What You Need to Know About Data Governance.

What is data governance and do you need to know about it? Here we break it down into the basics so you can make sure you do what you need to do.

Privacy Governance

So you’ve set up a privacy policy and registered with the ICO. Job done… Right? But generating your privacy policy is just the tip of the iceberg when it comes to data governance.

Data governance is, in essence, the processes you put in place to ensure your policies are put into practice.

Without it, a privacy policy is nothing more than a false promise.

Data governance is the reason why adapting policies from other businesses can cause problems.

It’s unwittingly tying you into governance processes that may not be feasible or necessary for your business to uphold.

In this article, we’ve broken down the data governance processes into a step-by-step guide to help you to keep your business safe.

Getting Started with Data Governance.

Data Mapping.

Why do You Need a Data Map?

The first thing you’ll need to produce is a data map.

Your data map is a key document in your Article 30 Records of Processing and is a key requirement of the Regulator, the Information Commissioner’s Office (ICO).

Your data map may be called upon as evidence by the ICO in the event of a claim against you.

As a result, it’s important that you carry out a thorough data mapping exercise and keep it up-to-date with regular reviews.

What is a Data Map? 

A data map provides a complete picture of how data flows in and out of your business.  The process is referred to as data mapping.

Data mapping on spreadsheets can become a nightmare

From the names and emails you collect when recruiting new staff to the addresses of the customers you send your products or services to, as well as all the services you use to operate your business…

Every aspect of personal data use in your business needs to be recorded.

All the personal data that flows as a result of your business activities must be mapped from the first touchpoint to the last. 

How To Create a Data Map?

Data mapping starts with your data processes.

The first thing to do is to list out all the data processes in your organisation.

It’s best to take a pragmatic approach to this to ensure you don’t miss any.

A good idea is to split the business into key functions such as Sales, Onboarding, Marketing, Customer Service, IT, Operations, Finance etc.

Now work through each business function methodically documenting any process in that function that uses personal data. 

It’s a good idea to invite key members of your organisation to assist in the mapping to ensure no processes are missed. 

Against your list of data processes you’ll now need to record each of the following for each of your processes:

  • the types of data used in each process 
  • the types of individuals you are processing data about
  • the nature of your relationship with the individuals
  • where the data is held
  • any third party processors (other organisations) used
  • any data transfers and the legal safeguards applicable – this relates to international transfers to other countries
  • the lawful basis for processing
  • your data retention schedule

Smart data mapping tools can help automate the documentation of your data processes, saving you time and providing one primary connected system to record, update and manage your privacy information.

The PORT.im data mapping tool makes data mapping simple and enables you to work collaboratively with your colleagues.

Data map data visualization
Data map with drag and drop simplicity

Data Governance Assessments

Depending on the nature of your processing you may be required to carry out various data governance assessments to ensure you’ve considered whether the rights of individuals are being adequately protected.

These are as follows:

Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.

You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing.

It is also good practice to carry out a DPIA for any other major project which requires the processing of personal data.

Legitimate Interest Assessment (LIA)

A Legitimate Interest Assessment is a process for assessing and documenting the lawful basis for your processing is fair, balanced and legitimate.

An LIA is only required where a business has chosen to rely on legitimate interest as their lawful basis for processing.

There is no obligation in the UK GDPR to do an LIA, but it is best practice to conduct one if you are not sure.

Be aware that it is difficult to meet your obligations under the accountability principle without carrying out an LIA and recording it.

Privacy Principles

Privacy by Design

You are required to integrate data protection concerns into every aspect of your processing activities.

The Privacy by Design principle can be better interpreted as ‘data protection by design and by default’.

It is a key element of the privacy Regulator’s risk-based approach and its focus on accountability. I.e your ability to demonstrate how you are complying with the Regulator’s requirements.

Your DPIAs should feed into your data protection by design by principles highlighting areas of high-risk processing that may need to be designed differently.

Data Governance Processes and Workflows

Now you have a deep understanding and documentation of your data processing, you can start to implement workflows and fail-safes in your organisation.

Importantly, these will help to ensure your privacy promises are being followed through.

Here are a few key areas to consider. 

Managing Subject Access Requests (SAR)

Subject Access Requests, also known as Data Subject Access Requests, are official rights requests made by data subject.

Therefore, it is imperative these requests are dealt with promptly and taken seriously.

Failure to meet an individual’s legitimate rights request within the 31 days allocated by the ICO can result in fines or penalties for your organisation.  

For this reason, it is recommended to set up a dedicated line of communication such as dataprivacy@yourcompany.com to ensure requests are not missed.

There is now a growing trend to build rights request forms into your organisation’s website or privacy centre.

Your rights requests can then feed directly into a workflow behind the scenes to ensure requests are tracked through to completion.

Reviewing Your Data Processes

Just like your business your data processing is likely to evolve over time.

Data processing reviews are designed to flag any changes to processing so they can be dealt with compliantly.

This may require carrying out further DPIA’s as well as updates to your privacy policies and data maps and Article 30 Records of Processing.

Smart privacy management platforms can offer effective ways of updating documentation across your organisation easily. 

Reviewing the Accuracy of Your Data

As a data controller, you are responsible for maintaining the accuracy of your data.

In essence, this means putting processes in place to systematically check the accuracy of your data where possible.

Some businesses will send out emails to confirm individuals details or provide self-serve portals for them to update their information themselves.

Choose a regular interval to review your data.

Select an interval that seems reasonable for your business considering the frequency, scale and nature of your data processing. 

Reviewing Your Data Protection

Data protection is another important responsibility that falls on the shoulders of the business.

Using data maps and data flows you should assess any high-risk areas of data processing or data transfers and assess adequate levels of security and the technology to protect such data.

Employing the ICO’s data minimisation and data pseudonymisation principals where possible is another effective way of reducing your risk exposure around data protection.

In essence, if you don’t need the data, don’t collect it, and where you can pseudonymise the data you should. 

Data Governance Logs and Records

Just like an MOT building a complete picture of the checks and processes you’ve employed for data governance across your business will help protect you from the risk of penalties and fines.

Schedule and record processes for your organisation to follow and notarise key talking points that have been assessed. 

Smart privacy platforms can automatically track and log your checks and processes in your records giving you peace of mind you have everything you need when you need it if the regulator ever comes knocking.

Want to Learn More About Data Governance?

Get in touch on hello@port.im