Do you have traceability on your data for GDPR?

Open any book or website on implementing GDPR (our GDPR Planning White Paper is no different) and it will say that you need an audit of personal data.  An audit will tell you about the personal data you hold.  It will soon force you to document what data you hold, where you hold it, what it is used for and who has access to it.  Many organisations are finding that the definition of personal data means that it proliferates across many, if not all, of the systems they run.  Remember that personally identifiable information is very broadly defined (*I have reproduced the definition at the bottom of this blog if you are interested).

To hold personal data in future you will need to know the lawful basis for holding it.  The most compelling are either to fulfil a contract or consent.  Where the lawful basis for holding it is consent, you will also need to record what consent was obtained (i.e. what did they consent to you doing with their data) and when.

What you will really need going forward is traceability

What you will really need going forward is traceability.  Do you have your systems fully documented?  Data will frequently move through different systems.  Do you have full traceability of all personal data in your Business Intelligence, Reporting and Analytics, for example?  If a data subject requests a change to inaccurate data, are you sure that the change will be replicated across all your systems?  Are you in control of the data used in your development and test environments?

There are approaches that help protect you.  Aggregation, for example, will anonymize personally identifiable information while transforming data into actionable information.  You still need to ensure you have full documentation.

The audit will tell you what you have at the time of the audit.  But the audit is static information.  As data moves around your organisation you need to know what changes have been made and where it has gone.  In the future, when the Regulators arrive at your door, will you be able to answer the questions: where does my data come from, and where is it used?  The answer needs to describe the current position, not the position as it was when the audit took place.

There are well established techniques to help understand data lineage

We believe that there are well established techniques to help understand data lineage and impact analysis.  These are inherent to Data Vault data warehouse design.  Hence the value of a data warehouse built this way for managing your personally identifiable information.

* GDPR Article 4 defines personal data as any information relating to an identifiable natural person, where “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.