What if … you had to comply with GDPR
Data compliance advice for busy data people
The General Data Protection Regulation (GDPR) is a regulation on personal data protection and privacy. It is the toughest privacy and security law in the world. GDPR purports to regulate organizations’ handling of personal data, putting customers in control of their own data processing. Organizations around the world strive to ensure their operations are compliant with GDPR regulations. At the same time, companies continue to observe explosive growth in the amount of personal data they collect, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
In this article, we introduce the data catalog: a tool that makes GDPR compliance an easy and flawless process. After outlining GDPR regulations, we explain how data catalogs can be used strategically to facilitate compliance with GDPR requirements.
What is GDPR?
Before introducing the data protection principles, we explain the key terms one should be familiar with when dealing with the question of General Data Protection Regulation compliance.
- Personal data — Any information that relates to an identified or identifiable living individual. This includes names and e-mail addresses, but also location information, ethnicity, gender, and others.
- Data subject — An individual person whose data is processed. They are usually customers or website visitors.
- Data processor — A person or organization that deals with personal information, as instructed by a controller.
- Data controller — The person who decides why and how personal data will be processed. If you are a controller, you are responsible for complying with the GDPR — you must be able to demonstrate compliance with the data protection principles, and take appropriate technical and organizational measures to ensure your processing is carried out in line with the General Data Protection Regulation.
If you are using personal data in your company, you are expected to comply with seven protection and accountability principles outlined in Article 5.1–2:
- Lawfulness, fairness, and transparency — personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose limitation — Personal data processing should be achieved for specified, explicit, and legitimate purposes.
- Data minimization — You should collect personal data that is adequate, relevant, and limited to what is strictly necessary for your specified purposes.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — You must process personal data in a manner that ensures appropriate security, integrity, and privacy.
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these protections
Who is subject to GDPR?
Alas, very few companies can escape complying with the privacy and security regulation. In fact, GDPR applies to:
- Any organization operating within the EU.
- Any organization outside the EU which offers goods or services to customers or businesses in the EU.
This ultimately means that almost every major corporation in the world needs a General Data Protection Regulation compliance strategy.
A data catalog makes quick work of GDPR compliance, how?
Data controllers face heavy responsibilities, which is why it is essential that they are equipped with a platform of metadata management. This is where the data catalog comes into play. Gartner, a specialized research firm, defines the notion of data catalog as follows:
“A data catalog creates and maintains an inventory of data assets through the discovery, description and organization of distributed datasets. The data catalog provides context to enable data stewards, data/business analysts, data engineers, data scientists and other data consumers to find and understand relevant datasets for the purpose of extracting business value.”.
- Gartner, Augmented Data Catalogs 2019.
The unified view of data assets provided by a data catalog allows you, to build an agile and simple system of data governance. But concretely, what does a data catalog provide, and how can it ease the burden of data governance and General Data Protection Regulation compliance?
1. Context and metadata — Description and tagging
A data catalog allows you to contextualize information, and to build a Wikipedia-like page for each data asset in the company. You will find information on the following: table and column names, last updates, owners, frequent users, dataset description, and tags.
New data catalogs, such as Castor, have abilities to propagate personal information (PII) tags or descriptions across the whole database. This helps maintain large data infrastructure documentation easier.
How does it help with GDPR compliance?The ability to contextualize information makes it easy for you to respect the purpose limitation and the fairness principles. These principles state that personal data must be processed for a specific and legitimate purpose and that your actions should match up with how it was described to your data subject. For example, under GDPR a retailer may process customer’s emails for product delivery, but not for general marketing purposes. The data catalog provides dataset description and intelligent tagging, providing clear definitions for how information can be lawfully used.The system of description and tagging is also useful when it comes to the storage limitation principle. In fact, a data catalog can identify information that shouldn’t be kept. For regulatory purposes, expiration dates are usually specified for user records. Keeping those records beyond the mandated thresholds exposes the organization to heavy fines. A data catalog avoids this by using metadata data tags to manage the lifecycle of data.
2. Data lineage
A data management software allows you to comprehend the lineage of the data — this includes the data source and the transformations applied to it.
How does it help with GDPR compliance?This feature can be used as an accountability tool. The GDPR demands from data controllers that they can demonstrate compliance with regulations. If you strive to be GDPR compliant but fail to show how, then you are not GDPR compliant, which may lead to heavy fines. Here, data governance and GDPR compliance are simplified, as a data catalog provides a graphical representation of the lineage of the data assets – providing an audit trail throughout its lifecycle. This information can also be exported to Excel, CSV, pdf, or other data format.
3. Continuous and automatic updating
A modern data catalog software updates itself automatically while allowing humans to edit it and remain in the loop.
How does it help with GDPR compliance?With this feature, you won’t have to think about respecting the accuracy principle. You can wave goodbye to the tedious process of manual cataloging. A data catalog provides continuous automatic updating, ensuring personal data is always accurate and up to date.
4. Access management
Modern data catalogs provide access management features, allowing you to restrict access to data assets. This works by granting data people specific roles, which are pre-defined collections of permissions. In practice, a user will only manage to access a dataset if he has the permission to do so.
How does it help with GDPR compliance?This feature ensures that integrity and confidentiality are respected and that personal data is processed in a manner that ensures security and privacy. As a data controller, you can easily control access to sensitive information.
5. Data usage — query history
Castor is a data management platform proposing data usage features, allowing you to see exactly who has been using the data, and which actions have been performed. This is made possible by a parser, referencing all the queries made by data people within the company.
How does it help with GDPR compliance?This is probably the most important accountability tool, ensuring that the lawfulness, fairness and transparency principles are
respected. This feature allows the data controller to track risks and security breaches. You can quickly learn whether employees have been using the data lawfully. The data controller can prove GDPR compliance flawlessly by showing query history.
Are you looking for a GDPR compliance tool?
At Castor, we are building a data documentation tool for the Notion, Figma, Slack generation.
Or data-wise for the Fivetran, Looker, Snowflake, DBT aficionados. We designed our catalog software to be easy to use, delightful and friendly.
Want to check it out? Reach out to us and we will show you a demo.
Originally published at https://www.castordoc.com on May 10, 2021.
