GDPR (General Data Protection Regulation): The Role of Data Management

Originally Published: May 2018; Revised: March 2020

Best Practice Scribe
Mark McQueen, EDM Council Senior Advisor-DCAM
Philip Dutton, Co-Founder, Solidatus

Executive Summary

Objective

The GDPR requires any business that stores and manages personal data on behalf of people in the European Union (EU) (e.g., prospects, clients, employees) to handle this information in a transparent and structured manner. The biggest misconception about the GDPR is that it is EU-jurisdiction legislation only and, therefore, only requires compliance by EU businesses. In reality, it applies globally to any organization offering goods or services to the European Union.

Recognizing the global reach and impact of the GDPR, this work provided several practical deliverables to the EDM Council member organizations.

  • Create a basic understanding of the regulation and the role of the Data Management function in supporting compliance.
  • Identify requirements for data and the Data Management function.
  • Align the requirements to the EDM Council DCAM® Framework, providing a compliance roadmap specific to an organization's Data Management function.
  • Leverage member organization experience to develop best practices for the Data Management function to support GDPR compliance.

The concepts and analysis presented in this paper and supporting materials communicate value to all organizational stakeholders impacted by the GDPR (e.g., data management professionals, business executives, executive leadership, and regulatory compliance practitioners).

Key Observations

  • The GDPR is not Data Management legislation, but the Data Management control function is needed to support compliance with the legislation, which gives the business and the data subject (e.g., prospects, clients, and employees) various obligations and rights around the management of personal data.
  • Accountability for GDPR compliance is a Privacy activity. Most organizations already have a control function accountable for Privacy. How this is structured, and where it sits in the organizational hierarchy, varies significantly across industries. While there are some limited instances where the Privacy activity aligns with the Data Management function, that is not the norm.
  • The Chief Data Officer (CDO) and the Data Management function provide support to the Privacy control function accountable for GDPR compliance and to the business units which must manage privacy within their business processes.
  • If adoption of the DCAM Framework achieves an effective Data Management operating level, the foundation for supporting the data and Data Management requirements of GDPR compliance is largely in place. A challenge is the maturity and consistency of execution across the organization, because the processes and data impacted by the GDPR exist in all areas of the organization that maintain personal data.

In addition to this best practice paper, the Work Group published a companion document that identified areas for GDPR: Best Practice Opportunities to enhance execution in the DCAM Framework. The EDM Council maintains an ongoing activity as part of the mission of the DCAM User Group to collect best practices aligned to the identified opportunities. The DCAM User Group is open to all individuals affiliated with EDM Council Member organizations.


Issue

GDPR Overview

The European Union (EU) General Data Protection Regulation (GDPR) is a response to the growth of global business, technological developments, and the huge surge in the volume of data collected by organizations worldwide. The intent is to harmonize data protection legislation across the Member States, establishing a single set of EU laws regarding the processing of personal data. The GDPR is the first comprehensive overhaul of European Union data protection rules in 20 years. It repeals and replaces the European Data Protection Directive 95/46/EC and, in turn, the national transpositions of that directive at the EU Member State level. As an EU regulation, the GDPR is directly applicable in all 28 EU Member States without the need for legislation at the Member State level. The GDPR entered into force on May 25, 2016, and went live on May 25, 2018.

The GDPR confers significant powers on regulators to investigate and enforce compliance. Non-compliance could result in a fine of up to 20 million euros or 4% of an organization's total worldwide annual turnover (revenue), whichever is higher.

While the regulation is EU-jurisdiction legislation, it applies globally to any organization offering goods or services into the European Union. The GDPR requires any business that stores and manages personal data for people in the EU (e.g., prospects, clients, and employees) to handle this information in a transparent and structured manner.

Industry Current State

The GDPR was the leading regulation to express an expanded set of data privacy requirements regarding the processing of personal data. In response to the new regulation, all impacted business entities began interpreting how compliance with the regulation would affect their business processes.

Promontory Financial Group served as the regulatory subject matter expert on the GDPR, sharing its interpretation of the regulation so that the data practitioner members could identify requirements for data and Data Management.

The GDPR went beyond any prior data privacy legislation globally and was viewed by many as the threshold standard, and, as expected, other jurisdictions across the globe are introducing regulation patterned after the GDPR. In the past two years, many jurisdictions have instituted similar data privacy regulations, while a large number of additional jurisdictions have draft regulations under consideration.

Below is a summary of the key provisions of the GDPR, as defined by Promontory.

Summary of Key Provisions

A high-level summary of the key provisions of the GDPR aligns to the seven thematic areas below. These areas set the parameters for a more detailed analysis of the regulation in the following best practice description.


Diagram 1: Summary of Key Provisions

Best Practice

Stakeholders

The GDPR stakeholders vary in an organization depending on how it aligns GDPR accountability to its Control Function framework. This best practice assumes there is a separate control function accountable for the GDPR that defines requirements for the Data Management control function to achieve GDPR compliance.

The Data Management function stakeholders include:

  • Executive Leadership
  • Business Executives
  • Regulatory Compliance Practitioners
  • Data Management Practitioners (Reference: Data Management Functional Construct)
    • Chief Data Officer
    • Data Owner
    • Executive Data Owner
    • Business Data Steward
    • Technical Data Steward
    • Data Custodian

The remainder of this best practice focuses on the activities of the Data Management Practitioners.

Scope

The scope set by the Work Group included a set of Design Concepts confined to the GDPR compliance requirements with impacts on data and the Data Management function.

Client-Centric Business Value

While the GDPR is a regulatory mandate, if executed effectively there is significant business value derived from the resulting client centricity and enhanced client relationship. The GDPR requires a process of interaction with a client that delivers transparency, client empowerment, efficient portability, and data quality. These are all opportunities to deepen the relationship and develop trust, providing a positive client experience that drives profit and competitive advantage. Additionally, the availability of quality data enables client knowledge, cross-sell and upsell, and the opportunity to offer the right product at the right time in the client lifecycle.

The Role of the CDO & Data Management Function

The CDO is NOT usually accountable for GDPR compliance; however, the CDO and the Data Management function still play a significant role in satisfying the GDPR. Data Management is a control function that needs to support the privacy control function accountable for GDPR compliance and the business units which must manage privacy within their business processes. The foundation for supporting the data and Data Management requirements of GDPR compliance is in place if the adoption of the DCAM Framework reaches the Achieved capability level. The challenge is maturity and consistency of execution across the organization, because the processes and data impacted by the GDPR exist in many areas across the organization.

Alignment to Organizational Ecosystem

The GDPR requires a risk framework where all the lines of defense (1st, 2nd, and 3rd) work in concert to ensure the organization achieves the outcome of valuing and protecting client privacy and data. The Data Management function must facilitate the collection of requirements from across a variety of ecosystem stakeholders (e.g., Privacy, Risk, Info Security, Data Retention, Technology, AML/KYC).

The Role of Technology

The GDPR requires a strategic alignment between all data stakeholders, and Information Technology (IT) solutions must be a part of the overall solution. The best-efforts requirement of the GDPR requires the application of appropriate technical and organizational measures.

A best practice approach may include technical automation to support Data Management activities such as data identification, lineage, and metadata. Also, beyond standard access controls, more advanced tools may be applied so that data is encrypted, tokenized, anonymized, or pseudonymized at rest, in transit, and in memory. These are technology solutions to restrict who is allowed to view the data and for what purposes.

The Role of Master Data

The Work Group acknowledges the value of Client Master data: if client data is controlled in a single data domain across the organization, achieving the GDPR requirements is simplified, which adds to the business case for the Client Master. However, there are very few, if any, instances of mature Client Master data domains.
Table 1: Design Concepts
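The Role of Technology concept above names pseudonymization and data minimization as controls without showing what they look like in practice. The following is an added example, not code from the EDM Council paper or from Solidatus, of one common form of "pseudonymized at rest": a keyed HMAC replaces the direct client identifier before records reach a shared analytics store, fields the purpose does not need are dropped, and the key is held by the privacy control function rather than alongside the data. The record layout, field names, sample values, and the purpose that only needs country and segment are all constructed assumptions for this example.

```python
"""Added example (not from the EDM Council paper): pseudonymizing client
records before they reach a shared analytics store.

Constructed assumptions: records are dicts with the field names below; the
analytics purpose needs only country and segment; the HMAC key is issued and
stored by the privacy control function, never with the pseudonymized data.
"""
import hashlib
import hmac

# Direct identifiers are replaced by a keyed pseudonym so records about the
# same subject stay joinable without revealing who the subject is.
DIRECT_IDENTIFIERS = frozenset({"client_id"})
# Fields the stated purpose does not need are dropped outright (purpose
# limitation and data minimization, components 2.1 and 2.2 of the framework).
DROPPED_FIELDS = frozenset({"name", "email", "date_of_birth"})

# Constructed sample input: two records about client C-1001, one about C-2002.
SAMPLE_RECORDS = [
    {"client_id": "C-1001", "name": "A. Example", "email": "a@example.invalid",
     "date_of_birth": "1980-01-01", "country": "DE", "segment": "retail"},
    {"client_id": "C-2002", "name": "B. Example", "email": "b@example.invalid",
     "date_of_birth": "1975-06-30", "country": "FR", "segment": "private"},
    {"client_id": "C-1001", "name": "A. Example", "email": "a@example.invalid",
     "date_of_birth": "1980-01-01", "country": "DE", "segment": "retail"},
]


def pseudonym(key: bytes, identifier: str) -> str:
    """HMAC-SHA256 of a direct identifier under a secret key.

    Unlike a plain hash, the mapping cannot be rebuilt by someone who knows
    the identifier format but not the key (e.g. by hashing every C-nnnn).
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(key: bytes, record: dict) -> dict:
    """Return a copy with direct identifiers replaced and unneeded fields removed."""
    out = {}
    for field, value in record.items():
        if field in DROPPED_FIELDS:
            continue
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(key, str(value))
        else:
            out[field] = value
    return out


def pseudonymize_dataset(key: bytes, records: list) -> list:
    return [pseudonymize_record(key, r) for r in records]


def leaked_identifiers(original: list, pseudonymized: list) -> list:
    """Control check: raw identifier or dropped-field values that still appear
    anywhere in the pseudonymized output. Expected result: an empty list."""
    sensitive = {str(r[f]) for r in original
                 for f in DIRECT_IDENTIFIERS | DROPPED_FIELDS if f in r}
    present = {str(v) for r in pseudonymized for v in r.values()}
    return sorted(sensitive & present)


def records_for_subject(key: bytes, client_id: str, pseudonymized: list) -> list:
    """Answer a subject access or erasure request against the pseudonymized
    store: only a holder of the key can recompute the subject's pseudonym."""
    target = pseudonym(key, client_id)
    return [r for r in pseudonymized if r.get("client_id") == target]


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # in practice issued by the privacy function
    store = pseudonymize_dataset(key, SAMPLE_RECORDS)
    for row in store:
        print(row)
    print("leaked values:", leaked_identifiers(SAMPLE_RECORDS, store))
    print("records for C-1001:", len(records_for_subject(key, "C-1001", store)))
```

The design point is the separation of duties the paper describes: the analytics store holds only pseudonyms and the fields the purpose requires, while the ability to link a pseudonym back to a person (for an access or erasure request) rests with whoever holds the key. Destroying the key removes that ability for every record at once, which is why the key's custody, rotation, and access logging belong in the Govern Access & Use sub-capability rather than in the analytics platform.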

Description

Approach to Analysis

The Work Group approach was a logical analysis of the GDPR requirements for data and the Data Management function.

  • Created a shared understanding of the regulatory requirements of the GDPR
  • Analyzed each requirement for implications for data or the Data Management function
  • Interpreted the impacts into Data Management requirement statements
  • Aligned the Data Management requirements to the DCAM Framework
  • Identified Best Practice Opportunities to provide specific guidance to support compliance with the regulation
Diagram 2: Approach to Analysis

The Analysis

Key Terms

The following key terms are integral to understanding the GDPR and are included here for reference.

  • Data Subject
  • Data Controller
  • Data Processor
  • Personal Data
  • Sensitive Personal Data

GDPR Requirements for Data and Data Management

The Work Group adopted the Promontory GDPR Analysis Framework (Table 2). The framework uses the seven Thematic Areas introduced above and organizes the GDPR data protection requirements into 22 components, as shown below. These 22 components are the basis for the detailed analysis conducted by the Work Group.

Data Subject Rights
  1.1 Transparency and Information Rights
  1.2 Right of Access
  1.3 Rectification, Erasure, and Restriction of Processing
  1.4 Profiling & Automated Individual Decisions
  1.5 Data Portability
Data Handling
  2.1 Purpose Limitation & Data Minimization
  2.2 Data Quality & Proportionality
  2.3 Legal Basis for Processing Personal Data
  2.4 Special Categories of Data
  2.5 Controller – Processor Relationship
  2.6 Controller – Controller Relationship
  2.7 International Data Transfers
Training
  3.1 Training Program
Accountability & Governance
  4.1 DPOs, Compliance & Mutual Assistance
  4.2 Records of Processing Activities
Security & Confidentiality
  5.1 Security of Processing
  5.2 Breach Notifications to Data Protection Authorities
  5.3 Breach Notifications to Data Subjects
Change Management
  6.1 Data Protection by Design and by Default
  6.2 Data Protection Impact Assessments
  6.3 Prior Consultation
Assurance & Monitoring
  7.1 Audit Program
Table 2: GDPR Analysis Framework

Data & Data Management Function Requirements

A walkthrough of each component resulted in the identification of 32 implications for data and the Data Management function. Further analysis of the 32 implications defined a total of 48 Data Management requirement statements.

The Work Group adopted the hypothesis that the GDPR requirements impacting the Data Management function were NOT materially unique and, therefore, that the foundation provided by the EDM Council DCAM Framework would support GDPR compliance.

Successfully mapping the 48 defined Data Management requirements to the Capabilities and Sub-capabilities defined in the DCAM Framework validated the hypothesis. The next section contains an explanation of the mapping exercise.

The Work Group concluded that if an organization adopts the DCAM Framework and achieves a sufficient operating level, the foundation for supporting the data and Data Management requirements of GDPR compliance is largely in place. However, a challenge is the maturity and consistency of execution across the organization, because the processes and data impacted by the GDPR exist in all areas of the organization that maintain personal data.

DCAM Framework Alignment

Capability Alignment

The 48 GDPR Data Management requirement statements were mapped to the DCAM Framework at the 3-digit sub-capability level. The mapping resulted in 370 pairings across 45 unique sub-capabilities. The GDPR Requirement Count is the number of GDPR requirements that aligned with each sub-capability. This count allows a quick reference to focus on the sub-capabilities that are required for the Data Management function to support GDPR compliance.

The CDO can use this analysis as the basis for a GDPR compliance checklist of the required support from the Data Management function. While not a direct correlation to criticality, the sub-capabilities with higher GDPR requirement alignment counts may suggest a prioritization if you are building your capability or working to close gaps in your existing capabilities.

DCAM Component / DCAM Sub-capability | GDPR Req Ct
2.0 Data Management Program & Funding Model
  2.5.2 Industry Standards Utilized | 2
  2.7.1 Internal Communication Plans | 1
  2.7.2 External Communication Plans | 1
  2.7.3 Training Implemented | 1
3.0 Business & Data Architecture
  3.2.1 Requirements for Data Defined | 9
  3.2.4 Governance Aligned | 11
  3.3.1 Domains Authorized | 8
  3.3.2 Repositories Inventoried | 8
  3.4.1 Entities Standardized | 12
  3.4.2 Business Definitions Approved | 12
  3.4.3 Taxonomies Used | 9
  3.4.4 Metadata Standardized | 23
4.0 Data & Technology Architecture
  4.1.1 DM Engaged in TA | 12
  4.1.2 DM Engaged in Platform | 26
  4.1.4 DM Engaged in Data Distribution | 12
  4.1.5 Governance Aligned | 20
  4.2.1 Selection Strategy Defined | 11
  4.2.2 Roadmap Implemented | 11
  4.2.3 Governance Aligned | 11
5.0 Data Quality Management
  5.1.1 DQM Defined | 2
  5.1.2 Roles & Responsibilities Implemented | 2
  5.1.4 Processes Auditable | 1
  5.2.1 Data Prioritized | 2
  5.2.2 Rules Defined | 16
  5.2.3 Data Measured | 2
  5.3.1 Remediation Implemented | 2
  5.3.2 RCA Defined | 2
  5.4.1 DQ Control Points | 2
  5.4.2 Data Issues Managed | 4
  5.4.3 Continuous Monitoring | 2
6.0 Data Governance
  6.2.1 P&S Complete | 13
  6.2.2 P&S Stakeholder Approval | 13
  6.2.3 P&S Executive Approval | 13
  6.2.4 P&S Cross-control Aligned | 16
  6.2.5 P&S Auditable | 10
  6.3.2 Approval Processes Established | 1
  6.3.4 Issue Management Operational | 4
  6.4.1 Data Domains Governed | 10
  6.4.2 Metadata Governed | 9
  6.5.1 Govern Access & Use | 12
7.0 Data Control Environment
  7.1.1 DCE Established | 2
  7.1.3 DM Capabilities Effectively Integrated | 2
  7.2.1 P&S Aligned | 10
  7.2.2 Engagement Routines Established | 9
  7.2.3 Cross-controls Applied | 9
Table 3: DCAM Sub-Capability Alignment

Update to the Original DCAM – GDPR Detailed Analysis

The original best practice paper published in May 2018 presented the detailed analysis conducted by the Work Group in a very complex spreadsheet. The spreadsheet had the usual limitations of presenting the data in rows and columns with a 1:1 relationship. As a result, understanding all the analytic findings was challenging.

The EDM Council and Solidatus formed a strategic partnership. Using the Solidatus knowledge graph modeling platform, an update of the original detailed analysis created the DCAM – GDPR Knowledge Model. The tool presents the analytics in a much more user-friendly and understandable interface.

The DCAM – GDPR Knowledge Model includes the following layers.

  • GDPR Regulation – full-text presentation of the regulation
  • GDPR Recitals – full-text presentation of the recitals
  • Data Thematic Areas/Sub-component – interpretation layer of the regulation organized into thematic areas and sub-components
  • GDPR Process Requirements – identified processes required for the execution of the GDPR
  • Data & Data Management Impacts – identified impacts of the regulation on data or the Data Management initiative
  • Data Requirements – categories of data required to support the execution of the regulation
  • Data Management Requirements – requirements for Data Management capability to support the execution of the regulation
  • Data Management Tools – a posting of the DCAM Framework document and a collection of support resources
  • DCAM v2 – full text of the DCAM Framework
  • DCAM v1.3 – the prior version of the DCAM Framework with mapping to the new version, which in turn allowed the prior GDPR mapping to DCAM to create an inherited mapping to DCAM v2

The default view has been designed by EDMC to introduce knowledge modeling content. The additional views emphasize various knowledge lineage concepts within the model. Access the views from the left-side menu.

  • View 1: Knowledge Model Framework – default view displaying the fully collapsed model structure
  • View 2: GDPR Thematic Areas – mapping between the GDPR and a summary of the regulation organized into Thematic Areas
  • View 3: GDPR Process Requirements – mapping between the Thematic Areas and the business processes required to execute the GDPR
  • View 4: Business Requirements for Data – mapping between the Thematic Areas and the business requirements for data
  • View 5: Data Management Capability Requirements – mapping between the Thematic Areas and the requirements for Data Management capabilities
  • View 6: Data Management Tools – mapping between the Data Management Capability Requirements and a set of required design criteria and tools
  • View 7: GDPR to DCAM Alignment – mapping between the Data Management Capability Requirements and the DCAM Framework

The knowledge model with these views allows a user to focus on the information presented in each of these layers. A user can also create filters and views on the data using the options available in the left-side margin. A search function is in the lower right corner. For an overview of all these functions, select the Help dropdown in the top right corner.


EDM Council Member Customized Analysis Opportunity

With a full Solidatus license, Council members have an opportunity to leverage the standard read-only DCAM – GDPR Knowledge Model and extend the model internally to their organization. The extension of the model allows the organization to create customized layers specific to its regulatory processes, data elements, and Data Management capability. With the internal execution of the regulation modeled and linked back to the source regulation and requirements, there is a complete record of compliance.

Industry Opportunity

There is a rampant proliferation of data privacy regulation emerging from geographic jurisdictions globally. As an industry, there is an opportunity to jointly reconcile these disparate data privacy regulations into a consolidated set of requirements. When analyzing a new regulation, identifying the overlap with requirements from previously analyzed regulations is easier than starting from scratch. The overlap would not require further analysis; only the net new requirements would need to be analyzed and processed into the model. Through the trace capability of the knowledge model, a use case with any combination of jurisdictions can then be applied to produce just the requirements that apply to that use case.

There is an opportunity through the EDM Council to form a global coalition generating a standard model of Multi-jurisdictional Data Privacy Regulation Requirements. This model would include:

  • Full-text regulatory models
  • Industry vetted interpretation
  • Industry-standard processes and data requirements
  • Record of logic for legal and compliance review and approval

Design Requirements, Processes, & Tools – Best Practice Opportunities

While the DCAM™ Framework provides the Data Management foundation to support compliance with the GDPR, the Work Group did identify a set of additional focus areas where ongoing collaboration and knowledge sharing could produce further valuable best practice standards. A collection of prioritized proposed areas for GDPR: Best Practice Opportunities is available in a separate knowledge post.

In the absence of these best-practice standards, organizations must independently define their approach to each of these focus areas.  The list of Best Practice Opportunities is a guide for an organization to ensure its Data Management processes and tools consider an approach to these focus areas.

The EDM Council maintains an ongoing effort to collect best practice executions from member organizations. Members should share their proposed best practice or raise other issues in the comments section at the end of this post.

Appendix

About the Work Group

In mid-2017, the Council held a GDPR webinar briefing for all members to level-set a basic understanding of the regulation. The forum was also an open invitation for representatives from member organizations to join a Work Group to develop a best practice recommendation for the role of data management in GDPR compliance.

A Work Group was formed with approximately 40 members representing all aspects of the industry (GSIBs, SIFIs, buy-side, sell-side, geographic, consultants, vendors).

The project objective was to assess actual member organization experience for the development of best practices for the Data Management function to support compliance with the GDPR.

The first step was to level-set an understanding of the GDPR legislation. With a grounding in the requirements of the legislation, the Work Group then went through a logical analysis of the requirements as follows:

  • Identified implications for data and the Data Management function
  • Identified data and Data Management function requirements
  • Aligned the requirements to the DCAM™ Framework
  • Identified Best Practice "Opportunities" to provide specific guidance to support compliance with the regulation

Work Group Members – organization affiliation as of May 2018

Allen, Diahn – T Rowe Price
Arzaga, Raymund – Scotiabank
Atkin, Mike – EDMC
Baig, Haroon – Barclays
Bersie, Bret – US Bank
Bholasing, Jeffrey – ING
Blaszkowsky, David – Financial Semantics Collaborative
Bottega, John – EDMC
Bruckman, Todd – AIG
Buoninfante, Christina – Mizuho
Cardoso, Karina – E&Y
Dinsmore, Chris – BBH
Dokuchaeva, Anastasia – ClauseMatch
Doyle, Martin – DQ Global
Giordano, Peter – Oppenheimer & Co.
Hankinson, Simon – Collibra
Inserro, Richard – PWC
Isaac, Gareth – Ortecha
Lancos, Peter – Exate Technology
Lawson, Andrew – Brickendon
Magora, Stephen – Credit Suisse
McDougall, Simon – Promontory Financial Group
McQueen, Mark – EDMC / FutureDATA
Miliffe, Christopher – E&Y
Naismith, Jonathan – Exate Technology
Rattan, Sonal – Exate Technology
Rende, Daniel – RBC
Rolles, Daniel – EXL Service
Ruston, Max – Charles Schwab
Sarkar, Agomoni
Singh, Ankita – Invesco
Snyder, Nathan – Brickendon
Sordo, Mauricio – ING
Spiegler, Yoni – Mizuho
St Clair, Micheline – RBC
Steenbeek, Irina – ABN AMRO
Stender, Werner – CapCO
Sukhia, Umang – AIG
Tanag, Marichelle – AIG
Thomas, Richard – Invesco
Timofeev, Paula – Wellington Management Co.
Van De Haar, Bert – ING
Wackwitz, Merel – ING


About the Authors

Mark McQueen, EDMC Senior Advisor-DCAM, led the Work Group facilitation and served as scribe of this report. Mark has over 20 years with a Fortune 25 GSIB, where he was the business Data Management Executive for the Wholesale Bank. In addition to Best Practice Program facilitation, he provides training and EDMC Advisory Services related to the adoption and execution of the DCAM Framework in member organizations.

Mark is DCAM v2 Accredited, DCAM Certified Trainer, Six Sigma Black Belt Certified, and Strategic Foresight Accredited – University of Houston.

Mark is a partner in Ortecha, an independent data consultancy located in the UK and the USA.

mmcqueen@edmcouncil.org
+1 615.308.6465

Philip Dutton is a Co-Founder of Solidatus, the leading data lineage, business relationship and conceptual modeling tool that enables the effective management of data, people and processes. He is passionate about revolutionizing the data economy and helping organizations solve the ever-increasing demand for openness, transparency, and traceability needed in business today.

With over 20 years’ experience as a Senior System Architect, Engineer and Project Manager, much of his expertise comes from the management of global transformational change projects within the Financial Services sector. Philip has led the partnership between the EDM Council and Solidatus and has been instrumental in the development of the DCAM™ Advanced Knowledge Modeling Tool. He is DCAM v2 Accredited and a thought leader in shifting the data management paradigm towards sustainability.

Philip.dutton@solidatus.com
+44 7714761913

Simon McDougall, at the time of the original report the Managing Director and global lead of the Privacy and Data Protection Practice for Promontory Financial Group, provided specific subject matter expertise on the GDPR legislation.


Revision History

Date | Authors | Description
May 2018 | Mark McQueen; Philip Dutton | Initial Publication
March 2020 | Mark McQueen | Knowledge Portal Release; Converted Excel Analysis into DCAM – GDPR Knowledge Model; Updated Analysis Commentary to Align with the Knowledge Model; Broke out the Opportunities for Best Practice into a Separate Article
