Originally Published: May 2018; Revised: March 2020
Best Practice Scribe
Mark McQueen, EDM Council Senior Advisor-DCAM
Philip Dutton, Co-Founder, Solidatus
Executive Summary
Objective
The GDPR requires any business that stores and manages personal data on behalf of people in the European Union (EU) (e.g., prospects, clients, employees) to handle that information in a transparent and structured manner. The biggest misconception about GDPR is that it is purely EU-jurisdiction legislation and, therefore, only EU businesses need to comply. In reality it applies to any organization, wherever established, that offers goods or services to, or monitors the behaviour of, individuals in the EU (Article 3).
Recognizing the global reach and impact of the GDPR, this work provided several practical deliverables to the EDM Council member organizations.
- Create a basic understanding of the regulation and the role of the Data Management function in supporting compliance.
- Identify requirements for data and the Data Management function.
- Align the requirements to the EDM Council DCAM® Framework, providing a compliance roadmap specific to an organization's Data Management function.
- Leverage member organization experience to develop best practices for the Data Management function to support GDPR compliance.
The concepts and analysis presented in this paper and supporting materials communicate value to all organizational stakeholders impacted by GDPR (e.g., data management professionals, business executives, executive leadership, and regulatory compliance practitioners).
Key Observations
- GDPR is not Data Management legislation, but the Data Management control function is needed to support compliance with it. The regulation gives the business obligations, and the data subject (e.g., prospects, clients, and employees) rights, around the management of personal data.
- Accountability for GDPR compliance is a Privacy activity. Most organizations already have a control function accountable for Privacy. How this is structured, and where it sits in the organizational hierarchy, varies significantly across industries. While there are some limited instances where the Privacy activity aligns with the Data Management function, that is not the norm.
- The Chief Data Officer (CDO) and the Data Management function provide support to the Privacy control function accountable for GDPR compliance and to the business units that must manage privacy within their business processes.
- If adoption of the DCAM Framework achieves an effective Data Management operating level, the foundation for supporting the data and Data Management requirements of GDPR compliance is largely in place. The challenge is the maturity and consistency of execution across the organization, because the processes and data impacted by GDPR exist in every area of the organization that maintains personal data.
In addition to this best practice paper, the Work Group published a companion document that identifies areas for GDPR: Best Practice Opportunities to enhance execution in the DCAM Framework. The EDM Council maintains an ongoing activity, as part of the mission of the DCAM User Group, to collect best practices aligned to the identified opportunities. The DCAM User Group is open to all individuals affiliated with EDM Council member organizations.
More Information
- GDPR Regulation
- DCAM – GDPR Knowledge Model– the full GDPR requirements analysis with data and Data Management Impacts, requirements, and DCAM Framework alignment.
- Using a Best Practice Article
- EDM Council & the DCAM User Group
- The Knowledge Development Process
- About the Work Group
- Work Group Members
Issue
GDPR Overview
The European Union (EU) General Data Protection Regulation (GDPR) is a response to the growth of the global enterprise, technological developments, and the huge surge in the volume of data collected by organizations worldwide. Its intent is to harmonize data protection legislation across the Member States, establishing a single set of EU rules for the processing of personal data. The GDPR is the first comprehensive overhaul of EU data protection rules in 20 years. It repeals and replaces the EU Data Protection Directive 95/46/EC and, in turn, the national transpositions of that directive at Member State level. As an EU regulation, the GDPR is directly applicable in every EU Member State without the need for Member State legislation. The GDPR entered into force on May 24, 2016, and became applicable on May 25, 2018.
The GDPR confers significant powers on supervisory authorities to investigate and enforce compliance. Non-compliance can result in an administrative fine of up to 20 million euros or 4% of the organization's total worldwide annual turnover (revenue) for the preceding financial year, whichever is higher.
While the regulation is EU legislation, it applies to any organization, wherever established, that offers goods or services to, or monitors the behaviour of, individuals in the EU. The GDPR requires any business that stores and manages personal data about people in the EU (e.g., prospects, clients, and employees) to handle that information in a transparent and structured manner.
Industry Current State
GDPR was the leading regulation to express an expanded set of data privacy requirements regarding the processing of personal data. In response, every impacted business entity began interpreting what compliance with the regulation meant for its business processes.
Promontory Financial Group served as the regulatory subject matter expert for GDPR, sharing its interpretation of the regulation so that the data practitioner members could identify requirements for data and Data Management.
GDPR went beyond any prior Data Privacy legislation globally and was viewed by many as the threshold standard, and as expected, other jurisdictions across the globe are introducing regulation patterned after GDPR. In the past two years, many jurisdictions have instituted similar Data Privacy regulations, while a large number of additional jurisdictions have draft regulations under consideration.
Below is a summary of the key provisions of GDPR, as defined by Promontory.
Summary of Key Provisions
A high-level summary of the key provisions of the GDPR aligns to the seven thematic areas below. These areas set the parameters for a more detailed analysis of the regulation in the following best practice description.

Best Practice
Stakeholders
The GDPR stakeholders vary from one organization to another depending on how GDPR accountability is aligned to the Control Function framework. This best practice assumes there is a separate control function accountable for GDPR that defines the requirements the Data Management control function must meet to achieve GDPR compliance.
The Data Management function stakeholders include:
- Executive Leadership
- Business Executives
- Regulatory Compliance Practitioners
- Data Management Practitioners (Reference: Data Management Functional Construct)
- Chief Data Officer
- Data Owner
- Executive Data Steward
- Business Data Steward
- Technical Data Steward
- Data Custodian
The remainder of this best practice focuses on the activities of the Data Management Practitioners.
Scope
The scope set by the Work Group comprised a set of Design Concepts bounded by the GDPR compliance requirements that impact data and the Data Management function.
| Customer-Centric Business Value |
| While GDPR is a regulatory mandate, executed effectively it also yields significant business value through client centricity and an enhanced client relationship. The GDPR requires a process of interaction with the client that delivers transparency, client empowerment, efficient portability, and data quality. Each of these is an opportunity to deepen the relationship and build trust, giving a positive client experience that drives profit and competitive advantage. Additionally, the availability of quality data enables client knowledge, cross-sell and upsell, and the opportunity to offer the right product at the right time in the client lifecycle. |
| The Role of the CDO & Data Management Function |
| The CDO is NOT usually accountable for GDPR compliance; however, the CDO and the Data Management function still play a significant role in satisfying the GDPR. Data Management is a control function that must support both the privacy control function accountable for GDPR compliance and the business units that must manage privacy within their business processes. If adoption of the DCAM Framework reaches the "Achieved" capability level, the foundation for supporting the data and Data Management requirements of GDPR compliance is in place. The challenge is the maturity and consistency of execution across the organization, because the processes and data impacted by GDPR exist in many areas across the organization. |
| Alignment to Organizational Ecosystem |
| GDPR requires a risk framework in which all lines of defense (1st, 2nd, and 3rd) work in concert so that the organization achieves the outcome of valuing and protecting client privacy and data. The Data Management function must facilitate the collection of requirements from across a variety of ecosystem stakeholders (e.g., Privacy, Risk, Information Security, Data Retention, Technology, AML/KYC). |
| The Role of Technology |
| GDPR requires strategic alignment among all data stakeholders, and Information Technology (IT) solutions must be part of the overall solution. Article 32 requires controllers and processors to apply technical and organizational measures appropriate to the risk. A best practice approach may include technical automation to support Data Management activities such as data identification, lineage, and metadata. Beyond standard access controls, more advanced tools may be applied so that data is encrypted, tokenized, anonymized, or pseudonymized at rest, in transit, and in memory. These are technology solutions to restrict who is allowed to view the data and for what purposes. Note the distinction the regulation draws: pseudonymized data remains personal data because it can be re-identified using additional information held separately (Recital 26), so the keys or token vaults that enable re-identification need the same access governance as the clear data, whereas truly anonymized data falls outside the GDPR. |
| The Role of Master Data |
| The Work Group acknowledges the value of Customer Master data: if client data is controlled in a single data domain across the organization, achieving the GDPR requirements is simplified, which adds to the business case for the Customer Master. However, there are very few, if any, instances of mature Customer Master data domains. |
| Table 1: Design Concepts |
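The pseudonymization and tokenization techniques named under "The Role of Technology" in Table 1, as an added example that is not part of the EDM Council paper or of any Solidatus tooling: a keyed (HMAC) pseudonym that keeps records joinable across datasets, beside a vault-backed reversible token that supports both re-identification for an authorized purpose and erasure. The sample record, the field names, the key, and the `TokenVault` class are constructed for this example.

```python
"""Added example (not from the EDM Council paper): two ways to take direct
identifiers out of a record while keeping it usable, and what each leaves
behind as "additional information" in the sense of GDPR Recital 26."""
import hashlib
import hmac
import secrets
from typing import Any, Dict

# Constructed sample record containing personal data (not real data).
SAMPLE_RECORD: Dict[str, Any] = {
    "client_id": "C-10042",
    "email": "jane.doe@example.com",
    "national_id": "AB123456C",
    "balance": 1523.40,
}

# Constructed list of fields that directly identify a natural person.
DIRECT_IDENTIFIERS = ("client_id", "email", "national_id")


def pseudonymize(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Replace direct identifiers with HMAC-SHA256 pseudonyms.

    The same key maps the same value to the same pseudonym, so records from
    different systems can still be joined on the pseudonym. Anyone holding the
    key can confirm a guessed identity, which is why the output is still
    personal data and the key must be held apart from the pseudonymized set.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            mac = hmac.new(key, str(out[field]).encode("utf-8"), hashlib.sha256)
            out[field] = mac.hexdigest()[:32]
    return out


class TokenVault:
    """Reversible tokenization: random tokens backed by a lookup table.

    The vault is the only link between a token and its clear value, so
    detokenization is the access-controlled operation to log and restrict to
    the purposes recorded in the Art. 30 records of processing.
    """

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}  # clear value -> token
        self._reverse: Dict[str, str] = {}  # token -> clear value

    def tokenize(self, value: str) -> str:
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(12)  # random, not derived
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token: str) -> str:
        return self._reverse[token]

    def can_reidentify(self, token: str) -> bool:
        return token in self._reverse

    def erase(self, value: str) -> bool:
        """Honor an erasure request: once the vault entry is gone, copies of
        the token that have spread to downstream systems are orphaned."""
        token = self._forward.pop(value, None)
        if token is None:
            return False
        del self._reverse[token]
        return True


def tokenize_record(record: Dict[str, Any], vault: TokenVault) -> Dict[str, Any]:
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = vault.tokenize(str(out[field]))
    return out


def identifiers_removed(original: Dict[str, Any], transformed: Dict[str, Any]) -> bool:
    """Control check: no direct identifier survives in clear text."""
    return all(
        transformed.get(f) != original.get(f)
        for f in DIRECT_IDENTIFIERS
        if f in original
    )


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would live in a KMS/HSM, not with the data
    print(pseudonymize(SAMPLE_RECORD, key))
    vault = TokenVault()
    tokenized = tokenize_record(SAMPLE_RECORD, vault)
    print(tokenized, "->", vault.detokenize(tokenized["email"]))
```

The two approaches fail differently. The HMAC pseudonym is deterministic under one key, so it is ideal for joining datasets but a compromised key exposes every record at once, and the pseudonym for a low-entropy field can be brute-forced by anyone who obtains the key. The vault token carries no information about the value, so it can be distributed widely, but the vault then becomes the single store that access governance (DCAM 6.5.1, Govern Access & Use) must protect, and deleting a vault entry is a practical way to make erasure effective across every copy of the token.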
Description
Approach to Analysis
The Work Group approach was a logical analysis of the GDPR requirements for data and the Data Management function.
- Create a shared understanding of the regulatory requirements of GDPR
- Analyze each requirement for implications for data or the Data Management function
- Interpret the impacts into Data Management requirement statements
- Align the Data Management requirements to the DCAM Framework
- Identify Best Practice Opportunities to provide specific guidance to support compliance with the regulation

The Analysis
Key Terms
The following are key terms that are integral to understanding the GDPR and thus are included here for reference.
- Data Subject
- Data Controller
- Data Processor
- Personal Data
- Sensitive Personal Data
GDPR Requirements for Data and Data Management
The Work Group adopted the Promontory GDPR Analysis Framework (Table 2). The framework uses the seven Thematic Areas introduced above and organizes the GDPR data protection requirements into 22 components, as shown below. These 22 components are the basis for the detailed analysis conducted by the Work Group.
| Data Subject Rights | |
| 1.1. | Transparency and Information Rights |
| 1.2. | Right of Access |
| 1.3. | Rectification, Erasure, and Restriction of Processing |
| 1.4. | Profiling & Automated Individual Decisions |
| 1.5. | Data Portability |
| Data Handling | |
| 2.1. | Purpose Limitation & Data minimization |
| 2.2. | Data Quality & Proportionality |
| 2.3. | Legal Basis for Processing Personal Data |
| 2.4. | Special Categories of Data |
| 2.5. | Controller – Processor Relationship |
| 2.6. | Controller – Controller Relationship |
| 2.7. | International Data Transfers |
| Training | |
| 3.1. | Training Program |
| Accountability & Governance | |
| 4.1. | DPOs, Compliance & Mutual Assistance |
| 4.2. | Records of Processing Activities |
| Security & Confidentiality | |
| 5.1. | Security of Processing |
| 5.2. | Breach Notifications to Data Protection Authorities |
| 5.3. | Breach Notifications to Data Subjects |
| Change Management | |
| 6.1. | Data Protection by Design and by Default |
| 6.2. | Data Protection Impact Assessments |
| 6.3. | Prior Consultation |
| Assurance & Monitoring | |
| 7.1. | Audit Program |
| Table 2: GDPR Analysis Framework | |
Data & Data Management Function Requirements
A walkthrough of each component identified 32 implications for data and the Data Management function. Further analysis of the 32 implications defined a total of 48 Data Management requirement statements.
The Work Group adopted the hypothesis that the GDPR requirements impacting the Data Management function were NOT materially unique, and that, therefore, the foundation provided by the EDM Council DCAM Framework would support GDPR compliance.
Successfully mapping the 48 Data Management requirements to the Capabilities and Sub-capabilities defined in the DCAM Framework validated the hypothesis. The next section explains the mapping exercise.
The Work Group concluded that if an organization adopts the DCAM Framework and achieves a sufficient operating level, the foundation for supporting the data and Data Management requirements of GDPR compliance is largely in place. The challenge is the maturity and consistency of execution across the organization, because the processes and data impacted by GDPR exist in every area of the organization that maintains personal data.
DCAM Framework Alignment
Capability Alignment
The 48 GDPR Data Management requirement statements were mapped to the DCAM Framework at the three-digit sub-capability level. The mapping produced 370 pairings across 45 unique sub-capabilities. The GDPR Requirement Count is the number of GDPR requirements that aligned with each sub-capability; it gives a quick reference for focusing on the sub-capabilities the Data Management function needs in order to support GDPR compliance.
The CDO can use this analysis as the basis for a GDPR compliance checklist of the support required from the Data Management function. While the count is not a direct measure of criticality, sub-capabilities with higher GDPR requirement counts may suggest where to prioritize when building capability or closing gaps in existing capabilities.
| DCAM Component | DCAM Sub-capability | GDPR Req Ct |
| 2.0 Data Management Program & Funding Model | 2.5.2 Industry Standards Utilized | 2 |
| | 2.7.1 Internal Communication Plans | 1 |
| | 2.7.2 External Communication Plans | 1 |
| | 2.7.3 Training Implemented | 1 |
| 3.0 Business & Data Architecture | 3.2.1 Requirements for Data Defined | 9 |
| | 3.2.4 Governance Aligned | 11 |
| | 3.3.1 Domains Authorized | 8 |
| | 3.3.2 Repositories Inventoried | 8 |
| | 3.4.1 Entities Standardized | 12 |
| | 3.4.2 Business Definitions Approved | 12 |
| | 3.4.3 Taxonomies Used | 9 |
| | 3.4.4 Metadata Standardized | 23 |
| 4.0 Data & Technology Architecture | 4.1.1 DM Engaged in TA | 12 |
| | 4.1.2 DM Engaged in Platform | 26 |
| | 4.1.4 DM Engaged in Data Distribution | 12 |
| | 4.1.5 Governance Aligned | 20 |
| | 4.2.1 Selection Strategy Defined | 11 |
| | 4.2.2 Roadmap Implemented | 11 |
| | 4.2.3 Governance Aligned | 11 |
| 5.0 Data Quality Management | 5.1.1 DQM Defined | 2 |
| | 5.1.2 Roles & Responsibilities Implemented | 2 |
| | 5.1.4 Processes Auditable | 1 |
| | 5.2.1 Data Prioritized | 2 |
| | 5.2.2 Rules Defined | 16 |
| | 5.2.3 Data Measured | 2 |
| | 5.3.1 Remediation Implemented | 2 |
| | 5.3.2 RCA Defined | 2 |
| | 5.4.1 DQ Control Points | 2 |
| | 5.4.2 Data Issues Managed | 4 |
| | 5.4.3 Continuous Monitoring | 2 |
| 6.0 Data Governance | 6.2.1 P&S Complete | 13 |
| | 6.2.2 P&S Stakeholder Approval | 13 |
| | 6.2.3 P&S Executive Approval | 13 |
| | 6.2.4 P&S Cross-control Aligned | 16 |
| | 6.2.5 P&S Auditable | 10 |
| | 6.3.2 Approval Processes Established | 1 |
| | 6.3.4 Issue Management Operational | 4 |
| | 6.4.1 Data Domains Governed | 10 |
| | 6.4.2 Metadata Governed | 9 |
| | 6.5.1 Govern Access & Use | 12 |
| 7.0 Data Control Environment | 7.1.1 DCE Established | 2 |
| | 7.1.3 DM Capabilities Effectively Integrated | 2 |
| | 7.2.1 P&S Aligned | 10 |
| | 7.2.2 Engagement Routines Established | 9 |
| | 7.2.3 Cross-controls Applied | 9 |
| Table 3: DCAM Sub-Capability Alignment | | |
Update to the Original DCAM – GDPR Detailed Analysis
The original best practice paper published in May 2018 presented the detailed analysis conducted by the Work Group in a very complex spreadsheet. The spreadsheet had the usual limitation of presenting many-to-many relationships as flat rows and columns. As a result, understanding all the analytic findings was challenging.
The EDM Council and Solidatus formed a strategic partnership. Using the Solidatus knowledge graph modeling platform, the original detailed analysis was updated to create the DCAM – GDPR Knowledge Model. The tool presents the analytics in a much more user-friendly and understandable interface.
The DCAM – GDPR Knowledge Model includes the following layers.
- GDPR Regulation – full-text presentation of the regulation
- GDPR Recitals – full-text presentation of the recitals
- Data Thematic Areas/Sub-components – interpretation layer of the regulation organized into thematic areas and sub-components
- GDPR Process Requirements – identified processes required for the execution of the GDPR
- Data & Data Management Impacts – identified impacts of the regulation on data or the Data Management initiative
- Data Requirements – categories of data required to support the execution of the regulation
- Data Management Requirements – requirements for Data Management capability to support the execution of the regulation
- Data Management Tools – a posting of the DCAM Framework document and a collection of support resources
- DCAM v2 – full text of the DCAM Framework
- DCAM v1.3 – the prior version of the DCAM Framework, with a mapping to the new version that in turn allowed the prior GDPR mapping to DCAM to create an inherited mapping to DCAM v2
The default view was designed by EDMC to introduce the knowledge modeling content. The additional views emphasize various knowledge lineage concepts within the model. Access the views from the left-side menu.
- View 1: Knowledge Model Framework – default view displaying the fully collapsed model structure
- View 2: GDPR Thematic Areas – mapping between the GDPR and a summary of the regulation organized into Thematic Areas
- View 3: GDPR Process Requirements – mapping between the Thematic Areas and the business processes required to execute the GDPR
- View 4: Business Requirements for Data – mapping between the Thematic Areas and the business requirements for data
- View 5: Data Management Capability Requirements – mapping between the Thematic Areas and the requirements for Data Management capabilities
- View 6: Data Management Tools – mapping between the Data Management Capability Requirements and a set of required design criteria and tools
- View 7: GDPR to DCAM Alignment – mapping between the Data Management Capability Requirements and the DCAM Framework
The knowledge model with these views allows a user to focus on the information presented in each layer. A user can also create filters and views on the data using the options in the left-side margin. A search function is in the lower right corner. For an overview of all these functions, select the Help dropdown in the top right corner.
EDM Council Member Customized Analysis Opportunity
With a full Solidatus license, Council members have the opportunity to take the standard read-only DCAM – GDPR Knowledge Model and extend it internally within their organization. Extending the model allows the organization to create customized layers specific to its regulatory processes, data elements, and Data Management capability. With the internal execution of the regulation modeled and linked back to the source regulation and requirements, there is a complete record of compliance.
Industry Opportunity
There is a rampant proliferation of data privacy regulation emerging from geographic jurisdictions globally. As an industry, there is an opportunity to jointly reconcile these disparate data privacy regulations into a consolidated set of requirements. When analyzing a new regulation, identifying the overlap with requirements from previously analyzed regulations is easier than starting from scratch. The overlap would not require further analysis; only the net new requirements would need to be analyzed and processed into the model. Through the trace capability of the knowledge model, a use case with any combination of jurisdictions can then be applied to produce just the requirements relevant to that use case.
There is an opportunity, through the EDM Council, to form a global coalition generating a standard model of Multi-jurisdictional Data Privacy Regulation Requirements. This model would include:
- Full-text regulatory models
- Industry vetted interpretation
- Industry-standard process and data requirements
- Record of logic for legal and compliance review and approval
Design Requirements, Processes, & Tools – Best Practice Opportunities
While the DCAM™ Framework provides the Data Management foundation to support compliance with the GDPR, the Work Group did identify a set of additional focus areas where ongoing collaboration and knowledge sharing could produce further valuable best practice standards. A prioritized collection of proposed areas for GDPR: Best Practice Opportunities is available in a separate knowledge post.
In the absence of these best-practice standards, organizations must independently define their approach to each of these focus areas. The list of Best Practice Opportunities is a guide for an organization to ensure its Data Management processes and tools consider an approach to these focus areas.
The EDM Council maintains an ongoing effort to collect best practice executions from member organizations. Members should share their proposed best practice or raise other issues in the comments section at the end of this post.
Appendix
About the Work Group
In mid-2017, the Council held a GDPR webinar briefing for all members to level-set a basic understanding of the regulation. The forum was also an open invitation for representatives of member organizations to join a Work Group to develop a best practice recommendation for the role of data management in GDPR compliance.
A Work Group was formed of approximately 40 members representing all aspects of the industry (GSIBs, SIFIs, buy-side, sell-side, geographic, consultants, vendors).
The project objective was to assess actual member organization experience for the development of best practices for the Data Management fonction to support compliance with GDPR.
The first step was to level-set an understanding of the GDPR legislation. With a grounding in the requirements of the legislation, the Work Group then went through a logical analysis of the requirements as follows:
- Implications for data and the Data Management function
- Identified data and Data Management function requirements
- Alignment of requirements to the DCAM™ Framework
- Identify Best Practice "Opportunities" to provide specific guidance to support compliance with the regulation
Work Group Members – organization affiliation as of May 2018
Allen, Diahn – T Rowe Price
Arzaga, Raymund – Scotiabank
Atkin, Mike – EDMC
Baig, Haroon – Barclays
Bersie, Bret – US Bank
Bholasing, Jeffrey – ING
Blaszkowsky, David – Financial Semantics Collaborative
Bottega, John – EDMC
Bruckman, Todd – AIG
Buoninfante, Christina – Mizuho
Cardoso, Karina – E&Y
Dinsmore, Chris – BBH
Dokuchaeva, Anastasia – ClauseMatch
Doyle, Martin – DQ Global
Giordano, Peter – Oppenheimer & Co.
Hankinson, Simon – Collibra
Inserro, Richard – PWC
Isaac, Gareth – Ortecha
Lancos, Peter – Exate Technology
Lawson, Andrew – Brickendon
Magora, Stephen – Credit Suisse
McDougall, Simon – Promontory Financial Group
McQueen, Mark – EDMC / FutureDATA
Miliffe, Christopher – E&Y
Naismith, Jonathan – Exate Technology
Rattan, Sonal – Exate Technology
Rende, Daniel – RBC
Rolles, Daniel – EXL Service
Ruston, Max – Charles Schwab
Sarkar, Agomoni
Singh, Ankita – Invesco
Snyder, Nathan – Brickendon
Sordo, Mauricio – ING
Spiegler, Yoni – Mizuho
St Clair, Micheline – RBC
Steenbeek, Irina – ABN AMRO
Stender, Werner – CapCO
Sukhia, Umang – AIG
Tanag, Marichelle – AIG
Thomas, Richard – Invesco
Timofeev, Paula – Wellington Management Co.
Van De Haar, Bert – ING
Wackwitz, Merel – ING
About the Authors
Mark McQueen, EDMC Senior Advisor-DCAM, led the Work Group facilitation and served as scribe of this report. Mark has over 20 years with a Fortune 25 GSIB, where he was the business Data Management Executive for the Wholesale Bank. In addition to Best Practice Program facilitation, he provides training and EDMC Advisory Services related to the adoption and execution of the DCAM Framework in member organizations.
Mark is DCAM v2 Accredited, DCAM Certified Trainer, Six Sigma Black Belt Certified, and Strategic Foresight Accredited – University of Houston.
Mark is a partner in Ortecha, an independent data consultancy located in the UK and the USA.
mmcqueen@edmcouncil.org
+1 615.308.6465
Philip Dutton is a Co-Founder of Solidatus, the leading data lineage, business relationship and conceptual modeling tool that enables the effective management of data, people and processes. He is passionate about revolutionizing the data economy and helping organizations meet the ever-increasing demand for openness, transparency, and traceability needed in business today.
With over 20 years’ experience as a Senior System Architect, Engineer and Project Manager, much of his expertise comes from the management of global transformational change projects within the Financial Services sector. Philip has led the partnership between the EDM Council and Solidatus and has been instrumental in the development of the DCAM™ Advanced Knowledge Modeling Tool. He is DCAM v2 Accredited and a thought leader in shifting the data management paradigm towards sustainability.
Philip.dutton@solidatus.com
+44 7714761913
Simon McDougall, who at the time of the original report was Managing Director and global lead of the Privacy and Data Protection Practice at Promontory Financial Group, provided specific subject matter expertise on the GDPR legislation.
Revision History
| Date | Authors | Description |
| May 2018 | Mark McQueen; Philip Dutton | Initial Publication |
| March 2020 | Mark McQueen | Knowledge Portal Release; Converted Excel Analysis into DCAM – GDPR Knowledge Model; Updated Analysis Commentary to Align with the Knowledge Model; Broke out the Opportunities for Best Practice into a Separate Article |