Originally Published: May 2018; Revised: March 2020
Best Practice Scribe
Mark McQueen, EDM Council Senior Advisor-DCAM
Philip Dutton, Co-Founder, Solidatus
Executive Summary
Objective
The GDPR requires any business that stores and manages personal data on behalf of people in the European Union (EU) (e.g., prospects, customers, employees) to handle this information in a transparent and structured manner. The biggest misconception about GDPR is that it is only an EU jurisdiction legislation and, therefore, only requires compliance by EU businesses. The reality is that it applies globally to any organization offering goods or services to the European Union.
Recognizing the global reach and impact of the GDPR, this work provided several practical deliverables to the EDM Council member organizations.
- Create a basic understanding of the regulation and the role of the Data Management function to support compliance.
- Identify requirements for data and the Data Management function.
- Align the requirements to the EDM Council DCAM® Framework – providing a compliance roadmap specific to the Data Management function of an organization.
- Leverage member organization experience to develop best practices for the Data Management function to support GDPR compliance.
The concepts and analysis presented in this paper and supporting materials communicate value to all organizational stakeholders impacted by GDPR (e.g., data management professionals, business executives, executive leadership, and regulatory compliance practitioners).
Key Observations
- GDPR is not a Data Management legislation, but the Data Management control function is needed to support compliance with the legislation – giving the business and the data subject (e.g., prospects, customers, and employees) various obligations and rights around the management of personal data.
- Accountability for GDPR compliance is a Privacy activity. Most organizations already have a control function accountable for Privacy. How this function is structured, and where it sits in the organizational hierarchy, varies significantly across industries. While there are some limited instances where the Privacy activity aligns with the Data Management function, that is not the norm.
- The Chief Data Officer (CDO) and the Data Management function provide support to the Privacy control function accountable for GDPR compliance and the business units which must manage privacy within their business process.
- If adoption of the DCAM Framework achieves an effective Data Management operating level, the foundation for supporting the data and Data Management requirements of GDPR compliance is largely in place. A challenge is the maturity and consistency of execution across the organization because the processes and data impacted by GDPR exist in all areas of the organization that maintain personal data.
In addition to this best practice paper, the Work Group published a companion document that identified areas for GDPR: Best Practice Opportunities to enhance execution in the DCAM Framework. The EDM Council maintains an ongoing activity as part of the mission of the DCAM User Group to collect best practices aligned to the identified opportunities. The DCAM User Group is open to all individuals affiliated with EDM Council Member organizations.
More Information
- GDPR Regulation
- DCAM – GDPR Knowledge Model– the full GDPR requirements analysis with data and Data Management Impacts, requirements, and DCAM Framework alignment.
- Using a Best Practice Article
- EDM Council & the DCAM User Group
- The Knowledge Development Process
- About the Work Group
- Work Group Members
Issue
GDPR Overview
The European Union (EU) General Data Protection Regulation (GDPR) is a response to the growth of the global enterprise, technological developments, and the huge surge in the volume of data collected by organizations worldwide. The intent is to harmonize data protection legislation across the Member States, establishing a single set of EU laws regarding the processing of personal data. The GDPR is the first comprehensive overhaul of European Union data protection rules in 20 years. It repeals and replaces EU Data Protection Directive 95/46/EC and, in turn, the national transpositions of that directive at the EU Member State level. As an EU regulation, the GDPR is directly applicable in all 28 EU Member States without the need for legislation at the Member State level. The GDPR entered into force on May 25, 2016, and went live on May 25, 2018.
The GDPR confers significant powers on regulators to investigate and enforce compliance. Non-compliance could result in a fine of up to 20 million euros or 4% of an organization’s total worldwide annual turnover (revenue), whichever is higher.
While the regulation is EU jurisdiction legislation, it applies globally to any organization offering goods or services into the European Union. The GDPR requires any business that stores and manages personal data for people in the EU (e.g., prospects, customers, and employees) to handle this information in a transparent and structured manner.
Industry Current State
GDPR was the leading regulation to express an expanded set of data privacy requirements regarding the processing of personal data. In response to the new regulation, all impacted business entities began interpreting the impact that compliance with the regulation would have on their business processes.
Promontory Financial Group served as the Regulatory subject matter expert for GDPR by sharing their interpretation of the regulation for the data practitioner members to identify requirements for data or Data Management.
GDPR went beyond any prior Data Privacy legislation globally and was viewed by many as the threshold standard, and as expected, other jurisdictions across the globe are introducing regulation patterned after GDPR. In the past two years, many jurisdictions have instituted similar Data Privacy regulations, while a large number of additional jurisdictions have draft regulations under consideration.
Below is a summary of the key provisions of GDPR, as defined by Promontory.
Summary of Key Provisions
A high-level summary of the key provisions of the GDPR aligns to the seven thematic areas below. These areas set the parameters for a more detailed analysis of the regulation in the following best practice description.

Best Practice
Stakeholders
The GDPR stakeholders vary in an organization depending on how they align GDPR accountability to their Control Function framework. This best practice assumes there is a separate control function accountable for GDPR that defines requirements from the Data Management control function to achieve GDPR compliance.
The Data Management function stakeholders include:
- Executive Leadership
- Business Executives
- Regulatory Compliance Practitioners
- Data Management Practitioners (Reference: Data Management Functional Construct)
  - Chief Data Officer
  - Data Officer
  - Executive Data Steward
  - Business Data Steward
  - Technical Data Steward
  - Data Custodian
The remainder of this best practice focuses on the activities of the Data Management Practitioners.
Scope
The scope set by the Work Group included a set of Design Concepts confined by the GDPR compliance requirements with impacts on data and the Data Management function.
| Design Concept | Description |
|---|---|
| Customer-Centric Business Value | While GDPR is a regulatory mandate, if executed effectively, there is significant business value derived from the resulting customer-centricity and enhanced customer relationship. The GDPR requires a process of interaction with a customer that delivers transparency, customer empowerment, efficient portability, and data quality. These are all opportunities to deepen the relationship and develop trust, providing a positive customer experience to drive profit and gain competitive advantage. Additionally, the availability of quality data enables customer knowledge, cross-sell and upsell, and the opportunity to offer the right product at the right time in the customer lifecycle. |
| The Role of the CDO & Data Management Function | The CDO is NOT usually accountable for GDPR compliance; however, the CDO and the Data Management function still play a significant role in satisfying the GDPR. Data Management is a control function that needs to support the privacy control function accountable for GDPR compliance and the business units which must manage privacy within their business process. The foundation for supporting the data and Data Management requirements of GDPR compliance is in place if adoption of the DCAM Framework reaches the Achieved capability level. The challenge is maturity and consistency of execution across the organization because the processes and data impacted by GDPR exist in many areas across the organization. |
| Alignment to Organizational Ecosystem | GDPR requires a risk framework where all the lines of defense (1st, 2nd, and 3rd) work in concert to ensure the organization achieves the outcome of valuing and protecting customer privacy and data. The Data Management function must facilitate the collection of requirements from across a variety of ecosystem stakeholders (e.g., Privacy, Risk, Info Security, Data Retention, Technology, AML/KYC). |
| The Role of Technology | GDPR requires a strategic alignment between all data stakeholders, and Information Technology (IT) solutions must be a part of the overall solution. The best efforts requirement of GDPR requires the application of appropriate technical and organizational measures. A best practice approach may include technical automation to support Data Management activities such as data identification, lineage, and metadata. Also, beyond standard access controls, more advanced tools may be applied so that data is encrypted, tokenized, anonymized, or pseudonymized at rest, in transit, and in memory. These are technology solutions to restrict who is allowed to view the data and for what purposes. |
| The Role of Master Data | The Work Group acknowledges the value of Customer Master data: if customer data is controlled in a single data domain across the organization, achieving GDPR requirements is simplified, which adds to the business case for the Customer Master. However, there are very few, if any, instances of mature Customer Master data domains. |

Table 1: Design Concepts
Description
Approach to Analysis
The Work Group approach was a logical analysis of the GDPR requirements for data and the Data Management function.
- Created a shared understanding of the regulatory requirements of GDPR
- Analyzed each requirement for implications for data or the Data Management function
- Interpreted the impacts into Data Management requirement statements
- Aligned the Data Management requirements to the DCAM Framework
- Identified Best Practice Opportunities to provide specific guidance to support compliance with the regulation

The Analysis
Key Terms
The following are key terms that are integral to understanding the GDPR and thus are included here for reference.
- Data Subject
- Data Controller
- Data Processor
- Personal Data
- Sensitive Personal Data
GDPR Requirements for Data and Data Management
The Work Group adopted the Promontory analysis framework (Table 2: GDPR Analysis Framework). The framework uses the seven Thematic Areas introduced above and organizes the GDPR data protection requirements into 22 components, as shown below. These 22 components are the basis for the detailed analysis conducted by the Work Group.
| Thematic Area | # | Component |
|---|---|---|
| Data Subject Rights | 1.1. | Transparency and Information Rights |
| | 1.2. | Right of Access |
| | 1.3. | Rectification, Erasure, and Restriction of Processing |
| | 1.4. | Profiling & Automated Individual Decisions |
| | 1.5. | Data Portability |
| Data Handling | 2.1. | Purpose Limitation & Data Minimization |
| | 2.2. | Data Quality & Proportionality |
| | 2.3. | Legal Basis for Processing Personal Data |
| | 2.4. | Special Categories of Data |
| | 2.5. | Controller – Processor Relationship |
| | 2.6. | Controller – Controller Relationship |
| | 2.7. | International Data Transfers |
| Training | 3.1. | Training Program |
| Accountability & Governance | 4.1. | DPOs, Compliance & Mutual Assistance |
| | 4.2. | Records of Processing Activities |
| Security & Confidentiality | 5.1. | Security of Processing |
| | 5.2. | Breach Notifications to Data Protection Authorities |
| | 5.3. | Breach Notifications to Data Subjects |
| Change Management | 6.1. | Data Protection by Design and by Default |
| | 6.2. | Data Protection Impact Assessments |
| | 6.3. | Prior Consultation |
| Assurance & Monitoring | 7.1. | Audit Program |

Table 2: GDPR Analysis Framework
Data & Data Management Function Requirements
A walkthrough of each component resulted in the identification of 32 implications for data and the Data Management function. Further analysis of the 32 implications defined a total of 48 Data Management requirement statements.
The Work Group adopted the hypothesis that the GDPR requirements impacting the Data Management function were NOT materially unique, and, therefore, the foundation provided by the EDM Council DCAM Framework would support GDPR compliance.
Successfully mapping the 48 defined Data Management requirements to the Capabilities and Sub-capabilities defined in the DCAM Framework validated the hypothesis. The next section contains an explanation of the mapping exercise.
The Work Group concluded that if an organization adopts the DCAM Framework and achieves a sufficient operating level, the foundation for supporting the data and Data Management requirements of GDPR compliance is largely in place. However, a challenge is the maturity and consistency of execution across the organization because the processes and data impacted by GDPR exist in all areas of the organization that maintain personal data.
DCAM Framework Alignment
Capability Alignment
The 48 GDPR Data Management requirement statements were mapped to the DCAM Framework at the 3-digit sub-capability level. The mapping resulted in 370 pairings across 45 unique sub-capabilities. The GDPR Requirement Count (GDPR Req Ct) is the number of GDPR requirements that aligned with each sub-capability. This count allows a quick reference to focus on the sub-capabilities that are required for the Data Management function to support GDPR compliance.
The CDO can use this analysis as the basis for a GDPR compliance checklist for the required support from the Data Management function. While the count is not a direct measure of criticality, the sub-capabilities with higher GDPR requirement alignment counts may suggest priorities if you are building your capability or working to close gaps in your existing capabilities.
| DCAM Component | DCAM Sub-Capability | GDPR Req Ct |
|---|---|---|
| 2.0 Data Management Program & Funding Model | 2.5.2 Industry Standards Utilized | 2 |
| | 2.7.1 Internal Communication Plans | 1 |
| | 2.7.2 External Communication Plans | 1 |
| | 2.7.3 Training Implemented | 1 |
| 3.0 Business & Data Architecture | 3.2.1 Requirements for Data Defined | 9 |
| | 3.2.4 Governance Aligned | 11 |
| | 3.3.1 Domains Authorized | 8 |
| | 3.3.2 Repositories Inventoried | 8 |
| | 3.4.1 Entities Standardized | 12 |
| | 3.4.2 Business Definitions Approved | 12 |
| | 3.4.3 Taxonomies Used | 9 |
| | 3.4.4 Metadata Standardized | 23 |
| 4.0 Data & Technology Architecture | 4.1.1 DM Engaged in TA | 12 |
| | 4.1.2 DM Engaged in Platform | 26 |
| | 4.1.4 DM Engaged in Data Distribution | 12 |
| | 4.1.5 Governance Aligned | 20 |
| | 4.2.1 Selection Strategy Defined | 11 |
| | 4.2.2 Roadmap Implemented | 11 |
| | 4.2.3 Governance Aligned | 11 |
| 5.0 Data Quality Management | 5.1.1 DQM Defined | 2 |
| | 5.1.2 Roles & Responsibilities Implemented | 2 |
| | 5.1.4 Processes Auditable | 1 |
| | 5.2.1 Data Prioritized | 2 |
| | 5.2.2 Rules Defined | 16 |
| | 5.2.3 Data Measured | 2 |
| | 5.3.1 Remediation Implemented | 2 |
| | 5.3.2 RCA Defined | 2 |
| | 5.4.1 DQ Control Points | 2 |
| | 5.4.2 Data Issues Managed | 4 |
| | 5.4.3 Continuous Monitoring | 2 |
| 6.0 Data Governance | 6.2.1 P&S Complete | 13 |
| | 6.2.2 P&S Stakeholder Approval | 13 |
| | 6.2.3 P&S Executive Approval | 13 |
| | 6.2.4 P&S Cross-control Aligned | 16 |
| | 6.2.5 P&S Auditable | 10 |
| | 6.3.2 Approval Processes Established | 1 |
| | 6.3.4 Issue Management Operational | 4 |
| | 6.4.1 Data Domains Governed | 10 |
| | 6.4.2 Metadata Governed | 9 |
| | 6.5.1 Govern Access & Use | 12 |
| 7.0 Data Control Environment | 7.1.1 DCE Established | 2 |
| | 7.1.3 DM Capabilities Effectively Integrated | 2 |
| | 7.2.1 P&S Aligned | 10 |
| | 7.2.2 Engagement Routines Established | 9 |
| | 7.2.3 Cross-controls Applied | 9 |

Table 3: DCAM Sub-Capability Alignment
Update to the Original DCAM – GDPR Detailed Analysis
The original best practice paper published in May 2018 presented the detailed analysis conducted by the Work Group in a very complex spreadsheet. The spreadsheet had the usual limitations of presenting the data in rows and columns with 1:1 relationships. As a result, understanding all the analytic findings was challenging.
The EDM Council and Solidatus formed a strategic partnership. Using the Solidatus knowledge graph modeling platform, an update of the original detailed analysis created the DCAM – GDPR Knowledge Model. The tool presents the analytics in a much more user-friendly and understandable interface.
The DCAM – GDPR Knowledge Model includes the following layers.
- GDPR Regulation – full-text presentation of the regulation
- GDPR Recitals – full-text presentation of the recitals
- Data Thematic Areas/Sub-component – interpretation layer of the regulation organized into thematic areas and sub-components
- GDPR Process Requirements – identified processes required for the execution of the GDPR
- Data & Data Management Impacts – identified impacts of the regulation on data or the Data Management initiative
- Data Requirements – categories of data required to support the execution of the regulation
- Data Management Requirements – requirements for Data Management capability to support the execution of the regulation
- Data Management Tools – a posting of the DCAM Framework document and collection of support resources
- DCAM v2 – full-text of the DCAM Framework
- DCAM v1.3 – the prior version of the DCAM Framework, with mapping to the new version, which in turn allowed the prior GDPR-to-DCAM mapping to be inherited by DCAM v2
The default view has been designed by EDMC to introduce knowledge modeling content. However, the additional views emphasize various knowledge lineage concepts within the model. Access the views from the left-side menu.
- View 1: Knowledge Model Framework – default view displaying the fully collapsed model structure
- View 2: GDPR Thematic Areas – mapping between the GDPR and a summary of the regulation organized into Thematic Areas
- View 3: GDPR Process Requirements – mapping between the Thematic Areas and the business processes required to execute the GDPR
- View 4: Business Requirements for Data – mapping between the Thematic Areas and the business requirements for data
- View 5: Data Management Capability Requirements – mapping between the Thematic Areas and the requirements for Data Management capabilities
- View 6: Data Management Tools – mapping between the Data Management Capability Requirements and a set of required design criteria and tools
- View 7: GDPR to DCAM Alignment – mapping between the Data Management Capability Requirements and the DCAM Framework
The knowledge model with these views allows a user to focus on the information presented in each of these layers. However, a user can create filters and views on the data using the options available on the left side margin. A search function is in the lower right corner. For an overview of all these functions, select the Help dropdown in the top right corner.
EDM Council Member Customized Analysis Opportunity
With a full Solidatus license, Council members have an opportunity to leverage the standard read-only DCAM – GDPR Knowledge Model and extend the model internally to their organization. The extension of the model allows the organization to create customized layers specific to its regulatory processes, data elements, and Data Management capability. With the internal execution of the regulation modeled and linked back to the source regulation and requirements, there is a complete record of compliance.
Industry Opportunity
There is a rampant proliferation of data privacy regulation emerging from geographic jurisdictions globally. As an industry, there is an opportunity to jointly reconcile these disparate data privacy regulations into a consolidated set of requirements. When analyzing a new regulation, identifying the overlap with requirements from previously analyzed regulations is easier than starting from scratch. The overlapping requirements would not require further analysis; only the net new requirements would need to be analyzed and processed into the model. Further, through the trace capability of the knowledge model, a use case with any combination of jurisdictions can easily be applied to produce just the requirements that apply to that use case.
There is an opportunity through the EDM Council to form a global coalition generating a standard model of Multi-jurisdictional Data Privacy Regulation Requirements. This model would include:
- Full-text regulatory models
- Industry vetted interpretation
- Industry-standard process and data requirements
- Record of logic for legal and compliance review and approval
Design Requirements, Processes, & Tools – Best Practice Opportunities
While the DCAM™ Framework provides the Data Management foundation to support compliance with the GDPR, the Work Group did identify a set of additional focus areas where ongoing collaboration and knowledge sharing could produce further valuable best practice standards. A collection of prioritized proposed areas for GDPR: Best Practice Opportunities is available in a separate knowledge post.
In the absence of these best-practice standards, organizations must independently define their approach to each of these focus areas. The list of Best Practice Opportunities is a guide for an organization to ensure its Data Management processes and tools consider an approach to these focus areas.
The EDM Council maintains an ongoing effort to collect best practice executions from member organizations. Members should share their proposed best practice or raise other issues in the comments section at the end of this post.
Appendix
About the Work Group
In mid-2017, the Council held a GDPR webinar briefing for all members to level set a basic understanding of the regulation. The forum was also an open invitation for representatives from member organizations to join a Work Group to develop a best practice recommendation for the role of data management in GDPR compliance.
A Work Group was formed that contains approximately 40 members representing all aspects of the industry (GSIBs, SIFIs, buy-side, sell-side, geographic, consultants, vendors).
The project objective was to assess actual member organization experience for the development of best practices for the Data Management function to support compliance with GDPR.
The first step was to level set an understanding of the GDPR legislation. With a grounding of the requirements of the legislation, the Work Group then went through a logical analysis of the requirements as follows:
- Identified implications for data and the Data Management function
- Identified data and Data Management function requirements
- Aligned the requirements to the DCAM™ Framework
- Identified Best Practice “Opportunities” to provide specific guidance to support compliance with the regulation
Work Group Members – organization affiliation as of May 2018
Allen, Diahn – T Rowe Price
Arzaga, Raymund – Scotiabank
Atkin, Mike – EDMC
Baig, Haroon – Barclays
Bersie, Bret – US Bank
Bholasing, Jeffrey – ING
Blaszkowsky, David – Financial Semantics Collaborative
Bottega, John – EDMC
Bruckman, Todd – AIG
Buoninfante, Christina – Mizuho
Cardoso, Karina – E&Y
Dinsmore, Chris – BBH
Dokuchaeva, Anastasia – ClauseMatch
Doyle, Martin – DQ Global
Giordano, Peter – Oppenheimer & Co.
Hankinson, Simon – Collibra
Inserro, Richard – PWC
Isaac, Gareth – Ortecha
Lancos, Peter – Exate Technology
Lawson, Andrew – Brickendon
Magora, Stephen – Credit Suisse
McDougall, Simon – Promontory Financial Group
McQueen, Mark – EDMC / FutureDATA
Miliffe, Christopher – E&Y
Naismith, Jonathan – Exate Technology
Rattan, Sonal – Exate Technology
Rende, Daniel – RBC
Rolles, Daniel – EXL Service
Ruston, Max – Charles Schwab
Sarkar, Agomoni
Singh, Ankita – Invesco
Snyder, Nathan – Brickendon
Sordo, Mauricio – ING
Spiegler, Yoni – Mizuho
St Clair, Micheline – RBC
Steenbeek, Irina – ABN AMRO
Stender, Werner – CapCO
Sukhia, Umang – AIG
Tanag, Marichelle – AIG
Thomas, Richard – Invesco
Timofeev, Paula – Wellington Management Co.
Van De Haar, Bert – ING
Wackwitz, Merel – ING
About the Authors
Mark McQueen, EDMC Senior Advisor-DCAM, led the Work Group facilitation and served as scribe of this report. Mark has over 20 years with a Fortune 25 GSIB, where he was the business Data Management Executive for the Wholesale Bank. In addition to Best Practice Program facilitation, he provides training and EDMC Advisory Services related to the adoption and execution of the DCAM Framework in member organizations.
Mark is DCAM v2 Accredited, DCAM Certified Trainer, Six Sigma Black Belt Certified, and Strategic Foresight Accredited – University of Houston.
Mark is a partner in Ortecha, an independent data consultancy located in the UK and the USA.
mmcqueen@edmcouncil.org
+1 615.308.6465
Philip Dutton is a Co-Founder of Solidatus, the leading data lineage, business relationship and conceptual modeling tool that enables the effective management of data, people and processes. He is passionate about revolutionizing the data economy and helping organizations solve the ever-increasing demand for openness, transparency, and traceability needed in business today.
With over 20 years’ experience as a Senior System Architect, Engineer and Project Manager, much of his expertise comes from the management of global transformational change projects within the Financial Services sector. Philip has led the partnership between the EDM Council and Solidatus and has been instrumental in the development of the DCAM™ Advanced Knowledge Modeling Tool. He is DCAM v2 Accredited and a thought leader in shifting the data management paradigm towards sustainability.
Philip.dutton@solidatus.com
+44 7714761913
Simon McDougall, who at the time of the original report was the Managing Director and global lead of the Privacy and Data Protection Practice for Promontory Financial Group, provided specific subject matter expertise on the GDPR legislation.
Revision History
| Date | Authors | Description |
|---|---|---|
| May 2018 | Mark McQueen; Philip Dutton | Initial Publication |
| March 2020 | Mark McQueen | Knowledge Portal Release; Converted Excel Analysis into DCAM – GDPR Knowledge Model; Updated Analysis Commentary to Align with the Knowledge Model; Broke out the Opportunities for Best Practice into a Separate Article |