While there are many things you will need to do later, there are some key steps you should take now to be ready. Each of these is an aspect of a healthy data governance program that should already be in place:
1 – Document your Data
One of the most common issues organizations face is not having a clear audit trail of what data they have and how it can be accessed. As organizations experience rapid growth, they typically trade off security and management policies for “speed to decision-making,” granting access to a wider set of people and groups without keeping a clear audit trail of how this information flows. If your organization is ever required to perform an information audit, you need to be ready to identify where the information is and how it came to rest in that location. This is similar to processes in the food industry, where manufacturers must be able to track a product down to the “lot level” when a recall happens.
The best way to document your data is through a Data Catalog system. There are many on the market today, each with its own features, and each addresses in its own way the gap many companies have in supporting an information audit. The additional advantage of data cataloguing is the effort it makes to democratize data in an organization. Making information available to the people who need it, and performing critical and timely analytics, is an essential characteristic of a data-driven company. Don’t be left behind by not having your data catalogued.
2 – Refine and Document Data Access Policies
In today’s fast-paced organization, sometimes people just “need access” to get the job done. However, the risks are far too great to simply provide the access without proper justification or visibility into how the data will be used and for how long. The best way to manage this is to create an audit trail of access-control decisions: who was granted access to which data, why, and for how long. Some data catalog products can provide this feature.
You should also define, through your data governance initiatives, the process by which individual data access requests will be handled. This provides an appropriate approval/denial process for each request, along with documentation of what was requested.
3 – Build Compliance into your Data Design
If you are unsure whether your current systems have enough features built in to comply with the coming laws, consider a Privacy Impact Assessment (PIA) to ensure you do comply. While a full outline is outside the scope of this blog, the Information Commissioner’s Office (ICO) has released a Code of Practice for PIAs, which covers how to perform one and includes templates to assist in the process.
Going forward, regardless of your own organization’s requirement to meet GDPR guidelines, data should be considered, valued, and protected as the asset that it is. This Privacy Impact Assessment could prove to be a guide in achieving a level of compliance.
4 – Stewardship
Lastly, a data-healthy organization with a solid data culture and governance process in place will ensure that data stewardship is a priority. Each area of the system should have controls and accountability for data quality and user access. This will ensure the organization is making good decisions with good data.
As an organization, you should also consider a “Data Protection Officer” (DPO) role: someone who is ultimately responsible for the stewardship of data within the organization. Much like a CFO or Controller governs monetary assets, the DPO will provide the oversight and accountability that organizations will need in the future.