaining to personal data)

Data discovery and management

The ability to quickly find data and the ability to manage it effectively and efficiently are cornerstones of data governance. Chapter 3 (Articles 12-23) of the GDPR addresses the rights of data subjects. These rights include a data subject’s right to access their personal data and details regarding associated processing activities, as well as a means to submit requests for data rectification, erasure, and the export of that personal data.

Having informed the data subject of their rights at collection, an organization processing personal data will need to facilitate the exercise of these rights by providing a method to request enforcement of a data subject right, and processes and supporting technology to discover (identify) the personal data, and to manage and respond to these requests.

The right to data portability means controllers must provide a copy of the personal data to the data subject in a commonly used, machine-readable format. The data subject also has the right to transmit that data to another controller under certain circumstances. Data subjects have the right to object to the processing of their personal data, and to not be subject to a decision based solely on automated processing if the decision significantly affects the data subject.

One of the most important purposes of a data governance plan, for organizations that are subject to the GDPR, is the protection of these rights.

Data protection

Security is a critical component in data governance. Article 32 of the GDPR addresses the security of processing of personal data. It applies to both controllers and processors, and mandates that they “shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”

This mandate specifically names pseudonymisation and encryption of personal data as measures that should be taken when appropriate, and on a much broader scale, further requires “the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”

Recognizing that regardless of the level of security, incidents may occur, the article goes on to specify that security measures should include “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”

It is not enough to have security and incident response measures in place. It is also necessary to establish a process for regularly testing and evaluating the effectiveness of those technical and organizational measures.
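The following is an added example, not code from the original paper, showing what the pseudonymisation measure named in Article 32 looks like in practice and how an erasure request from the previous section can still be serviced on the pseudonymised copy. The records, field names and key handling are constructed for this example; the pseudonymisation function is a keyed hash (HMAC-SHA256) whose key is held apart from the data.

```python
"""Pseudonymisation of a customer record set with a separately held key, and
servicing a data subject's erasure request on the pseudonymised store.
Example code, not from the original paper; records and key handling are
constructed for this illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample records: direct identifiers plus attributes that an
# analytics team needs without needing to know who the individuals are.
CUSTOMERS: List[Dict[str, str]] = [
    {"email": "anna@example.com", "name": "Anna Example", "country": "DE", "plan": "pro"},
    {"email": "bo@example.com", "name": "Bo Example", "country": "FR", "plan": "free"},
    {"email": "Anna@Example.com", "name": "Anna Example", "country": "DE", "plan": "pro"},
]

# Fields that identify the person directly and must not reach the analytics copy.
DIRECT_IDENTIFIERS = frozenset({"email", "name"})


def new_key() -> bytes:
    """Fresh 32-byte secret. This key is the 'additional information' that the
    GDPR (Article 4(5)) requires to be kept separately from the pseudonymised
    data, for example in a key vault only the controller can reach."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised direct identifier. Without the
    key a pseudonym can be neither reversed nor recomputed, unlike a plain
    SHA-256 of an e-mail address, which anyone holding a mailing list could
    match by hashing each address."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise(key: bytes, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Replace the direct identifiers of every record with one stable
    'subject_id' so that rows of the same person still link together."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject_id": pseudonym(key, rec["email"]), **kept})
    return out


def erase_subject(key: bytes, email: str, store: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Service an erasure request against the pseudonymised store. Only the key
    holder can recompute the subject's pseudonym and therefore find the rows;
    a team holding only the store cannot."""
    target = pseudonym(key, email)
    return [row for row in store if row["subject_id"] != target]


if __name__ == "__main__":
    key = new_key()
    store = pseudonymise(key, CUSTOMERS)
    print(store)
    print(erase_subject(key, "anna@example.com", store))
```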

Reporting and documentation

Documentation is a vital aspect of data governance. Under the GDPR, records must be retained to show that:

- Data was collected lawfully
- Consent (if applicable) was freely given
- Data subjects’ rights requests were appropriately managed
- Appropriate security measures were taken to protect personal data and respond to incidents
- Required notifications were made
- Data protection impact assessments (DPIAs) were carried out (when required)
- A data protection officer (DPO) was designated (when required)

Microsoft products and services that can help customers demonstrate compliance with these requirements will be discussed in more detail in Part Five.

Defining roles and responsibilities under the GDPR

[Figure: Discover, Manage, Protect, Report]

At the highest level, the GDPR recognizes two important roles that are assumed by organizations that deal with the personal data that falls under its regulations: controllers and processors. The GDPR differentiates between the two and assigns different responsibilities to each. Chapter 1, Article 4 provides precise definitions:

Controller: the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

The controller controls the processing of the personal data, whereas the processor performs the processing on the controller’s behalf. The same organization can act as both controller and processor, or the two roles can belong to two separate organizations. In most cloud services relationships, the customer is the controller and the cloud services provider is the processor that carries out the processing on behalf of the customer.

The Data Protection Directive did not impose specific and direct legal obligations on processors. The GDPR changes that and expands the scope of the requirements to include processors along with controllers.

Chapter 4 (Articles 24-43) lays out the responsibilities of controllers and processors in complying with the regulation, including security of processing and records of processing activities. Security measures implement and enforce the principles and policies of data governance, and tracking and recording document adherence to the data governance plan.

Controllers are specifically required to demonstrate compliance with the seven principles that are listed in Article 5 and discussed in the previous section. Controllers also must implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this regulation. Those measures shall be reviewed and updated where necessary.

The GDPR prohibits organizations from using third-party data processors unless those processors guarantee by contract their ability to implement the technical and organizational requirements of the GDPR. As a processor, Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and is committed to GDPR compliance. Microsoft makes available the contractual guarantees[7] required of processors by the GDPR, including assisting its customers in responding to data subject requests to correct, amend, or delete personal data, detecting and reporting personal data breaches, and helping its customers demonstrate compliance with the GDPR.

In devising a data governance plan, both controllers and processors should establish policies and assign responsibilities within their organizations for access, management, and use of personal data.

[7] Earning your trust with contractual commitments to the General Data Protection Regulation

Assigning roles and responsibilities within the organization

A successful data governance model in an enterprise environment requires the cooperation of many people working together across many business units and at many levels, from the senior leadership team down to the IT implementers and the users who create and access the data. Depending on the organization and its size and structure, data governance roles and responsibilities will involve some or all of the following levels:

- Executive (typically C-level managers)
- Strategic (Data Governance Council)
- Tactical (Data Domain Stewards, Data Steward Coordinators)
- Operational (Operational Data Stewards; includes Data Users)
- Support (Data Governance Partners; includes IT, Information Security, Risk Management, and Compliance)

The list above is based on the Data Governance Roles and Responsibilities Pyramid.[8] In smaller organizations, roles may need to be combined, with one person or a group assuming multiple roles.

Executives at the top level of the organization have ultimate decision-making authority over the data governance program and appointment of the Data Governance Council members.

A Data Governance Council reports to the executive level and is responsible for coordinating and communicating data governance activities across organizational divisions.

IT and Security roles include data classification, technical handling of data, securing the infrastructure, and ensuring that projects follow data governance best practices.

Data Stewards include data custodians and data subject matter experts (SMEs). They are responsible for management of data and for documenting rules for data and communicating those rules to data stakeholders.

Additional roles, depending on the organization, may include data architects (who design the structure and organization of data) and data analysts (who research and analyze problems with the data and data ibilities

Data governance programs for small businesses will necessarily be structured differently. The internal organization is different from that of an enterprise, and budgets may be tighter so that there is less funding for formalizing a data governance program. Nonetheless, data governance is important regardless of business size.

Cloud services can help to enable small businesses to implement better data governance at lower cost, thanks to the shared responsibility model and the economies of scale that allow cloud providers such as Microsoft to offer management and security measures that would be too costly for small organizations to deploy on their own.

Assigning roles at the technological level

From the IT implementation perspective, the roles of users and groups of users can be leveraged as a means of controlling access to data and other network resources. Role-based access control (RBAC) regulates the ability of users in different roles to perform specific tasks. Roles are based on job description, responsibilities, and level of authority. Permissions are assigned to each role on a need-to-know or “principle of least privilege” basis.

The GDPR, in Article 25(2), imposes upon controllers the obligation to “implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” It goes on to say that “In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

Microsoft products and services provide the means to technologically enable data governance by defining user roles for access, management, and use of personal data, and to apply and enforce policies based on roles. This will be discussed in more detail in Part Five.
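As an added example (not code from the original paper or any Microsoft product), the policy below expresses the RBAC and Article 25(2) “by default” requirement above, together with the special-category classification from Part One, as data: each (role, purpose) pair lists the only fields that purpose needs, anything unlisted is denied, and special-category fields are stripped for roles not cleared for them even if a policy entry mistakenly names one. The roles, purposes, field names and policy entries are constructed for this illustration.

```python
"""Purpose-bound, role-based access to personal data with default deny.
Example code, not from the original paper; roles, purposes, fields and policy
entries are constructed for this illustration."""
from typing import Dict, FrozenSet, Tuple

# Classification of each field of a constructed customer record. Fields tagged
# "special" are the special categories of personal data (Article 9) that carry
# extra processing conditions.
CLASSIFICATION: Dict[str, str] = {
    "name": "personal",
    "email": "personal",
    "postal_address": "personal",
    "order_history": "personal",
    "health_condition": "special",
    "trade_union": "special",
}

# Policy as data: (role, purpose) -> the only fields that purpose needs. This
# is Article 25(2)'s 'only personal data which are necessary for each specific
# purpose' expressed so that a pair with no entry gets nothing.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("support_agent", "order_inquiry"): frozenset({"name", "email", "order_history"}),
    ("fulfilment_clerk", "shipping"): frozenset({"name", "postal_address"}),
    ("occupational_health", "medical_accommodation"): frozenset({"name", "health_condition"}),
}

# Roles that may process special-category fields at all. A policy entry that
# lists such a field for any other role is treated as a misconfiguration and
# the field is stripped rather than released.
SPECIAL_CATEGORY_ROLES: FrozenSet[str] = frozenset({"occupational_health"})


class AccessDenied(Exception):
    """Raised when a (role, purpose) pair has no approved entitlement."""


def authorised_fields(role: str, purpose: str) -> FrozenSet[str]:
    """Fields the pair may process. Unknown pairs (including unauthenticated or
    'public' callers) yield the empty set: default deny, not default allow."""
    fields = POLICY.get((role, purpose), frozenset())
    if role not in SPECIAL_CATEGORY_ROLES:
        fields = frozenset(f for f in fields if CLASSIFICATION.get(f) != "special")
    return fields


def minimise(record: Dict[str, str], role: str, purpose: str) -> Dict[str, str]:
    """Return only the fields of `record` necessary for the stated purpose, and
    fail closed with AccessDenied when the pair has no entitlement."""
    allowed = authorised_fields(role, purpose)
    if not allowed:
        raise AccessDenied(f"role {role!r} has no approved purpose {purpose!r}")
    return {k: v for k, v in record.items() if k in allowed}


def audit_record(role: str, purpose: str, released: Dict[str, str]) -> str:
    """One line for the records of processing activities that Chapter 4 asks
    controllers to keep: who processed which fields for what purpose."""
    return f"role={role} purpose={purpose} fields={','.join(sorted(released))}"


# Constructed sample record holding every classified field.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Anna Example",
    "email": "anna@example.com",
    "postal_address": "1 Example Street, Berlin",
    "order_history": "3 orders",
    "health_condition": "asthma",
    "trade_union": "none declared",
}

if __name__ == "__main__":
    view = minimise(SAMPLE_RECORD, "support_agent", "order_inquiry")
    print(view)
    print(audit_record("support_agent", "order_inquiry", view))
```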

03 Building blocks of a data governance program

Building a data governance program is based on a three-pronged approach; it involves policy, processes, and people. The effectiveness of the data governance program is dependent on the planning and thought that goes into the policies and processes, and the selection, education, and motivation of the people who are involved.

[Figure: Policy, Process, People]

Policy prioritizes the quality, integrity, and trustworthiness of data, and the confidentiality and privacy of personal data, as a business objective.

Processes ensure the enforcement of policies through standardized automated or manual procedures. This includes both the operations performed to accomplish a task (such as correcting an error in personal data in response to a data subject’s request) and the technologies that are used to carry out the operations.

People, consisting of organizational leadership, IT and security implementers, data stakeholders, and stewards (all of the data governance roles within an organization that we discussed above), are the drivers of both policy and processes, and of the technologies used to implement them.

For policies and processes to work, people must be engaged. Users disregard or actively circumvent policies that are difficult to understand or seem unreasonable, and resist using processes that are time-consuming, have a steep learning curve, or drastically change the way they work. Smooth adoption by the people who work with the data requires policies that make sense and have a clear benefit, and processes that are user-friendly.

Data governance policy and processes should address the following broad areas:

- Data acquisition
- Data discovery (identification and classification)
- Data ownership and accountability
- Data management (including management of metadata)
- Data access and us
